FCA and BoE: Evaluate Your Third Parties

Consultation on new rules is set to close on April 3, but regulators are reviewing deadlines as firms are under pressure due to the coronavirus.


UK regulators have urged banks and issuers to scrutinize their outsourced functions in line with proposed rules on operational resilience and third-party risk.

As the coronavirus pandemic disrupts markets and threatens business continuity, the Financial Conduct Authority (FCA) and Bank of England (BoE) are calling on firms to examine whether it is safe to outsource certain “important business services” to vendors.

The regulators have asked relevant institutions to closely assess their third parties to ensure they meet the same level of due diligence and tolerance requirements as the regulated firm would if the processes were brought in-house.

“If you’re making a business decision to outsource, you need to take that in a controlled fashion,” said Megan Butler, director of supervision for investment, wholesale, and specialist at the FCA, during a webinar on operational resilience on March 13, hosted by the FCA and BoE.

“If you [the in-scope firm] can’t reach the standards that we are talking about here, you shouldn’t be outsourcing. So that’s the level of conversation we do expect to see. It might be that you step through some of these arrangements that we’re asking you to put in place, and some businesses take different decisions about what they can safely outsource. We think that is the right thing to do,” Butler said.

On December 5, the BoE, the Prudential Regulation Authority (PRA) and FCA jointly released a series of consultation papers aimed at strengthening the operational resilience of financial services firms and modernizing the regulatory framework on outsourcing and third-party risk management.

While institutions have been subject to operational scrutiny for years, the proposed rules place a greater focus on third- and fourth-party risk, and the ability to manage firms’ growing networks of outsourced vendors, particularly in times of crisis.

Under the proposals, firms will have to determine which of their business services are critical to the market and the maximum disruption to each service that they can tolerate. They must also prove that their third parties can recover from a failure within the necessary period of time to avoid “intolerable risk.”

As part of the compliance process, vendors will be expected to hand over detailed information about their operations and resiliency to their clients. 

Self-Assessment Templates

During the webinar, Butler and Lyndon Nelson, CEO and executive director of regulatory operations and supervisory risk specialists at the BoE, fielded questions on the upcoming regulation.

In response to queries, they said the BoE and FCA would not be issuing self-assessment templates, as there is no one-size-fits-all approach to assessing risk tolerance. Each business case is different, and the resolution of most disruptions, such as cybersecurity attacks, requires a flexible approach.

“One of the challenges we all have is if you have a very fixed template, that will quickly become out of date and will not be flexible enough as that threat evolves,” Nelson said. “So we think it’s really important that firms are given flexibility to think about their assessment and what they’re vulnerable to, particularly with these very evolving and changing threats. We think a standardized template would simply be counterproductive.”

Individual firms will be tasked with defining their own tolerances, such as the maximum level of disruption and the time limits in which they can resume the delivery of important business services.

Butler said cross-industry coordination initiatives could be established to help with regulatory compliance, and trade bodies could play an important role in convening firms to share knowledge and ideas.

“This is one area where as an industry, we are only as strong as our weakest link,” she said. “We all need to participate, share, and discuss, so that we can all improve that combined resilience picture in a consistent way.”

The rules are scheduled to be published in the second half of 2020, and firms are mandated to start complying 12 months later. 

However, in-scope firms will be given a three-year window or grace period, after which they will be expected to comply fully.

Nelson and Butler also said that the self-assessments will not be provided on a submission basis, but rather made available at the authorities’ request.

The consultation for the rules is set to close on April 3, but the regulators “are reviewing all dates given the pressure on resources arising from Covid-19,” Nelson said. 
