Outsourcing (SYSC 8.1) | FCA Handbook

A firm may outsource activities to a third party; however, it cannot outsource or delegate its regulatory responsibilities. When relying on a third party for performance of operational functions that are critical for the performance of a regulated activity, then the firm should ensure:

• it takes reasonable steps to avoid any additional operational risk;
• it does not impair materially the FCA’s ability to monitor the firm’s compliance with FCA regulation;
• it has effective processes to identify, manage, monitor and report risks;
• has adequate and effective internal controls in place;
• it has informed the FCA that it intends to outsource the function to a third party; and
• makes available to the FCA, on request, all information necessary for the FCA to supervise compliance of the outsourced activities.

If a firm outsources critical operational functions or services, it remains fully responsible for discharging all of its regulatory obligations and must comply with the following conditions:

• the outsourcing must not result in the delegation by senior management of their responsibility;
• the relationship and obligations of the firm towards its clients under the regulatory system, must not be altered;
• the conditions with which the firm must comply to be authorised must not be undermined; and
• none of the conditions for the firm’s authorisation must be removed or modified.

The firm should have a written agreement in place with all third parties performing outsource functions: identifying its own responsibilities, third party responsibilities, activities that are to be outsourced and the means for terminating the contract. Activities that are not deemed critical include:

• provision of advisory services and other services which do not form part of the relevant services of the firm, such as: legal advice, staff training, billing services and security of the firm’s premises and staff; and
• purchase of standardised services, such as market information services and provision of price feeds.

Outsourcing activities to service providers

A firm should, before outsourcing an activity, ensure the following conditions are met:

• the service provider has the ability, capacity and authorisation;
• the service provider can carry out the service effectively (the firm will need to be able to assess this effectively) and that action is taken if this does not happen;
• the service provider can adequately supervise the operation of the function or service; the firm has adequate expertise and resource to monitor the service provider;
• the service provider must disclose to the firm any development that may materially impact its ability to continue to undertake the outsourced activity;
• the firm is able to terminate the arrangement without detriment to the continuity and quality of the provision of the service;
• the service provider must co-operate with the FCA;
• the firm, its auditors and the FCA must have affective access to data related to outsource activity, as well as the business premises of the service provider;
• the service provider must protect any confidential information relating to the firm and its clients;
• the firms and service provider must maintain a business continuity plan and undertake periodic testing if back up facilities; and
• there must be a written agreement in place detailing the respective rights and obligations of the firm and the service provider (we would recommend that
• firms obtain an independent review of any outsourcing agreements, before entering into any outsourcing arrangements).