
 

Here are links to the information on outsourcing:

The new rules on outsourcing

The new rules on conflicts of interest are set out in SYSC 8. You can access them via our full handbook online through 'High Level Standards' and 'SYSC'.

FSA publications

Industry guidance

MiFID Connect has issued industry guidance on our outsourcing requirements, which you may find helpful.


Q&A on outsourcing

What are the new outsourcing requirements?

The MiFID-based outsourcing requirements are in essence broadly similar to our pre-November guidance in our SYSC sourcebook relating to outsourcing. The main differences are that the MiFID-based requirements are more detailed, and will apply as rules in our new SYSC sourcebook for the outsourcing of critical and important functions across the whole of a firm's financial services activities.

Firms must take reasonable steps to avoid undue operational risk when outsourcing critical or important functions. An operational function is regarded as critical or important if a defect or failure in its performance would materially impair:

  • the continuing compliance with the conditions and obligations of its authorisation or its other obligations under the regulatory system; or
  • its financial performance; or
  • the soundness or continuity of its financial performance; or
  • the soundness or continuity of its relevant services and activities.

Advisory and standardised services are excluded.

The outsourcing must not impair the quality of the firm's internal control, or the ability of the firm's supervisory authority to monitor its compliance with regulatory obligations.

The emphasis of the requirement is on 'reasonable steps' – that is, the processes and procedures a firm should take. In taking reasonable steps a firm should be satisfied that:

  • the service provider has the ability, capacity and necessary authorisation to perform the outsourced activities reliably and professionally;
  • the firm can assess the standard of performance; and
  • it can supervise the third party appropriately and manage risks associated with the outsourcing.

Like our current provisions in SYSC 3, the MiFID-based provisions emphasise that the firm and its senior management remain fully responsible for regulatory obligations. The outsourcing cannot result in senior management delegating their responsibility, must not alter the relationship and the regulatory obligations of the firm to its clients, and must not undermine the firm's conditions of authorisation. This emphasis on the continuing responsibility of firms and management is one of the key aspects of our MiFID-based outsourcing provisions – firms will not be able to outsource ultimate regulatory responsibility.

Other important steps the outsourcing firm must take to comply with the new requirements include ensuring:

  • it takes appropriate action where the service provider is not carrying out functions effectively or in compliance with applicable laws / regulatory requirements;
  • the firm, its auditors and relevant regulatory authorities have effective access to data related to outsourced activities and the business premises of the service provider;
  • the service provider will protect confidential information relating to the firm or its clients;
  • the firm and the service provider have a contingency plan that provides for disaster recovery; and
  • the outsourcing agreement is in writing.

We have applied the MiFID-based provisions as guidance for the outsourcing of operational functions which are not critical or important for the performance of relevant services and activities. We believe this approach reflects the high-level organisational provisions of the CRD (which do not make the distinction between the importance of functions which are outsourced). And we think it will give firms a useful benchmark regarding the types of processes and procedures they could use in managing these outsourcing arrangements.

What should firms do in preparation for the new requirements on Outsourcing?

These new requirements come in on 1 November 2007 (unless firms choose to adopt them earlier). So between now and then firms should take the opportunity to review all their third party supply contracts to check:

  1. whether they are critical or important to the firm;
  2. if they are, ensure they meet these requirements as there is no grandfathering under MiFID or CRD;
  3. review and revise as appropriate the terms of the firm’s standard outsourcing contracts so they will meet the new rules; and
  4. renegotiate existing contracts where necessary.

 

