Outsourcing / third party management compliance and recent COVID-19 impacts

This is a risk and compliance based guest blog by Northey Point associate Mark Rodgers. For more information visit: Regulatory and Compliance Corner.

FCA-regulated firms whose business and operational models are materially dependent on third parties, or who materially outsource core or critical functions, are required to have compliant and effective risk management and supplier management arrangements and procedures.

In particular, they must identify, manage, monitor and report on relevant third party risk as part of their regulatory obligations, meeting for example the FCA risk management requirements in PRIN3 and SYSC1.2.1 and the general FCA SYSC8.1 requirements around outsourcing, whether these take the form of rules or guidance.

Systems and controls specific compliance oversight guidance in SYSC3.2.4 and SYSC13.9, together with the SYSC8 requirements, has been around for several years, almost as long as outsourced activities have been inside the regulatory perimeter, having been brought there by rules that prevent a firm from contracting out of its regulatory obligations.

Regulated firms seeking to grow and enhance their businesses, gaining advantage and cost effectiveness through technology, is therefore just one area where outsourcing is increasingly prevalent. Historically, many regulated firms have outsourced different parts of their business models to achieve such cost efficiencies and to add value.

Regulators and supervisors have not missed the point that, in financial services ("FS") firms' recent rush towards digitisation, a commensurate increase in the outsourcing of core or important operational functions, including the replacement of in-house IT functions with online hosted services, is likely to bring increased operational risk and new aspects of compliance needed to protect consumers.

Look, for example, at the EBA guidelines on outsourcing published in February 2019, applicable to credit institutions and to payment and electronic money institutions alike. See too the FCA's explanation (January 2020) of its expectations regarding operational resilience for firms using outsourcers and third party suppliers.

Aligned with other UK requirements, the EBA guidelines are given effect by the UK regulators, the PRA and FCA, through the Principles for Businesses and the systems and controls requirements. PSD2 too, as you would expect, places a number of outsourcing-focused requirements on payment institutions: payments made to third parties, for example, are subject to strict compliance standards around security and resilience, and in some cases indirectly via the mandated use of APIs.

Recent Covid-19 events have brought outsourcing into much sharper focus because of the nature of this pandemic and how it has impacted the operation of FS firms, including payment institutions. The overt, visible impacts are known, but what might not be so obvious is the speed with which coronavirus has impacted firms' whole chains of operations, in particular those with partly or fully outsourced business arrangements.

Covid-19 was, and is, a severe test of whether, and how effectively, outsourced services have continued to be delivered, and so of the risk and compliance experience too. Yes, firms have remained reliant on the effectiveness of their risk frameworks and compliance controls, but have Covid-19 and its impacts created such a deterioration in service delivery (performance and/or quality) that longer-term weaknesses in systems and controls and in compliance oversight arrangements and procedures have been revealed?

The Covid-19 event is unprecedented, at least in terms of its impacts, and what is on the table in this blog is, in essence, a couple of dimensions of compliance, and only a snapshot at that.

What is certain is that disruption to operations and services has raised questions about how well firms understand their third party suppliers (beyond the signed contractual agreement), and not just from the perspective of the original due diligence process.

Covid-19 has in many instances revealed the reality of outsourcer capabilities in terms of the continuity of the services they provide and their ability, or inability, to shift rapidly to remote working patterns, where for some outsourcers the BCP arrangements agreed many years earlier were based on quite different strategies and plans.

The obvious example is continuity via a backup disaster recovery site, which is of little help when staff cannot travel to any site at all.

Of course, coronavirus and Government workplace lockdown restrictions at the height of the first wave affected outsourcers as severely as they did the regulated firms themselves, and thus also materially affected performance against SLA standards.

Testing times, then, for risk and compliance teams to demonstrate their effectiveness, given that the compliance obligation to monitor and evaluate supplier contingency plans for disaster recovery and backup facilities will have existed before the crisis.

It is not a standalone issue, because there cannot be many firms that have not needed to invoke their BCP plans. The question is whether particular outsourcing risks had ever been fully understood, as opposed to a blind default reliance on the main heads of agreement and on where liabilities sat under the outsourcing agreements.

This question may be even more pertinent where the outsourcing is offshore, with different workforce restrictions and different levels of structural remote working capability.

Testing times for regulators too, who no doubt have shown understanding and acted reasonably towards firms suffering business interruption throughout this period. This does not, however, detract from firms' ongoing monitoring responsibilities, notwithstanding more pressing priorities.

Operational survival and continuity was, and is, the priority, and compliance monitoring and oversight assurance might not have been carried out as set out in compliance plans and assurance programmes.

This could also have been compounded by difficulties in obtaining reasonable access to third parties, or in communicating with suppliers for periodic monitoring and reporting.

In the UK such challenges were likely eased by the use of cloud-based collaboration software such as Teams or Zoom, but for third parties overseas the communication challenges could have been far greater, if not impossible to surmount.

On a positive note, one consequence of Covid-19 has been an increase in online business activity, leading in some cases to greater volumes of digital payment transactions following the onset of government restrictions on movement.

Consumer spending behaviour, for example, appears to have shifted from in-store to online, and firms with digital transaction capabilities, providing or using third party digital payment services over the period, have weathered the storm better in terms of levels of retail business.

From a compliance perspective, the importance of having appropriate controls, oversight and assurance over online and digital business has therefore never been greater. In this case it is the altered configuration of distributed operations and externally hosted, third party supplied IT and software services that raises the questions, extending the importance of resilience and IT/cyber security.

Compliance in this scenario is demonstrated through controls aligned to industry standards such as ISO27001 and the NIST framework approach, with the caveat that a supplier's ISO27001 certificate only covers the scope stated on it, so the firm should confirm that the outsourced service actually falls within that scope. The move toward digitisation by many types of FS firm is in scope, as are the newer payment institutions whose configurations have been outsourced from the outset.

Covid-19 appears to have accelerated demand for digital services, and so robust resilience is inevitably going to be a greater focus for regulators, in particular how well payment institutions comply with their obligations to oversee their outsourcing partners.

This would apply, for example, to firms that outsource the APIs used to make payments or the encryption of digital payments, or to a payment services provider using a third party's aggregated, cloud-based service to access central payments infrastructure.

No wonder the FCA, in its recent explanation of its expectations for outsourcing and the implications for operational resilience, has reminded all regulated firms using outsourcing providers, including payment services firms, of those expectations.

A quick read through the FCA's explanation should show you how interwoven outsourcing risk management and compliance requirements have become from an operational resilience perspective: from the FCA Principles for Businesses and the high-level systems and controls requirements, through PSD2 and the Electronic Money Regulations, across to the European Supervisory Authorities (ESAs) and the European Banking Authority (EBA) guidelines on outsourcing, which stem from the Capital Requirements Directive.

In the slow move back towards normalisation (hopefully!), firms will no doubt be evaluating how their third party suppliers (material or not) have been performing, and how the outsourcers themselves stood up to the same Covid-19 impacts.

Questions of risk assurance and compliance oversight naturally fall within this evaluation, and as firms go through the process this brings us to the tools at their disposal.

The contractual obligations should help in assessing performance and quality via SLAs, but hopefully this blog demonstrates that the subject is broader than that: various types of compliance and assurance require evaluation, and given recent experience a greater and deeper ongoing understanding of outsourcer capabilities should be obtained in order to achieve compliance with the current multi-layered regulatory requirements.

How to do this probably requires a separate paper, but one immediate suggestion is that it is an opportunity to look at how the outsourcing relationship is managed.

A joined-up oversight approach will help to avoid immediately overwhelming the supplier with oversight activity. In addition to the audit and access rights under the outsourcing contract (assumed in this blog to be adequate), strengthening relationship management arrangements and capabilities, including the skills and knowledge of relationship managers, will add meaningful insight and information to aid better compliance oversight and risk assurance.