MiFID (the Markets in Financial Instruments Directive) is intended to promote a single EU market for wholesale and retail
transactions in financial instruments. It is considered one of the most wide-ranging and important pieces of financial services
legislation introduced in Europe over recent years.
For anyone working in the European financial services sector, MiFID has been big news for some time, given the impact that
MiFID will have on the way investment firms conduct business in Europe. But how much focus has your organisation put on the
impact MiFID will have on its outsourcing operations?
In this legal update, we consider the rules imposed by MiFID on regulated firms’ outsourcing and third party contracts and
what these mean for financial services organisations that are increasingly outsourcing more and more of their functions to
third party providers.
In particular, given that MiFID contains no ‘grandfathering’ provisions, affected firms should be aware that they do not have
much time to ensure that their existing contracts comply with MiFID’s requirements, and to re-negotiate or amend them if they
do not, and review and revise all of their standard templates/precedents to ensure that they will be compliant going forward.
What is MiFID?
MiFID (the Markets in Financial Instruments Directive) is a European Union directive intended to promote a single EU market
for wholesale and retail transactions in financial instruments. Once MiFID becomes operative, for the first time there will
be European-wide requirements covering investment advice, operation of multilateral trading facilities and services related
to commodity derivatives.
Member States were required to make all necessary amendments to national legislation and rules in order to comply with MiFID
by 31 January 2007.
MiFID will come into effect on 1 November 2007, when it will replace the existing Investment Services Directive (“ISD”).
Progress around Europe
The UK and Ireland were two of the few member states to meet the 31 January 2007 deadline for introducing MiFID into national
law. Despite the delay, many member states still claim to be on track for implementing MiFID by the November 2007 deadline.
However, it is expected that some financial centres (including Spain and the Netherlands) are unlikely to meet the deadline. Countries
that fail to implement the directive in time may have to pass emergency legislation to avoid legal uncertainty, and may face
legal action from the European Commission, which has previously stated that there will be no exceptions and that it is prepared
to bring enforcement action against member states that do not implement on time.
Who will MiFID affect?
MiFID applies to ‘investment firms’, which are defined as “any legal person whose regular occupation or business is the provision
of one or more investment services to third parties and/or the performance of one or more investment activities on a professional
basis” i.e.:
- investment banks;
- portfolio managers;
- stockbrokers and broker dealers;
- corporate finance firms;
- many futures and options firms; and
- some commodities firms.
In some areas, the position may not be clear-cut. For example, retail banks and building societies will be subject to MiFID
for some parts of their business (e.g., selling securities, or investment products which contain securities, to customers) but not others.
Investment firms are required by MiFID to be authorised by their “home state” (i.e., the state in which they have their registered office). As with the ISD, once a firm is authorised in its home state, it
will be able to use the MiFID passport to establish a branch or provide services on a cross-border basis into any other EEA
Member State. [1]
Impact on Insurers
Although MiFID excludes insurance sales, commentators believe that national regulators may look to extend MiFID’s impact to
insurers. In the UK, the FSA has said that they are considering extending some MiFID standards to non-MiFID firms and business
(including the sales of certain insurance products), and that they will be reviewing their SYSC / organisational requirements
for insurers in 2008 as part of their work on the Solvency 2 Directive.
How does MiFID affect outsourcing?
What is outsourcing in the context of MiFID?
Outsourcing means an arrangement of any form between an investment firm and a service provider by which the service provider
performs a service or an activity which would otherwise be undertaken by the firm itself. Clearly, this is a very broad definition
that catches many third party contracts that firms may not traditionally regard as “outsourcing”.
Wider MiFID Impacts
Of course, MiFID’s scope is much wider than outsourcing. As MiFID involves changes to what activities are regulated, conduct
of business rules, organisational rules and the regulation of markets and securities, MiFID will impact on many different
aspects of a firm’s operations, in particular client categorisation, order execution, best execution, reporting, and disclosure.
Changes will need to be made to documentation, practices, procedures and systems to meet the new requirements.
What specific obligations are imposed in respect of outsourcing?
MiFID requires an investment firm to ensure that, when relying on a third party for the performance of operational functions
which are critical for the provision of continuous and satisfactory service to clients and the performance of investment activities
on a continuous and satisfactory basis, it takes reasonable steps to avoid undue additional operational risk.
The outsourcing of important operational functions may not be undertaken in such a way as to impair materially the quality
of its internal control and the ability of the supervisor to monitor the firm’s compliance with all obligations.
An investment firm must have sound administrative and accounting procedures, internal control mechanisms, effective procedures
for risk assessment, and effective control and safeguard arrangements for compliance with all obligations.
An operational function of an investment firm is considered to be ‘critical’ or ‘important’ if a defect or failure in its
performance would materially impair the continuing compliance of an investment firm with the conditions and obligations attached
to its authorisation, its obligations under MiFID, its financial performance, its soundness, or the continuity of its investment
services and activities.
MiFID goes on to specify the following requirements in respect of critical/important outsourcings.
The investment firm must remain fully responsible for discharging all of its obligations under MiFID i.e.:
- the outsourcing must not result in the delegation of responsibility by senior management;
- the relationship/obligations of the firm towards its clients under MiFID must not be altered;
- the conditions with which the firm must comply in order to be authorised under MiFID must not be undermined; and
- no other conditions attaching to a firm’s authorisation must be removed or modified.
The respective rights and obligations of the firm and service provider must be clearly allocated and set out in a written
agreement.
In addition, firms must exercise due skill, care and diligence when entering into, managing or terminating any outsourcing
arrangement. In particular, a firm must ensure that:
- the service provider has the ability, capacity, and any authorisation required by law to perform the outsourced functions,
services or activities reliably and professionally;
(to demonstrate compliance with this rule, a firm should carry out appropriate due diligence of the service provider and its
operations. A firm should also include appropriate warranties in the outsourcing agreement)
- the service provider carries out the outsourced services effectively, and the firm must establish methods for assessing the
performance standard of the service provider;
(to demonstrate compliance with this rule, the outsourcing contract should include appropriate service levels, and performance
standards, together with reporting requirements, and audit rights)
- the service provider properly supervises the carrying out of the outsourced functions, and adequately manages the risks associated
with the outsourcing;
(to demonstrate compliance with this rule, the outsourcing contract should include appropriate warranties. It should also
include a risk reporting framework to give the firm visibility as to any known and perceived risk/breaches)
- appropriate action is taken if it appears that the service provider may not be carrying out the functions effectively and
in compliance with applicable laws and regulatory requirements;
(to demonstrate compliance with this rule, a firm should insist on appropriate step-in rights and termination rights in the
event of non-compliance with the firm’s service requirements/service levels/performance standards and/or any breach of law/regulation.
The outsourcing contract should also include appropriate audit provisions, for both the firm and any applicable regulators)
- the firm retains the necessary expertise to supervise the outsourced functions effectively and manage the risks associated
with the outsourcing;
(to demonstrate compliance with this rule, the outsourcing agreement should include appropriate reporting, governance and
contract management mechanisms. In addition, in respect of each outsourcing arrangement, a firm should put in place a contract
management team with sufficient resources, and the right experience and expertise, to properly supervise and manage the outsourcing
arrangement)
- the service provider discloses to the firm any development that may have an impact on its ability to carry out the outsourced
functions effectively and in compliance with applicable laws and regulatory requirements;
(to demonstrate compliance with this rule, any such impacts/risks should be investigated during the due diligence process.
In addition, as mentioned above, the outsourcing agreement should include appropriate risk reporting mechanisms)
- the firm is able to terminate the outsourcing arrangement where necessary without detriment to the continuity and quality
of its provision of services to clients;
(to demonstrate compliance with this rule, the outsourcing agreement should include termination rights for the firm, together
with appropriate exit management provisions to ensure that the transition on termination or expiry of the services to a replacement
service provider, or back in-house to the firm, goes smoothly and without adverse impact on the firm’s customers)
- the service provider cooperates with the competent authorities in connection with the outsourced activities;
(to demonstrate compliance with this rule, the outsourcing agreement should include appropriate audit rights for the firm
and any appropriate regulators)
- the firm, its auditors and the relevant competent authorities have effective access to data relating to the outsourced activities,
as well as to the service provider’s premises, and competent authorities must be able to exercise those rights of access;
(to demonstrate compliance with this rule, the outsourcing agreement should include appropriate audit rights for the firm
and any appropriate regulators (including rights of access to records, premises, and personnel). Such audit rights should include a right of access without notice in certain circumstances, for example, in the event of legal/regulatory
breach, fraud, etc)
- the service provider protects any confidential information belonging to the firm or relating to its clients; and
(to demonstrate compliance with this rule, the outsourcing agreement should include appropriate confidentiality and data protection
provisions, together with appropriate security requirements)
- where applicable, the firm and the service provider establish, implement and maintain a contingency plan for disaster recovery
and periodic testing of backup facilities.
(to demonstrate compliance with this rule, the outsourcing agreement should include appropriate business continuity and disaster
recovery provisions)
Firms must make available on request to the competent authorities all information necessary to enable the authorities to supervise
the compliance of the outsourced activities.
Where the firm and the service provider are members of the same group the firm may take into account the extent to which the
firm controls the service provider or has the ability to influence its actions.
MiFID also imposes certain obligations in respect of the outsourcing of portfolio management to service providers outside
the EU.
So, what do you need to do?
For firms that follow good outsourcing practice, or are used to following regulatory guidance on outsourcing (such as the
guidance previously promulgated by the UK Financial Services Authority), the actual impact of the new rules on their outsourcing
operations may not be too great. However, firms that are used to other member states' requirements (or that have not applied
the same standards across Europe) may have more work to do.
In any case, as MiFID contains no grandfathering provisions, and November 2007 is fast approaching, affected firms with operations
in Europe should:
- review all outsourcing and third party supply contracts that touch on European operations to determine whether they are critical
or important to the firm’s operations;
- in relation to contracts that are critical or important, determine whether they meet the MiFID requirements;
- if they do not meet the MiFID requirements, re-negotiate or amend the contract terms to ensure they comply with the new rules;
and
- in any event, review and revise the terms of their template/precedent outsourcing contracts to ensure that they are compliant.
Footnotes:
[1] The EEA is made up of the 27 EU Member States and the three EEA EFTA States (Iceland, Liechtenstein, and Norway). The EEA
forms an internal market governed by the same basic rules.