Friday 25th October 2024

Comsure operates in: the UK, Jersey, Guernsey

Checklist – Entering into critical technology outsourcing agreements

When banks outsource the delivery of critical banking services to suppliers, they are required to adhere to a number of regulatory obligations and must notify the FCA before implementing those arrangements.

In its checklist of things banks should consider when thinking about entering into critical technology outsourcing agreements (6-page / 126KB PDF), the FCA outlined what it hopes banks will achieve in complying with their regulatory duties.

http://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

In particular, it said that banks should look to ensure that, at the time of an FCA authorisation, the IT services they are outsourcing “are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our objectives”.

Banks must also be able to “provide reasonable assurance” that each outsource service provider (OSP) “will deliver its services effectively, resiliently and securely” and must have “appropriate arrangements” in place to ensure “on-going oversight” of its OSPs and “the management of any associated risks such that the firm meets all its regulatory requirements”.

“Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities,” the FCA said. “It cannot delegate any part of its responsibility to a third party.”

The checklist recommends that banks ask themselves a number of questions before deciding to enter into critical IT outsourcing arrangements.

It said banks should consider whether there is a

  • “clear business case or rationale” to support a decision to outsource and
  • whether the decision has taken account of “the business risks associated with use of third parties”.

Banks should also assess technical issues, such as whether the IT solutions being provided can be tailored to the banks’ requirements and whether the banks’ data can be “readily extracted from a service provider’s systems and downloaded to a firm’s own systems”.

The FCA said that banks should also consider a number of other issues before entering into outsourcing agreements, including the financial viability of OSPs, the interoperability of OSPs’ systems with other suppliers’ and the banks’ own systems, compliance with data protection laws, incident management, and ownership of intellectual property rights when changes are made to the way the technology is being provided.

The regulator also stressed the importance of good governance by banks over their technology suppliers and recommended that banks put in place an “exit plan” for when their IT contracts with suppliers are due to come to an end.

“[Banks should ask themselves how they will] transition to an alternate service provider; get its data back; [and how] the data [will] be removed from the service provider’s systems [at the end of a contractual relationship],” the FCA said.

“This checklist will prove helpful in focusing organisations on the key issues that arise in any technology procurement or development as seen from the regulator’s perspective.

