Based on recent fines for outsourcing failures and the increased emphasis on holding individuals to account, UK financial services firms need to pay more attention to the overlap between the new outsourcing rules and the Senior Managers & Certification Regime (SM&CR). These activities suggest that the UK’s financial regulators plan to focus more attention on this nexus, especially in light of the upcoming deadlines this year.
The focus on the intersection between outsourcing rules and the SM&CR is fairly recent, because most of the rules are relatively new. The SM&CR came into force for banks in March 2016 and will apply to solo-regulated firms such as insurers and asset managers in December 2019. The EU’s European Banking Authority (EBA) published its outsourcing guidelines in February 2019, while the FCA issued its updated guidance on outsourcing to the cloud and other third party IT service providers in September 2019.
It’s hardly surprising that the UK regulators are keen to home in on the links between third-party risk management and personal accountability within organizations. According to the FCA’s 2019/2020 business plan, “Between October 2017 and September 2018, 17% of the incidents firms reported to us were caused by IT failure at a third-party supplier – the second highest root cause of disruption to services.” The FCA plans to spend the year “Setting clear expectations on outsourcing to third party service providers” as well as to financial services firms.
Recent enforcement activity also highlights the FCA’s intent to take action. In October 2018, a large UK insurer called Liberty was fined £5.2 million because a third party they worked with to provide mobile phone insurance to retail customers failed to handle claims and complaints correctly. Said the FCA, “Liberty retained regulatory responsibility for ensuring that claims and complaints made by customers were handled fairly, and ought to have ensured that it had in place adequate systems and controls to oversee the activities of the third party throughout. It did not.”
In May 2019, a retail bank called Raphaels was jointly fined £1.89 million by the FCA and the Bank of England’s Prudential Regulation Authority (PRA) because a third-party card transaction processor experienced an outage on Christmas Eve. There was a lack of business continuity arrangements between the bank and the third party. As a result, the card processor could not authorise 5,356 customer card transactions attempted at point-of-sale terminals, ATMs, and online. The FCA specifically criticized the board’s governance failures in this case.
At the same time, the UK FCA has increased its enforcement activity against individuals – nearly doubled by some estimates, depending on how levels are calculated. Among the regulator’s top priorities according to its most recent business plan is “holding individuals to account under SM&CR when things go wrong.” So, firms can expect much more focus on the role of individual senior managers in ensuring that TPRM programs are operating as they should.
The UK FCA keeps repeating, like a mantra: “If your firm relies on a third party for the operational functions of the firm, your firm is still fully responsible for carrying out all of its regulatory obligations. While you may outsource the function, you can’t outsource accountability for this function.” Under the SM&CR, senior managers must take “reasonable steps” to manage, operate, and control the areas of business that fall under their areas of responsibility. So, senior managers have the ultimate responsibility for managing or supervising the third-party relationships that fall within their organizational scope, and for which they are responsible to the regulator. Essential questions that senior managers should be asking themselves include:
In short, financial services firms need to focus on the overlap between the SM&CR and third-party risk. It’s clear that the FCA is going to be asking firms how senior managers are held to account for third-party relationships, in the context of the firm’s overall responsibility. Specifically, senior managers who are individually accountable for a third-party relationship should make sure their firm has a strong TPRM program in place to support them in their role.