The Financial Conduct Authority (FCA) issued a guidance paper on 7 July 2014, highlighting the essential factors that firms need to consider when using third parties to provide critical IT systems and technology services. It is essential that all regulated firms carefully assess how they procure, manage and maintain a suitable level of oversight of all key IT third parties in order to meet the FCA’s requirements. Although the paper specifically refers to outsourced IT solutions in the banking sector, the principles should be considered for any critical outsourced IT services including third party IT services, cloud applications and third party hosted infrastructure within the broader financial services sector.
The FCA paper provides guidance on the key operational, security, and governance factors that it expects firms to have considered in the selection and ongoing monitoring of third party IT service providers, from initial risk assessment and procurement processes through to oversight and operational monitoring requirements. Senior management should ensure that each of these areas is adequately addressed. The FCA is at pains to point out that the guidance does not replace the broader IT matters against which it assesses firms. Firms that do not follow the guidance but later have a problem will be hard pressed to justify their actions, and this may be taken into account in determining any penalties and sanctions applied.
A common issue is that the procurement of third party IT services frequently only addresses legal and contractual issues without the full involvement of internal audit, security and risk teams. The level of documentation is often of poor quality, making it hard for senior management to demonstrate due consideration of all key issues in a clearly documented and approved business case. In addition, management is often only able to evidence a very limited governance framework to regulators or auditors who are interested in whether firms’ third party oversight and assurance processes are operationally effective. Having a clear understanding of responsibilities between your organisation and third party service providers is critical – the FCA emphasises that firms cannot delegate their responsibilities to third parties and that it will hold firms accountable for the integrity, resilience and reliability of their own systems (whether supplied or managed by third parties or not).
Moore Stephens has extensive experience of helping firms address their FCA IT compliance risks. If you would like to talk to us further, please contact us. The full guidance from the FCA can be found here.
Contacts: Simon Gallagher, Kelly Sheppard