Many of the outsourcing requirements of MiFID only apply when critical or important functions are outsourced by the relevant firm. An operational function is regarded as critical or important if a defect or failure in its performance would materially impair compliance obligations, financial performance, or the soundness or the continuity of relevant services and activities (although the handbook contains some general exceptions to this rule). Even if non-critical or important functions are outsourced, firms must take account of the ‘rules’ in a manner proportionate given the scale and complexity of the outsourcing.
Firms are required to notify the FSA when they intend to outsource the performance of operational functions that are critical or important, and to ensure the respective rights and obligations of firm and service provider are clearly allocated and set out in a written agreement. Accordingly, the contract must clearly define the roles and responsibilities of firm and service provider, and the overall contract must be appropriate to the risks and complexity associated with the specific outsourcing transaction.
If a firm is outsourcing operational functions critical for the performance of regulated, listed or ancillary activities, the firm must take reasonable steps to avoid undue additional operational risk. The outsourcing of important operational functions must not impair the quality of the firm’s internal control or the FSA’s ability to monitor compliance obligations. Strong, focused and appropriate governance processes will assist firms to meet this requirement.
If any critical or important operational functions or any relevant services and activities are being outsourced, the firm remains responsible for discharging all of its obligations. This means firms cannot seek to contract out of or divest themselves of such responsibility.
Firms must exercise due skill, care and diligence when entering into, managing or terminating any outsourcing arrangement. The handbook requires firms to have appropriate individuals in place at each phase of the outsourcing. Firms can easily achieve this in practice by carrying out due diligence at each phase of outsourcing, and project managing it appropriately.
The FSA Handbook contains many of the key rules for outsourcing. It sets out the various necessary steps firms must take, as follows:
“The service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally.”
Firms can comply with this rule by carrying out adequate due diligence on the service provider and seeking appropriate warranties in the outsourcing contract.
“The service provider must carry out outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider.”
Firms should ensure that the outsourcing contract provides for ways to monitor, report and audit the performance of the service provider.
“The service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing.”
Firms should ensure the service provider puts in place adequate systems and experienced people who are appropriately trained.
“Appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements.”
Firms should ensure there is as much flexibility in the contract as possible in terms of the rights and remedies.
“The firm must retain the necessary expertise to supervise the outsourced functions effectively and manage the risks associated with the outsourcing and must manage those risks and must supervise those functions and manage those risks.”
At the contract negotiation stage, firms need to focus on setting up an appropriate governance mechanism for the outsourcing arrangement and putting their own contract management team in place – with the right mix of experience and sufficient resources to enable the firm’s team to manage the outsourcing contract.
“The service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements.”
Firms will be able to comply with this rule by using appropriate reporting and problem management systems in their outsourcing arrangements.
“The firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients.”
Firms should seek wide rights to terminate the outsourcing contract but limit the service provider’s right to terminate as much as possible. Firms should ensure there are clear and lengthy termination notice periods. An exit and knowledge transfer strategy should be formulated and set out in the contract.
“The service provider must co-operate with the FSA and any other relevant competent authority in connection with the outsourced activities.”
The outsourcing contract will need to contain the appropriate co-operation and audit right provisions for the firm and appropriate regulators.
“The firm, its auditors, the FSA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FSA and any other relevant competent authority must be able to exercise those rights of access.”
Firms will need to ensure the contract obligations on the service provider cover rights to audit books, records, and reports, and rights to access the relevant personnel and premises, as required. Firms should seek to negotiate third-party rights for the regulators so they can enforce these rights directly.
“The service provider must protect any confidential information relating to the firm and its clients.”
Firms will need to ensure they incorporate the necessary confidentiality, security and data protection provisions in the outsourcing contract.
“The firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities having regard to the function, service or activity that has been outsourced.”
Firms can achieve compliance with this rule by putting in place appropriate business continuity and disaster recovery measures.
There is a special rule that applies if a firm is outsourcing to a member of its own group. The rule gives such a firm more flexibility as to the level of detail it needs to set out in an outsourcing contract with one of its group companies than the full ‘belt and braces’ approach that would need to be followed if the outsourcing contract is with a third party service provider outside of the group.
The rule allows the firm to take into account the extent to which the firm controls the service provider or has the ability to influence its action.
The scope of MiFID is wider than under the old FSA regime. Accordingly, firms will need to review their outsourcing practices and approaches in detail (including contracts that existed prior to 1 November 2007 because MiFID applies retrospectively). If the outsourcing involves critical or important contracts, firms will need to comply with MiFID but even if they are not critical or important, firms must take account of the ‘rules’ in a manner that is proportionate.
MiFID does not just apply to provisions that must be included in the outsourcing contract; it also applies to internal management structures and systems, and firms will have to change them if necessary to achieve compliance. Firms should identify if there are any operational risks and address them in their internal risk management policies, manuals, guidance notes and procedures. Firms should also consider whether any training is necessary for their management and contract teams.