Client Alert

Outsourcing - How to Comply with MiFID

1/7/2008

The Markets in Financial Instruments Directive (MiFID)[1] is considered to be one of the most important and wide-ranging pieces of EU financial services legislation in recent years and it is a major part of the EU’s Financial Services Action Plan (FSAP) - which seeks to promote a single EU market for wholesale and retail transactions in financial instruments. Not only will MiFID have a big impact on how investment firms carry out their business in Europe, it will also impact how they deal with their outsourcing arrangements.

MiFID was originally adopted at an EU level in April 2004 by the European Commission. MiFID was implemented into UK legislation through amendments to the Financial Services and Markets Act 2000 and the regulations under it, along with changes made by the Financial Services Authority (FSA) to the rules and guidance in the FSA Handbook. MiFID came into force in the UK on 1 November 2007 and it replaces the existing Investment Services Directive.[3]

This article concentrates on MiFID from an outsourcing perspective and explains the practical steps that an affected investment firm can take to achieve compliance.

Outsourcing

What is Outsourcing?
In terms of compliance with MiFID, the first practical step a firm needs to take is to establish if it is carrying out any outsourcing activities. MiFID describes outsourcing as, “an arrangement of any form between a firm and a service provider by which the service provider performs a process, a service or an activity which would otherwise be undertaken by the firm itself.”[4] This definition is very broad and firms will therefore need to bear this in mind when reviewing third party supply contracts which, in the past, firms may not have traditionally viewed as outsourcing contracts. In addition, due to the subjective nature of the definition (i.e., “which would otherwise be undertaken by the firm itself”), firms will need to exercise their judgment in borderline cases to determine whether the particular arrangement constitutes outsourcing – because what one firm may do itself may not necessarily be the same as another.

MiFID Applies to Investment Firms

MiFID applies to “any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis.”[2] This includes:

  • Investment banks;
  • Portfolio managers;
  • Stockbrokers and broker dealers;
  • Corporate finance firms;
  • Many futures and options firms; and
  • Some commodities firms.

In some areas, the position may not be clear-cut. For example, retail banks and building societies will be subject to MiFID for some parts of their business (e.g., selling securities, or investment products which contain securities, to customers) but not others.

Outsourcing Critical or Important Functions
Many of the rules and guidance under MiFID only apply when critical or important functions are outsourced by the relevant firm. Under MiFID, an operational function is regarded as critical or important if a defect or failure in its performance would materially impair a firm’s compliance obligations, its financial performance, or the soundness or the continuity of its relevant services and activities.[5] However, there are express exceptions to this rule; for example, outsourcing advisory services, training firm’s personnel, billing services, and security of the firm’s premises and personnel will not be regarded as critical or important.

Firms should note that whether a service or function is critical or important is impacted by how robust the outsourcing structure is from an operational perspective. For example, if a firm decides to outsource its execution services to four different service providers, then failure by one would not impact the other three, and therefore, this is unlikely to be seen as critical or important. However, if the execution services were only awarded to a single service provider and a failure occurs, such an outsourcing would almost certainly fall within the critical or important category because of the impact to the service and the clients.

As critical or important functions will vary from firm to firm, firms should adopt a best practices approach and treat all activities that they intend to outsource in the same way from an operational perspective, including applying the same standards and processes as if they were critical or important functions. This approach is in line with SYSC 8.1.3 G of the FSA Handbook which states that even if non critical or important functions are outsourced, firms must take account of the “rules” in a manner that is proportionate given the scale and complexity of the outsourcing.

Notifying the FSA

SYSC 8.1.12 G states that a firm should notify the FSA when it intends to rely on a third party for the performance of operational functions which are critical or important for the performance of relevant services and activities on a continuous and satisfactory basis.

MiFID – Outsourcing Compliance

General
In the UK, the FSA has incorporated MiFID into its FSA Handbook. The main rules and guidance for outsourcing are set out in SYSC 8. However, firms must also remember to comply with the general organisational requirements in the FSA Handbook. For example, under SYSC 4.1.1R a firm must have:

  • Robust governance arrangements in place;
  • Clear organisational structure;
  • Defined, transparent and consistent lines of responsibility;
  • Effective processes to identify, manage, monitor and report the risks to which it is or might be exposed;
  • Internal control mechanisms;
  • Sound administrative and accounting procedures; and
  • Effective control and safeguard arrangements for information processing systems.

In addition, SYSC 3.2.4 G makes it clear that the internal delegation rules that apply to firms generally also apply to firms in respect of outsourcing arrangements. Accordingly, as a matter of best practice, a firm that outsources its services should ensure that, even though the service is being provided by a third party from an operational perspective, the firm still has the same level of transparency and control over the services as if they were still being provided internally by the firm. For example, if the management team of a firm received certain monthly service level reports when the service was provided internally, then when outsourced, the management team should still receive the same monthly reports from the service provider – and possibly with even more detail as part of obtaining an improved service offering via the outsourcing.

Avoid Undue Operational Risk

If a firm is outsourcing operational functions which are critical for the performance of regulated, listed or ancillary activities (as described in detail in the FSA Handbook), the firm must ensure it takes reasonable steps to avoid undue additional operational risk.[6] In addition, MiFID states that the outsourcing of important operational functions must not impair materially the quality of the firm’s internal control or the FSA’s ability to monitor the firm’s compliance obligations.

On a practical note, firms should be aware that although these rules may appear to be high-level statements, they are in effect, supplemented and further developed in detail by many of the other MiFID rules and guidance that have been incorporated into the FSA Handbook. Therefore, firms will need to review all the MiFID rules in the round to ensure they are meeting the necessary compliance requirements under MiFID. The other practical impact of these high-level statements is that firms will need to be careful about how they set up their governance arrangements operationally (including contractually) because it is essentially a firm’s governance regime that helps it to control its operational risks.


MiFID Applies to Existing Contracts
 

Affected firms should note that the outsourcing requirements of MiFID apply to all existing and future contracts from the date of implementation of MiFID (i.e., 1 November for the UK).
 

Therefore, in addition to taking all the appropriate steps for new outsourcing arrangements, firms will need to review their existing outsourcing arrangements to ensure they are compliant from a MiFID perspective – which may mean re-negotiating certain provisions in order to achieve compliance.

Responsible for Discharging Obligations
If any critical or important operational functions or any relevant services and activities are being outsourced, the firm remains fully responsible for discharging all of its obligations, [7] including:

  • No delegation of senior personnel’s responsibility;
  • The relationship/obligations of the firm to clients under the regulations must not be altered;
  • The firm’s authorisation conditions must not be undermined; and
  • Other conditions subject to which the firm’s authorisation was granted must not be removed or modified.

The impact of this rule is that firms cannot outsource a whole end-to-end process in an attempt to “wash their hands” of their regulatory compliance responsibilities. The rule makes it clear that MiFID compliance is solely the responsibility of the affected firms – it does not directly apply to the service providers and firms cannot contract out of or divest themselves of such responsibility. This means that firms will need to be careful in the way that they draft their outsourcing arrangements to ensure that they do not set up an outsourcing arrangement which falls foul of this rule.

Skill, Care and Due Diligence
Firms must exercise due skill and care and diligence when entering into, managing or terminating any outsourcing arrangement.[8] The FSA views outsourcing transactions as being made up of a number of phases – (1) due diligence phase; (2) negotiating phase (pre signature); (3) operational phase (post signature); and (4) termination phase. What the FSA wants to see firms doing in terms of MiFID compliance is to have the appropriate individuals in place (with the appropriate experience, skills and decision making abilities) at each of these outsourcing phases. This is something firms can achieve by carrying out due diligence at each phase of the transaction, project managing the outsourcing appropriately so that the right people are in place for each phase (including the negotiation team during contract set up phase), monitoring the performance and efficiency of SP post signature, and dealing with termination and expiry with the appropriate involvement from the firm’s management.

Taking the Necessary Steps

SYSC 8.1.8 R is one of the key rules for outsourcing in the FSA Handbook – it sets out the various necessary steps which the firms must take, as follows:

(1) Ability, Capacity and Authorisation: “The service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally.” 

In practice, firms can comply with this rule by carrying out a mix of due diligence activities, including for example, seeking evidence of the service provider’s financial standing, checking references, performing site visits, obtaining warranties and setting out appropriate financial representations in the contract. Firms should also ensure the service provider is under a contractual duty to provide all the relevant licences and consents required to perform the relevant services in accordance with the outsourcing contract.

(2) Effective Performance: “The service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider.”

To comply with this rule, firms should ensure that the outsourcing contract provides for ways to monitor the performance of the service provider, including agreeing to quantitative and qualitative service level measures and requiring the service provider to attend regular SLA meetings with the firm. The outsourcing contract should also set out reporting obligations and rights to independent reviews and audits of the service provider’s performance.

(3) Supervision and Risk Management: “The service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing.”

To demonstrate compliance with this rule, firms should ensure that the service provider is under an obligation to have in place relevant and adequate systems and experienced people who are appropriately trained to ensure the risks are managed. Firms should aim to put in place a risk reporting framework which gives the firm the transparency it requires to be able to monitor and track and perceive risks or breaches by the service provider.

(4) Ability to take appropriate action for non compliance: “Appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements.”

On a practical note, the only way for a firm to ensure it is in the best position to be able to comply with this rule is to ensure it has the necessary rights and flexibility in the outsourcing contract in the first place. In addition to firms having the traditional rights of termination for the service provider’s contractual default, firms should consider negotiating flexibility provisions which would allow the firm to manage risk and take appropriate action in other ways. For example, firms should seek rights to step-in so that the firm can take back the service or allow a different third party provider to do so if the service provider is failing to deal with the risks or is performing poorly under the contract. The outsourcing contract should also contain the necessary service levels and other performance measures, reporting and audit requirements of the firm to enable it to monitor the risk profile on an on-going basis throughout the outsourcing period.

(5) Supervisory and Management Expertise: “The firm must retain the necessary expertise to supervise the outsourced functions effectively and manage the risks associated with the outsourcing and must manage those risks and must supervise those functions and manage those risks.”

The key point about this rule is that it states that the firm must supervise and manage. Accordingly, the key to complying with this rule lies in the firms approach to the governance mechanisms it puts in place for the outsourcing arrangement. To support the governance mechanisms, firms must put in place a contract management team with sufficient resources and the right mix of experience, expertise and skill to properly supervise and manage the outsourcing arrangements. At the time of negotiating the outsourcing contract, firms should put their efforts into identifying the most suitable governance model for the planned outsourcing and insist upon, and contractually lock-down, the service provider’s corresponding governance model so that it will link into and align with the firms overall governance approach.

(6) Material Disclosures: “The service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements.”

Firms will be able to comply with this rule by putting in place detailed and appropriate reporting obligations (including for example, operating a risk register) on the service provider and ensuring that effective and relevant incident and problem management processes are in place. Appropriate escalation and dispute resolution procedures should also be captured in the outsourcing contract.

(7) Termination: “The firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients.”

This is a very interesting rule because it is not yet clear what necessary means in this context, i.e., does it mean that firms should always insist upon a right to terminate for convenience (which could give rise to a negative impact on the cost of the deal)? This issue aside, firms should seek to limit the service provider’s right to terminate and ensure there are clear and lengthy termination notice periods. An exit strategy should be formulated and set out in the outsourcing contract – this should detail the termination assistance and smooth hand over required by the firm in the event of a termination or expiry of the outsourcing contract. The exit strategy and the terms of the contract should cover transfer of knowledge, return of information, data and systems to the firm and it should spell out the rules relating to ownership of intellectual property rights on the termination or expiry of the outsourcing contract. Firms should also seek to negotiate a right to receive assistance from the service provider in relation to transitioning to a successor supplier.

(8) Co-operate with the Regulators: “The service provider must co-operate with the FSA and any other relevant competent authority in connection with the outsourced activities.”

To achieve compliance with this rule, the outsourcing contract will need to contain the appropriate cooperation and audit right provisions for the firm and any appropriate regulators. The firm should ensure such rights flow down to any subcontractors or other third parties engaged by the prime service provider who assist it fulfil its obligations under the outsourcing contract.

(9) Ability of the regulator to exercise its rights: “The firm, its auditors, the FSA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FSA and any other relevant competent authority must be able to exercise those rights of access.”

As part of the obligations negotiated under the previous rule above, firms need to ensure the obligations cover rights to audit books, records, and reports, and rights to access the relevant personnel and premises, as required (including without having to give notice in certain circumstances, for example, fraud). Firms should seek to negotiate third party rights for the regulators in this regard so they can enforce these rights directly themselves.

By complying with the rule above, the firm is also effectively complying with SYSC 8.1.11R (which is not part of this rule, but covers similar ground). The rule requires firms to make available on request to the FSA and other relevant authorities, all information necessary to enable them to supervise the compliance of the performance of the outsourced activities.

(10) Protecting Confidential Information: “The service provider must protect any confidential information relating to the firm and its clients.”

Most firms will already have complied with this rule by putting in place a non-disclosure agreement or incorporating the necessary confidentiality provisions in the outsourcing contract. Either way, the provisions need to, for example, specify how information is designated as confidential information; set the duration of the confidentiality period; identify the rules relating to who can use the confidential information; set out the restrictions on access by subcontractors; and specify how and when confidential information is to be returned to the firm. These provisions will need to align with the security requirements and any relevant data protection provisions which must also be covered by the contract.

(11) Disaster Recovery: “The firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.”

The firm can achieve compliance with this rule by putting in place the necessary business continuity and disaster recovery measure it needs. The contract should cover how the contingency plan is implemented, tested and inspected. Any emergency procedures should be agreed and captured in the contract, including how the service, data and materials can be quickly transferred to another location or service provider.


Written Outsourcing Contract

SYSC 8.1.9R requires a firm to ensure that the respective rights and obligations of the firm and service provider are clearly allocated and set out in a written agreement. A basic contract on its own would not be sufficient to demonstrate compliance under this rule. The contract must clearly define the roles and responsibilities of firm and the service provider and the overall contract must be appropriate to risks and complexity of the outsourcing. The contract should contain the appropriate flow-down provisions to subcontractors so that the prime contract is not undermined. The contract should cover the appropriate guarantees; liability for poor performance; indemnities; etc.

Group Members
Under the new MiFID regime, there is a special outsourcing rule that comes into play for intra-group outsourcing. If a firm and service provider are members of the same group, the firm may, for the purpose of complying with the outsourcing rules, take into account the extent to which the firm controls the service provider or has the ability to influence its actions.[9] The practical impact of this rule for a firm is that it can take into account its ability to influence the service provider. Therefore, a firm will have more flexibility as to the level of detail it needs to set out in an outsourcing contract with one of its group companies than the full “belt and braces” approach that would need to be followed if the outsourcing contract is with a third party service provider outside of the group.

Summary & Recommendations

The existing high level standards of the old FSA regime are supplemented by the more specific and detailed MiFID rules. Firms will need to review their outsourcing practices and approaches because the scope of MiFID is wider than under the old regime and it will apply to contracts that firms may not traditionally view as outsourcing contracts.

Accordingly, as part of such a review, firms should focus on their existing and planned third party supply contracts. If they are critical or important contracts, firms will need to comply with MiFID and as highlighted above, even if they are not critical or important, firms must take account of the “rules” in a manner that is proportionate. For existing outsourcing arrangements, firms need to check if their service providers are likely to put them in breach of the new rules, and if this is the case or any non-compliance is revealed, firms will need to re-negotiate and amend their existing outsourcing contracts.

As a matter of best practice, firms should review their internal management structures and systems and change them if necessary. They should also check and update their template outsourcing contracts. Firms should identify if there are any operational risks and address them in their internal risk management policies, manuals, guidance notes and procedures. Firms should also consider whether any training is necessary for their management and contract teams.

Some firms have a lot of work to do to achieve compliance with MiFID but given that almost all the activities required for compliance are within their control, firms will have little or no excuses if the regulator comes knocking on their doors. The good news for firms who already have “best practice” operations, governance and reporting processes in place is that they will already be well on the road towards MiFID compliance for their outsourcing arrangements.


Footnotes:

1. Markets in Financial Instruments Directive (2004/39/EC).

2. Article 4 of MiFID.

3. Investment Services Directive (93/22/EEC).

4. Article 2(6) of Commission Directive 2006/73/EC (the MiFID Implementing Directive).

5. SYSC 8.1.4R.

6. SYSC 8.1.1R.

7. SYSC 8.1.6R.

8. SYSC 8.1.7R.

9. SYSC 8.1.10.

Close

Feedback

Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.