Given recent fines for outsourcing failures and the increased emphasis on holding individuals to account, UK financial services firms need to pay more attention to the overlap between the new outsourcing rules and the Senior Managers & Certification Regime (SM&CR). These developments suggest that the UK's financial regulators plan to focus more attention on this nexus, especially in light of the deadlines falling due this year.
Growing enforcement focus
The focus on the intersection between outsourcing rules and the SM&CR is fairly recent, because most of the rules are themselves relatively new. The SM&CR came into force for banks in March 2016 and will apply to solo-regulated firms such as insurers and asset managers in December 2019. The EU's European Banking Authority (EBA) published its outsourcing guidelines in February 2019, while the FCA issued its updated guidance on outsourcing to the cloud and other third-party IT service providers in September 2019.
It's hardly surprising that the UK regulators are keen to home in on the links between third-party risk management and personal accountability within organizations. According to the FCA's 2019/2020 business plan, "Between October 2017 and September 2018, 17% of the incidents firms reported to us were caused by IT failure at a third-party supplier – the second highest root cause of disruption to services." The FCA plans to spend the year "Setting clear expectations on outsourcing to third party service providers", both for those providers and for the financial services firms that rely on them.
Recent enforcement activity also highlights the FCA's intent to take action. In October 2018, a large UK insurer called Liberty was fined £5.2 million because a third party it worked with to provide mobile phone insurance to retail customers failed to handle claims and complaints correctly. Said the FCA, "Liberty retained regulatory responsibility for ensuring that claims and complaints made by customers were handled fairly, and ought to have ensured that it had in place adequate systems and controls to oversee the activities of the third party throughout. It did not."
In May 2019, a retail bank called Raphaels was jointly fined £1.89 million by the FCA and the Bank of England's Prudential Regulation Authority (PRA) after a third-party card transaction processor experienced an outage on Christmas Eve. There were no adequate business continuity arrangements between the bank and the third party. As a result, the card processor could not authorise 5,356 customer card transactions attempted at point-of-sale terminals, ATMs, and online. The FCA specifically criticized the board's governance failures in this case.
At the same time, the UK FCA has increased its enforcement activity against individuals – nearly doubling it by some estimates, depending on how levels are calculated. Among the regulator's top priorities, according to its most recent business plan, is "holding individuals to account under SM&CR when things go wrong." So, firms can expect much more focus on the role of individual senior managers in ensuring that third-party risk management (TPRM) programs are operating as they should.
Understanding what’s required
The UK FCA keeps repeating, like a mantra: "If your firm relies on a third party for the operational functions of the firm, your firm is still fully responsible for carrying out all of its regulatory obligations. While you may outsource the function, you can't outsource accountability for this function." Under the SM&CR, senior managers must take "reasonable steps" to manage, operate, and control the areas of business that fall within their areas of responsibility. Senior managers therefore carry ultimate responsibility for managing or supervising the third-party relationships that fall within their organizational scope, and for which they answer to the regulator. Essential questions that senior managers should be asking themselves include:
- Who is accountable? – Firms need to be clear about who owns the third-party relationship under the terms of SM&CR, and how this responsibility is described within the organization’s governance framework. This is particularly important if the relationship is critical to the business. Senior managers should have accountability confirmed in writing, such as in statements of responsibility.
- What happens when something goes wrong? – Business continuity policies and procedures should be documented and regularly tested – preferably jointly. Regulators are keen to see that the organization and the third party are working together closely around operational resilience issues.
- How is the third-party relationship monitored? – Firms should apply key risk indicators (KRIs) and key control indicators (KCIs) to the third-party relationship to monitor its ongoing health. They should also conduct risk and control self-assessments (RCSAs) at least annually, and again whenever the third party has experienced an incident. Firms should have the contractual right to audit their third parties. Today, best practice is to implement continuous monitoring of the third-party systems and processes that relate to contract fulfilment wherever possible.
- Are regulatory hot buttons given adequate attention? – In particular, senior managers should make sure that key risk areas such as data privacy risk, cyber risk, financial crime, and operational resilience are up to scratch. The FCA also wants firms to make sure that vulnerable customers are well looked after in the event of a business continuity outage.
- How is TPRM managed within GRC? – Governance, risk, and compliance frameworks provide checks and balances for the organization. For example, it should be possible to evidence TPRM management activities to senior managers, compliance team members, internal auditors, and regulators. Strong governance should also ensure that important issues are escalated to the board and that the board is engaged on a regular basis.
- Is reporting right? – Senior managers should receive regular reports on the health of third-party relationships. If the senior manager is directly overseeing the relationship, the manager should have access to dashboards that are continuously updated. Otherwise, senior managers should receive reports with fresh data in a timely fashion.
In short, financial services firms need to focus on the overlap between the SM&CR and third-party risk. It's clear that the FCA is going to ask firms how senior managers are held to account for third-party relationships, in the context of the firm's overall responsibility. Specifically, senior managers who are individually accountable for a third-party relationship should make sure their firm has a strong TPRM program in place to support them in that role.