Both the JFSC and FCA have issued their thoughts on OUTSOURCING – in picking through the following I have plucked out some matters that you may like to think about…particularly as the JFSC are silent on the specific matter of ‘cloud’ and other third-party IT services” but Jersey providers should think about this very closely.
- the JFSCs consultation on changes to the whole guidance and
- the FCA finalised rules on outsourcing to the ‘cloud’ and other third-party IT services”
Outsourcing Thoughts
JFSC, Outsourcing means:
- An arrangement of any form between a Registered Person and a Service Provider by which the Service Provider performs ANY MATERIAL ACTIVITY THAT would otherwise be undertaken by the Registered Person.
In considering the above the following definitions are important:
- Material Activity means any business activities which are, are part of, or are likely to have a material impact upon the carrying out of any Regulated Activity
- Service Provider means a Person to whom a Registered Person Outsources any Material Activities
- Sub-contractor means a Person to whom a Service Provider transfers the carrying out of any Material Activity which was Outsourced to the Service Provider
FCA handbook, defines outsourcing as:
- An arrangement of any form between a firm and a service provider by which that service provider performs A PROCESS, A SERVICE OR AN ACTIVITY WHICH would otherwise be undertaken by the firm itself.
Further in the FCA Guidance “FG16/5 – Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services” (SEE MORE BELOW):
- “Where a third party delivers services ON BEHALF OF a regulated firm – including a cloud provider – this is considered outsourcing”.
- It is also not clear whether “on behalf of” is intended to be distinguished from delivering services “to” a regulated firm!!!.
FCA finalise guidance for firms outsourcing to the cloud and other third-party IT services – On 7 July 2016, the Financial Conduct Authority (FCA) published its finalised guidance (the Guidance), “FG16/5 – Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services”.
In considering the FCA position on Outsourcing above the following is interesting….
- In the Guidance, the FCA did not amend the wording that
- “Where a third party delivers services on behalf of a regulated firm – including a cloud provider – this is considered outsourcing”.
- This usage of “outsourcing” is different to the definition in the FCA handbook, which defines outsourcing as
- “An arrangement of any form between a firm and a service provider by which that service provider performs a process, a service or an activity which would otherwise be undertaken by the firm itself”.
- It is also not clear whether “on behalf of” is intended to be distinguished from delivering services “to” a regulated firm.
- In its response to the Guidance Consultation, the British Banking Association (BBA) requested that the FCA
- Reconsider the appropriateness of considering all cloud services under the generic category of IT outsourcing for the purposes of SYSC 8.
- In principle, everything from a product support for an application on a firm’s systems to a full infrastructure as a service solution could be categorised as an outsourcing.
- Where there is an outsourcing, firms still need to determine the applicable regulatory obligations and the key consideration for the application of regulations, and this Guidance, remains whether the outsourcing is
- “critical or important” (as defined in SYSC 8.1.4), or
- relates to “important operational functions” under the Electronic Money Regulations 2011 and the Payment Services Regulations 2009 (for authorised payment institutions and authorised electronic money institutions)
Remember if you are outsourcing this will by necessity result in the inclusion of appropriate contractual provisions in agreements between firms and service providers, as well as requiring due diligence, governance, monitoring and supervision by the firm through its own activities and processes.
Loading...