Paul Godsmark
Head of Advisory
Auxillias
The first area is getting the right controls in place. The FCA has specific requirements about outsourcing and risk management. How these apply depends on the nature of a firm and its regulated activities. Essentially, any outsourcing supporting regulated activity or key functions should not:
Finding a supplier with the right capability at the right cost is only a part of the puzzle; it is crucial to get governance, oversight mechanisms and clear accountability right, to effectively manage risk. This is not just contracts but due diligence, monitoring, oversight frameworks, clear roles, responsibilities and escalation arrangements – plus enough internal capability to effectively oversee the activity.
The second area is contracts. Firms often focus on the operational requirements right now, without properly considering future eventualities. It is vital that agreements also cover exit strategies, such as insourcing, transferring services to a new supplier or rolling back a large deployment, to avoid being trapped in an arrangement that no longer works. Foresight and flexibility in contracts can save you significant headaches down the line.
The final area is data protection and information security. Often risks are not properly assessed or addressed. Robust compliance and security measures are an absolute non-negotiable with your suppliers, particularly those outside of the UK and Europe.
It is critical to undertake robust data protection impact assessments, due diligence and ongoing monitoring. Sometimes firms do this well but forget to update customer-facing information and terms. Breach risks need to be robustly managed. Ensure you have evaluated any jurisdictions a supplier is proposing to provide services from (including how and where data will be stored) and ensure your controls counter the key risks.
Overall, the FCA expects firms to ensure that risks in these arrangements are well managed and any outsourcing is suitably resilient. Ensuring you have carefully considered and documented the above risks is key to success.
If any of the issues raised in this article are relevant to your business and you would like some support, please contact the team at Auxillias for a no obligation discussion.
We launched Auxillias in May 2020 to provide high quality and solutions-focused advice, consultancy and training services to support the motor, asset and consumer finance markets.
We work in partnership with our clients and have prioritised a consultative and collaborative approach. Our team consists of subject matter experts from a diverse mixture of backgrounds with both contentious and non-contentious experience and a unique blend of legal, governance, regulatory, compliance and risk skillsets.
What sets us apart is that most of us have worked in-house, which gives us a real understanding of our clients’ needs and helps us to provide holistic advice and guidance on complex regulatory and compliance matters in a digestible, business-focused and user-friendly way. At the end of 2023, we were proud to be ranked as a leading firm in Consumer Finance in Chambers and Partners for the first time.
For more information, visit www.auxillias.com.