Financial Services Outsourcing
Financial institutions have a vast array of contracting arrangements unique to the sector, ranging from trading platforms to back office settlement functions, from funds’ administration to information systems.
The divide between mainstream outsourcing and pure financial services is not always obvious (even if most outsourcing lawyers would recognise contracts for network services, applications support or IT provision within a financial services firm). The practical importance of the divide is the blend of legal skills required and in particular the need to understand both the financial services market and outsourcing more generally. To use a very simple example, different skills will apply to an investment management contract (which will be primarily a matter of financial services law) as opposed to a network services agreement (which will be more in the way of a mainstream commercial outsourcing).
The regulatory environment
Financial services regulation in the UK has always been concerned with the systems and controls of firms carrying on financial services activities. With the trend towards increased integration of the European financial services market this area has naturally been affected by regulation at the European level.
In relation to banking law and regulation, the recommendations of the Basel Committee on Banking Supervision (the “Basel Accords”) were implemented throughout the European Economic Area by the Capital Requirements Directive (“CRD”), which in turn re-cast the Capital Adequacy Directive (“CAD”) and Banking Consolidation Directive (“BCD”). While primarily concerned with the amount of capital to be held by banks, the BCD does extend to governance arrangements, particularly management oversight, systems and controls, and the management of risk. In relation to investment services, the European Market in Financial Instruments Directive (MiFID) (which replaced the Investment Services Directive) imposes similar – though not identical – systems and controls requirements for firms undertaking investment services activities.
In the UK, the Financial Services Authority has been responsible for implementing the various requirements imposed by the above mentioned European Directives through its handbook of rules and guidance (the FSA Handbook), and in particular the “common platform requirements” contained in the FSA’s Senior Management Arrangements, Systems and Controls (SYSC) Sourcebook (which forms part of the FSA Handbook).
Rather than have separate regimes implementing CRD and MiFID, in the SYSC Sourcebook the FSA sought to establish a unified set of risk management and systems and controls requirements applying to firms generally.
The FSA Handbook has always contained a number of principles intended to be general statements of the fundamental obligations of all firms subject to the UK financial services regulatory system. These are set out in the Principles for Businesses (PRIN) Sourcebook. Principle 3 is of particular relevance to outsourcing. It requires firms to take reasonable care to control their affairs responsibly and effectively, with adequate risk management systems. In practice, any breach of the more detailed outsourcing rules in the FSA Handbook would also be treated as a breach of Principle 3, and so this principle must always be borne in mind. In essence, the provisions in the SYSC Sourcebook are the detailed development of this overriding principle.
The application of the provisions in the SYSC Sourcebook depends on the nature of the activities carried on by the outsourcing firm. There are separate provisions for insurers, insurance underwriters and the Society of Lloyd’s. For other types of firm, the application of the common platform requirements (SYSC 4 to 10) depends on whether the firm is a “common platform firm”, including banks, building societies and investment firms subject to MiFID (such as broker dealers, investment managers and financial advisers). Broadly, while SYSC 4 to 10 apply as ‘rules’ to a common platform firm, they may take effect as ‘guidance’ or not apply at all for other types of firm. It’s therefore necessary to understand exactly the regulated activities a particular firm is carrying on in order to understand the scope of its regulatory obligations.
The common platform requirements relevant to outsourcing
Although the main source of provisions affecting outsourcing is SYSC 8, it’s important that an outsourcing firm doesn’t lose sight of its general regulatory obligations. This is reinforced by the fundamental principle applying to outsourcing arrangements within the scope of SYSC 8 – that an outsourcing firm remains fully responsible for discharging all of its obligations under the regulatory system (SYSC 8.1.6).
SYSC 8 applies to arrangements pursuant to which a service provider performs a process, service or an activity (which would otherwise be undertaken by the firm itself) relating to a critical or important operational function. An operational function will be critical or important if a defect or failure in its performance would materially impair the continuing compliance of the firm with its regulatory obligations, the firm’s financial performance or the soundness or continuity of its relevant services and activities (SYSC 8.1.4). Certain advisory services (e.g. legal advice), standardised services and the recording and retention of telephone and email communications are not considered to be critical or important for the purposes of SYSC 8. But where there is ambiguity over whether a particular outsourcing falls within the scope of SYSC 8, careful consideration should be given to the way it’s structured.
The detailed requirements of SYSC 8 are subject to the general duty to exercise due skill, care and diligence when entering into, managing or terminating any outsourcing of critical or important operational functions (SYSC 8.1.7), and the requirement to ensure the respective rights and obligations of the firm and service provider are clearly allocated and set out in a written agreement (SYSC 8.1.9).
Of course, adhering to these detailed requirements in the outsourcing contract is only one component of compliance. In practice, issues such as service provider selection feed into the procurement process, and issues around monitoring performance don’t end once a contract has been put in place. Furthermore, a cold look at the list of SYSC 8 contract issues doesn’t reveal the full extent of responsibilities. See, for example, the rules and guidance in the FSA’s Supervision (SUP) Sourcebook. A firm must take reasonable steps to ensure that a service provider deals in an open and cooperative way with the FSA in the discharge of its functions (SUP 2.3.7R). Firms must also ensure that persons performing the controlled functions specified in the FSA Handbook are approved by the FSA to perform that function, even if employed by the supplier (SUP 10.12.3G).
Generally speaking, it’s wise to inform the FSA at an early stage of any significant proposed outsourcing to give it the opportunity to raise and address any concerns. Indeed, disclosure of a proposed outsourcing may be required. Principle 11 in the PRIN Sourcebook requires firms to “disclose to the FSA appropriately anything relating to the firm of which the FSA would reasonably expect notice.” Guidance in the SUP Sourcebook indicates that matters to be notified to the FSA include “entering into, or significantly changing, a material outsourcing arrangement”. As to what amounts to a ‘material’ outsourcing, the FSA has intentionally left this issue open-ended, stating that the materiality of an outsourcing will depend on the firm concerned, and that firms are best placed to make this determination.
The above mentioned provisions are not the only financial services regulations which may affect an outsourcing arrangement – they are merely those most directly relevant to outsourcing. Firms outsourcing their functions should not overlook the fundamental principle mentioned above applying to outsourcing arrangements within the scope of SYSC 8 – that the outsourcing firm remains fully responsible for discharging all of its obligations under the regulatory system (SYSC 8.1.6). Nor should international regulatory requirements and general law requirements be forgotten by outsourcing firms within the financial services sector. Sarbanes-Oxley, the USA Patriot Act and data protection, amongst others, may be highly relevant.
Finally, firms operating in the financial services sector should be aware that financial services regulation continues to evolve. The efforts of regulators to keep pace with changing market practices are among the principal factors sustaining this fluidity, as are changes in approach to regulation per se.
Plans announced last year by the Chancellor will see the abolition of the existing tripartite regime between the FSA, Bank of England and HM Treasury, effectively scrapping the FSA in favour of a ‘twin peaks’ regulatory model.
At the Bank of England this will see two new bodies set up, the Prudential Regulatory Authority (PRA), which will take responsibility for regulating banks, building societies, insurers and the largest investment firms, and the Financial Policy Committee, which will oversee macro-regulation. The rest of the industry will be left in the care of the Financial Conduct Authority (FCA), which is the new name for what had previously been labelled the Consumer Protections and Markets Authority. The FCA’s strategic objective will be to protect and enhance confidence in the UK’s financial system.
Following Treasury consultation last year the FSA released a “Dear CEO” letter on the transition in January. In the letter, Hector Sants, Chief Executive of the FSA, reiterated that the PRA (which he will head) will be responsible for promoting the stable and prudent operation of the financial system through the regulation of 2,200 firms. The focus will be on ensuring that institutional failures create minimum impact for the rest of the marketplace, rather than attempting to pursue a ‘zero fail regime’.
The precise timing for creation of the new bodies remains unclear. The target date is currently mid to late 2012 but this is expected to slip into 2013.
Outsourcing In Financial Services
14/07/2011
The regulatory environment for financial services outsourcing is complicated, and seems to be forever changing