Senior Management Arrangements Systems and Controls SYSC | Introducer Lead Generator Agreement | Mortgage Conduct of Business MCOB | Due Diligence and Assessment and Analysis | Template for FCA Applications and Authorised Firms

Introducer/Lead Generator Agreement

[Insert location/hyperlink to external location of this document]

 [We have included a template for this document in 02_Manual_Supporting_Docs.]

7.10 Outsourcing & Supplier Policy & Procedures

1. Policy Statement

The company outsources various operational functions to third parties where there is a business need or where the outsourcing of such functions is a legal, statutory, contractual or regulatory requirement. In doing so, we understand that additional risk can be posed to both business and customers and as such we are committed to ensuring the continued quality, standards and compliance of any outsourced process that is aimed for in all our in-house services and functions.

Where any task or activity is outsourced, the company employs structured and robust assessment, due diligence and monitoring measures and procedures, both prior to entering into any supplier contract and for the duration of the business relationship. Our dedicated procedures are used to initiate, maintain and monitor the operational function of the outsourced process as well as to assess the expertise, quality and ongoing compliance of the supplier or vendor.

The company is committed to providing a professional, reliant and transparent service, which includes any outsourced functions and we ensure that any third-party service providers are suitable, competent and trustworthy prior to committing to any working relationship. We also ensure that where a function is outsourced, we have back-up service providers in place should there be a failure with the primary provider.

2. Purpose

The purpose of this policy and procedure document is to provide the company’s statement of intent and objectives for how we manage and monitor our outsourced business services and/or processes and the supplier carrying out those functions. It also provides step by step procedures and guidance for staff and associated individuals/firms, with regards to the company’s processes and methodology for outsourced services and/or business functions.

This overall purpose of the document is to ensure that the company has set suitable and effectives objectives to meet our regulatory and ethical obligations for any outsourced processes and to enable our staff to identify, manage and mitigate against the financial, operational and business risks associated with any service or function that must be outsourced. Our aim is to use only those firms and individuals who are compliant, competent, suitable and reliable and the procedures used during our due diligence checks and ongoing monitoring of any supplier or provider ensures that we can achieve this.

3. Scope

This policy applies in full to the company and its staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas). Any member of staff who does not follow this policy and any associated procedures will be subject to disciplinary procedures and possible termination from the company.

4. What is Outsourcing?

For the purposes of this document, ‘outsourcing’ refers to any business function or service that is provided by or contracted out to an external, non-associated provider or supplier. Examples of commonly outsourced functions include postal and mailing services, wastepaper disposal, disaster recovery and translations.

Outsourcing usually happens for 3 reasons: –

• a firm is unable to complete a function or service in-house, possibly due to constraints on resources, time, space or the skill level needed to complete the task
• it is more cost effective to outsource certain functions or processes (e.g. mailing or waste disposal)
• there is a legal or regulatory requirement for outsourcing (i.e. in debt collection where only licenced legal professionals or courts can carry out certain tasks)

Business Process Outsourcing (BPO) is the specific outsourcing of business processes (as oppose to assets or people) and has become a common part of most businesses in today’s market. There are 2 main definitions of BPO: –

Horizontal BPO – horizontal BPO focusses on delivering generic support and process functions that relates to all industries as a general part of business. The supplier or vendor specialises in carrying out particular functions across multiple industry domains, such as recruitment, mailing, waste disposal, HR or accounting.

Vertical BPO – vertical BPO is more industry specific with the supplier or vendor focusing on a limited number of sectors or industries and the functions providing being industry specific. Vertical suppliers can be found in industries such as financial services, retail and healthcare and aim to be experts in the industry and functions that they provide.

Where a regulated firm outsources any of its business functions, it has a duty to its staff, customers and regulators to ensure that the function is still being completed compliantly, ethically and satisfactorily. It is ultimately the firm’s responsibility to ensure compliance, even when the function or process is being completed elsewhere, which is why strict and robust outsourcing policy and procedures documents are necessary.

5. Objectives

The company confirms that in relation to outsourcing business services or processes and when using the services of 3^rd parties, lead generators and/or introducers, we will ensure that the below objectives and obligations are met through implementing the relevant procedures, systems and controls.

Under the FCA Handbook section SYSC 8.1 and with reference to the rules and guidance contained therein and in accordance with our own internal objectives; the company agrees to: –

• avoid any undue operational risks when relying on a service provider for all or part of an operational function
• not to outsource any important operational risk that may impair the quality of the firm’s internal control or the regulators ability to monitor the firm’s compliance with our obligations under the regulatory system
• implement policies and procedures which govern the use of outsourcing and any service provider used
• carry our frequent and rolling audits (physical and remote) on any service provider in relation to their conduct, ability to perform the outsourced task and required compliance
• ensure that the service provider has the correct ability, capacity and any required authorisation to carry out the required function
• ensure that the service provider protects any sensitive and/or confidential information supplied to them in the course to the business relationship
• identify and implement disaster recovery and business continuity procedures and contingencies for any service or function that has been outsourced and to carry out periodic reviews and texts of any such plans
• ensure that a Contract and Service Level Agreement (SLA) is in place and agreed to by both the firm and service provider, prior to any business relationship forming
• carry out a due diligence check and assessment prior to signing the contract and will record the checks and completed forms on the Service Provider Register
• ensure that no outsourcing arrangement diminishes our ability to meet our contractual, regulatory and compliance obligations
• evaluate all risks associated with the outsourcing functions and supplier and score according to our Risk Assessment Matrix to ensure viability of implementation
• ensure the providers ability to maintain the privacy, security, and data protection obligations as applicable to our firm, business type and industry
• have specific procedures and SLA clauses set up for outsourced functions that occur in different time zones and/or countries; to ensure compliance with local law as well as our own regulatory requirements and to prevent risks associated with time differences
• enforce and monitor that all 3^rd parties used for outsourcing or as contractors, lead generators or introducers, comply with and agree to follow this Outsourcing Policy & Procedure and the obligations and procedures contained herein as well as accepting our Due Diligence checks, ongoing monitoring and evaluation and selection procedures

6. Risk Assessment

Prior to outsourcing any business service or function, the company will identify any operational, financial and/or business risks that may present themselves by using an external provider or outsourcing a specific service or process. These risks will be assessed using the Risk Matrix and assigned an impact/probability rating which will form part of the firm’s decision on whether to proceed with the outsourcing.

Other risks that can be associated with outsourcing are: –

• Financial
• Reputation
• Service/Product Quality
• Delays
• Timeframes
• Ability to Comply with Regulatory Requirements

6.1 Due Diligence

The company uses [WebCHeck] searches, individual/director identity checks and a comprehensive Due Diligence Questionnaire and Checklist to ensure that any service provider considered for a business relationship is fit for purpose, reliable, suitable, competent, qualified and experienced.

• In addition to the questions and assessment areas contained in our Due Diligence checks, the selection of providers for outsourced services is also based on the following criteria: –
• Length of experience and depth of expertise in the services and/or functions being offered
• Obtaining samples and evidence of any similar previous work carried out
• Obtaining references or testimonials from previous and/or existing clients
• Cost analysis of services and/or processes provided
• Contractual arrangements consistent with this Outsourcing Policy and Procedures

6.2 Outsourced Functions Register

For any process, function or service that is outsourced, the company maintains a register of the details relating to each provider for regulatory and monitoring purposes. Our Outsourced Functions Register enables us to meet our obligations under this policy and procedure document and to ensure that all outsourced functions are handled according to our own strict procedures and protocols.

Our Outsourced Functions Register is in an external document located at [add location/hyperlink for register]

[We have included a template for this document in 02_Manual_Supporting_Docs.]

7. Procedures

7.1 Assessment & Analysis

Prior to any outsourcing agreement being made, the below procedures must be followed and recorded for each new relationship.

1. The service/function being considered for outsourcing must be assessed to see if it is a general business activity or involves all or part of a regulated activity.
   a. Where the service/function to be outsourced is part of a regulated activity, the firm must also be assessed and monitored for their compliance with the FCA regulations in the applicable area.
2.  An ‘outsource risk/benefit analysis assessment’ is completed for the function/service under consideration, which must include the below information: –

a. Possible efficiency/monetary/quality gains by outsourcing the service
b. List of detailed risks associated with outsourcing the service
c. List of defined benefits and downsides to outsourcing the service
d. Departments and/or staff who will be affected by/involved in the outsourced function
e. Arrangement for monitoring the quality and compliance of the outsourced functions and supplier
f. Scope and timeframe for outsourcing the process or service
g. Internal staff changes, and additional training needed in relation to the outsourcing
h. Implementation of any new systems

7.2 Preparation & Selection

1. After the initial decision to proceed with outsourcing has been made, the company creates a criteria list to be used in the selection stage of the outsourcing process. The criteria list is specific to each project and details the objectives, obligations, standards and requirements that must be met by the supplier.
2. We then collate a list of suitable vendors who can be considered as the outsourced function provider. This list is compiled using all vendors in the market who are suitable to provide the outsourced function. This list is generally large in the initial stage, so we use a Request for Information (RFI) for to narrow down the choices based on the criteria set in step one above.

7.2.1 Request for Information (RFI)

We use a template RFI to collect written information about the capabilities of various suppliers so that the information provided can be assessed against our selection criteria and used for comparative purposes. Each RFI is edited to fit the purpose of the outsourced project and then sent out to the chosen vendors.

[As each RFI is business type and project specific, we have not provided a template for this document, so you should create a generic RFI template that can be used/edited for each supplier project.]

All RFI’s are given a submission date by when all responses must be received. Responding vendor information is then compared and assessed against the pre-set criteria and project requirements. A reduced list of vendors is then selected to proceed to the next stage in the process.

7.2.2 Request for Proposal (RFP)

Vendors proceeding through to the Request for Proposal (RFP) stage of our outsourcing process have been assessed against strict criteria and are deemed capable to commit to providing the relevant services or process. At this stage, we now create an RFP document with specific details about the scope and requirements of the project to ensure that vendors can respond to and price accordingly. Such information includes, but is not limited to: –

• Scope of opportunity
• Relevant requirements and objectives
• Timescales and project length
• Staff & training requirements
• Industry requirements
• Regulatory requirements
• Systems, technology and/or governance requirements
• SLA and/or Contract specifics
• Volume of data (where applicable) or job size
• Ongoing monitoring & due diligence
• Outcomes and performance

The RFP document is then distributed to all participating vendors with specific information on the engagement requirements timelines for questions and responses and key information.

7.3 Evaluation

Once all completed RFP’s have been received, we enter into the evaluation stage of the outsourcing process. At this stage, any vendors who are unable to meet the criteria and requirements set out in the RFP are discounted from further consideration. The evaluation stage takes those from the RFP list through to the short-list stage where we chose a primary and secondary provider for the outsourced services and/or process.

1. The project lead for the specific outsourcing project handles the evaluation stage and also communicates with the vendor POC as noted on the RFP’s
2. All answers to the RFP questions are assessed and any clarifications obtained from the relevant POC and are noted on an attachment to the RFP for future reference
3. We employ a scoring process for evaluating the RFP’s so that a comparable assessment of each vendor can be made
4. Vendors who are discounted at this stage due to low scoring, are contacted in writing within 4 weeks and provided with a summary of why they have been unsuccessful in bidding for this project
5. Firms exceeding the minimum set score for the relevant project are added to a short-list and further risk assessed until we select a primary and secondary provider
6. At this stage, we start the due diligence and change management processes of the selected vendors

7.4 Allocation & Due Diligence

Once the primary and secondary vendors have been chosen, we draft up a Service Level Agreement applicable to the chosen vendors and service or process to be outsourced and a binding contract between ourselves and the vendor. Negotiating any clauses or requirements is carried out at this stage by the project lead and vendor POC until both firms agree to commit and proceed.

1. One vendor is chosen as the dedicated (primary) service provider and a second vendor placed in a back-up (secondary) position to ensure compliance and continued service in the event of any business failure of loss of use of the primary provider.
2. Both vendors are added to the Supplier List and Outsourced Functions Register
3. A due diligence audit and questionnaire is completed for both the primary and secondary providers prior to any agreement being entered into. In addition to the due diligence questionnaire, the company will ensure that it considers the: –
   a. company’s reputation and history
   b. quality of services provided to other customers
   c. number and competence of staff and managers
   d. financial stability of the company and commercial record
   e. retention rates of the company’s employee
   f. company’s adherence to relevant regulatory requirements and laws
4. A detailed company check, and background search must be completed on both the service provider and back-up provider, prior to any agreement being made
5. A physical visit to the primary providers’ services location must be made with a view to carrying out a physical on-site audit.

7.5 Outsourcing Agreement

Once the primary and secondary providers have been assessed, selected and approved, they will be added to their Supplier List and Outsourced Functions Register and an outsourcing agreement (or SLA) is then created and signed by both parties. The agreement will address the below areas: –

• Duties and obligations of the company
• Duties and obligations of the service provider
• Applicable law to outsourcing agreement
• Regulations that apply to the outsourced service/function
• Duration of the Agreement
• Terms of the Agreement
• Reporting
• Audits & Monitoring
• Dispute Resolution
• Confidentiality Agreement
• Non-Compete Agreement
• Appeal & Enforcement

Upon completion of the agreement, the initial outsourcing commences on a 28-day trial with weekly monitoring checks. The process for outsourcing is as below: –

[If you have your own existing procedures for outsourcing a service to a provider, please include them here]

1. If it is possible to outsource part of the service or to outsource in stages/sections, then this should be the default position for all service providers.
2. Where the service provider has access to any internal systems, technical and physical access controls will be used and overseen by the IT Manager to prevent unauthorised access or data breaches.
3. All existing in-house provisions and staff for the outsourced service, will be retained and made readily available throughout the initial implementation period to avoid delays or risks to the business or regulated activities.
4. End of day reports are to be provided by the service provider for the first 28 days and then as per the agreed contract terms going forwards
5. Monitoring checks will be carried out daily during the implementation period, to include: –
   a. Service/function quality
   b. Regulatory compliance
   c. Contractual compliance
   d. Suitability
   e. Efficiency
6. After the first 28 days of outsourcing, the compliance officer and primary outsource team will review the service provider against the initial ‘outsource risk/benefit analysis assessment’ to ensure that the outsourcing is viable and suitable on a long-term basis.

8. Monitoring & Audits

Monitoring of the quality, compliance and result of the outsourced service/process is carried out every [*1/2/4/8 weeks] to ensure that the service provider and outsourced function remain compliant with contractual and regulatory requirements and are both viable and suitable for business needs. Monthly remote audits are carried out and recorded, with a physical audit being conducted on a quarterly basis.

1. Audit checklists are to be used when monitoring the performance and service provision of the outsourced service.
   b. Checklists are to be retained for 6 years after the working relationship has been terminated.
   c. Due diligence questionnaires are repeated on an annual basis with company and financial checks to be included.
   d. Where there are specific FCA regulations that affect or involve the outsourced process or service, these are monitored for compliance on a weekly basis against the handbook requirements and our own internal objectives

To ensure the productivity, effectiveness and suitability of the outsources service or process, the company ensures that the below key principles are monitored and met for the duration of the relationship: –

1. Compliance with the regulation, contractual and legal requirements is adhered to and maintained
2. Continued measurements and assessment of the benefits and suitability against the projects initial criteria
3. Ongoing risk assessments with any business and/or vendor changes and staff retention
4. Training of new staff for both our business and the vendor
5. Continual review and assessment of security and data protection standards and requirements
6. Ongoing assessment that the vendor meets and achieves the SLA requirements and project criteria
7. Audit and benchmarking measures and controls implemented, used and maintained
8. Continued communication with the vendor and specific POC throughout the business relationship
9. Ensuring records and documentation are maintained and retained as per the SLA and legal requirements
10. Dispute resolution and complaint monitoring

9. Responsibilities

The company has a corporate and regulatory obligation and responsibility to ensure that any service or business function that it outsources to a 3^rd party service provider, is not subject to any operational risks or that there is not a loss of quality in the service provided.

[Designated Person] has overall responsibility for handling all service provider contracts, SLA’s, due diligence checks, audits and monitoring and for implementing and monitoring the firm’s procedures in relation to outsourcing.

Management are responsible for designating suitable owners of business processes that are outsourced, overseeing the outsourcing activities and ensuring that this policy is followed. They also have full responsibility for mandating commercial or security controls to manage the risks arising from outsourcing.