What does the guidance cover?
The guidance builds on the FCA’s existing approach. The FCA defines outsourcing as a third party delivering services on behalf of regulated firms, and the term 'cloud' includes different IT services supplied over the Internet. The benefits of outsourcing include cost efficiency, flexibility and increased security. However, there are also associated risks, such as the customer's lack of control over the supplier and over where the data is being stored. The FCA provides guidance on how to monitor and mitigate these risks.
The guidance is not binding but aims to help firms and service providers find ways in which they can comply with the relevant rules.
The guidance affects firms that are currently outsourcing to the cloud and other third party IT services or those that are thinking of doing so.
Legal and regulatory considerations – the FCA states that a firm should have a “clear and documented business case or rationale” to support the outsourcing of critical or important operational functions. A firm should also ensure that the service is suitable for the firm, taking into account relevant legal or regulatory obligations, as well as ensuring that by entering into an outsourcing agreement it does not worsen the firm's operational risk.
In addition, firms must maintain accurate records of contracts, and consider the effect of contractual governing law and jurisdiction as well as any additional legal or regulatory obligations on its arrangements with the cloud provider. A firm should also identify all the service providers in the supply chain and ensure that the requirements on the firm can be complied with throughout that chain.
Risk Management – in order to manage any risks arising in an outsourcing agreement, firms should carry out a risk assessment to identify risks and any steps that can be taken to mitigate such risks. The risk assessment should include identifying current industry good practice and reviewing whether legal and regulatory risks differ due to customers, firms and employees being in different geographic or jurisdictional locations. Firms should also assess the overall operational risks and ensure that the contracts provide for the remediation of breaches and other adverse events.
International standards – firms may also wish to assess the provider’s adherence to international standards. For example, does the provider comply with well-understood standards (e.g. the ISO 27000 series)? Is part of the service being assessed relatively stable? Is the service uniform across the customer base?
Oversight of service provider – firms should be aware that they will retain full accountability for discharging all their responsibilities under the regulatory service and cannot delegate responsibility to the service provider. Therefore, before outsourcing, a firm should be clear about the service being provided and how responsibility and accountability between the firm and its service provider are allocated. Staff should have the skills, competency and resources to oversee, monitor and mitigate any risks, as well as being able to properly manage an exit or transfer from an existing service provider.
Data security – firms should conduct a data security assessment of the service provider which would include agreeing a data residency policy with the provider, setting out the jurisdictions in which the firm's data can be stored, processed and managed. This policy should be reviewed periodically. The data security assessment would also help to understand the provider’s data loss and breach notification process and ensure they are aligned with the firm’s risk appetite and legal or regulatory obligations. Firms should also consider how the data will be segregated, transmitted, stored and encrypted as necessary.
Data Protection Act (DPA) 1998 – a firm should comply with each of the 8 principles of the DPA, as well as the guidance provided by the ICO on cloud computing (PDF).
Effective access to data and business premises – a firm should have effective access to data and the business premises of the service provider in order to successfully conduct its monitoring. 'Business premises' is a broad term, but the guidance states that this does not necessarily include data centres. Further to this, a firm should ensure that notifications on accessing data are reasonable and not restrictive. The firm should also ensure that there are no restrictions on the number of requests the firm, its auditor or the regulator can make to access or retrieve data. When a firm is seeking to access business premises, it should provide reasonable prior notice and may ask its auditor to undertake the visit. The regulator should also have access to the premises but only if it is necessary. Firms should also ensure that data is not stored in jurisdictions that may hinder access to data for UK regulators.
Relationships between service providers – if the firm does not directly contract with the outsource provider, the firm still needs to ensure that it continues to comply with regulatory requirements. A firm should therefore review its subcontracting arrangements, consider security requirements and ensure that it will still have effective access to data and business premises. The firm should also consider how service providers work together - will the firm or one service provider take the lead systems integration role? A firm should assess how easily a service provider's service will interface with a firm's internal systems or other third-party systems.
Change management – risks can be introduced when changes are made to processes and procedures. A firm should therefore look to establish what provisions can be made for making future changes to technology
Continuity and business planning – where there is an unforeseen interruption of the outsourced services, a firm should consider the impact of the unexpected disruption to the continuity of its operations. A firm could also document its strategy for maintaining continuity of operations and regularly update and test arrangements to ensure their effectiveness. It would also be wise to put in place arrangements to ensure the regulator has access to data in the event of unexpected disruption.
Exit plan – an effective outsourcing plan will minimise disruption of services whilst still complying with regulations. A firm should be aware of how it would transition to another provider whilst maintaining business continuity. An exit plan and termination agreement would document how the firm would remove data from the system, monitor concentration risks and what action would be taken if the outsource provider failed.
In summary, the guidance is a step in the right direction in aiming to help regulated firms adopt the cloud in a safe and compliant way. The guidance also provides a useful standard on which regulated firms can base their discussions with a potential cloud provider. For example, the cloud provider will be aware of what restrictions it can put in place when there is an audit, as well as the access requirements of regulators. Cloud providers will also be aware of the compliance requirements imposed on their FCA regulated customers, and will therefore be able to consider how they can facilitate compliance.
FCA activity shows no sign of slowing down as the regulator revealed its Business Plan for 2023/24.
Building upon the FCA's three-year strategy, the 2023/24 Business Plan represents the 'sophomore' business plan outlining how the overall strategy will be delivered. It sets out the regulator's response to a number of current challenges including the uncertainties arising out of high interest rates, inflation, unemployment, declines in incomes and market volatility.
The Business Plan for this year has been slightly re-structured to more closely align with the strategic themes and outlines a total of 13 regulatory commitments across three focus areas, which are:
The 13 commitments under the 2023/24 Business Plan are set out below, with the first four commitments being of the greatest priority:
This article provides a brief summary on some key takeaways from the regulator's Business Plan for the year to come.
Predictably, the FCA said it remains strongly focused on the Consumer Duty, which is due to come into force on 31 July 2023, specifically for those with live products and services. The regulator has stressed that increased consumer protection and the Consumer Duty will represent a significant shift for regulated firms. The Duty imposes more stringent standards for consumer protection and will become an integral part of the regulator's approach and mindset in years to come.
The FCA will invest £5.3 million to ensure the Consumer Duty is successfully embedded and intends to steadily increase its headcount to accompany the transition. Key information was provided about the metrics and KPIs that will be used from sources such as levels and root causes of Financial Ombudsman Service (FOS) complaints, to form a view as to whether firms are meeting the requirements under the Consumer Duty in the two outcomes relating to Consumer Understanding and Consumer Support.
The FCA is also focused on improving the redress framework and is developing proposals to improve complaints reporting. The regulator will be consulting on guidance for firms regarding redress calculations and is currently consulting on access to the FOS for small and medium enterprises that may have insufficient resources to resolve disputes through the legal system.
The FCA is set to continue with its action to tighten supervision in the principal/AR space. The Business Plan confirms that there will be further engagement and scrutiny in this area from a regulatory perspective. The FCA criticised Principals for not adequately overseeing their ARs' activities, thereby putting consumers at an increased risk of being misled. Principals will have to become familiar with the FCA's new rules and guidance to ensure compliance and minimise the risks associated with their ARs' possible mis-selling to consumers. Reporting for principal firms under the new rules becomes fully effective later this year.
Consistent with the previous year, the FCA has stated its intention to further its work in the prevention of regulated firms being used to facilitate financial crime, and it is developing metrics in this area to test the effectiveness of its strategy.
Further, the FCA continues to actively target entities who become involved in Market Abuse practices to tackle the detrimental effect these have on market confidence and participation.
The regulator is pinning its strategy on better education for its regulated entities to foster prevention and compliance. In parallel, the regulator is working to improve its detection and prosecution capabilities to detect market manipulation and abuse through increased data capture, improved analytics and a dedicated "equity manipulation team".
Persons Discharging Management Responsibility (PDMR) will also be expected to provide additional transparency and engagement in respect of detecting potential insider dealing.
The FCA is building a regulatory framework to support its ambition to foster a UK net-zero financial centre. The regulator intends to tighten its grip on misleading marketing and disclosure around ESG-related products and "greenwashing" to protect consumers and promote trust in the market for ESG investment products.
The FCA will further collaborate with key stakeholders in the ESG sphere through its ESG Advisory Committee to the Board, which it established in December 2022, to execute its ESG responsibilities. The regulator will also finalise and publish its rules on Sustainability Disclosure Requirements and investment labels.
The FCA will increasingly rely on Data and Technology-led regulation programmes this year to improve their intelligence capabilities through automation of analytics tooling, detection of crime and faster responses to consumer harms. The regulator has also invested in cyber security and operational resilience to improve efficiency of its staff and regulated firms.
We can expect that the FCA will continue to promote innovation and that reporting expected by firms will become more sophisticated, to improve their existing detection capabilities and promote speed and efficiency of supervision and intervention.
Finally, the FCA expects to invest £12.7 million in 2023/24 to support its "Preparing financial services for the future" strategic commitment. This forms part of the post-Brexit Future Regulatory Framework (FRF), which will transfer even more responsibilities to the FCA and will reinforce accountability, scrutiny and transparency for regulated entities.
The Business Plan has pledged to further work that has been ongoing for a number of years in respect of the Financial Promotions Gateway, ensuring the ongoing resilience of firms from both a financial and operational perspective, and sets out how it will continue to share intelligence with other agencies to advance its operational objectives. Closer scrutiny of how firms meet the Threshold Conditions was also widely restated across the business plan, with the FCA planning to challenge firms at each stage of their lifecycle, starting from new firm authorisations.
The FCA's activity is showing no signs of slowdown. To the contrary, during 2022 the FCA issued over 1,800 warnings about potential scam firms, which is 400 more warnings than the previous year. The regulator's headcount has also grown from 3,800 in early 2022 to almost 4,500 at the end of March 2023. Numbers are expected to grow again for the years 2023/24. DWF have a depth of expert insight on regulatory matters across a range of regulatory topics and would be pleased to discuss with you what the business plan means for your firm and how it should be integrated into your business and compliance strategy this year.
Operational resilience: the FCA's review of business continuity planning
The FCA has published its findings from a recent review of business continuity planning (BCP) among small and medium-sized retail banks, payments institutions and electronic money institutions.
Although the findings suggest that many firms have taken meaningful steps to build operational resilience into their systems and processes, the FCA also identifies a number of areas for improvement. It encourages firms proactively to review, test and revise their arrangements ahead of further supervisory work to be conducted later this year, in particular with respect to scenario testing, incident response planning, training and management oversight.
The importance of this topic is underscored by the fact that the PRA currently has a number of enforcement cases underway against senior managers at UK financial institutions for IT failures, a point confirmed last week by Lyndon Nelson, executive director for regulatory operations and supervisory risk specialists at the PRA, in evidence to the Treasury Select Committee.
The FCA's review follows on from the publication of the joint FCA and PRA discussion paper "Building the UK financial sector's operational resilience" in July 2018 (the Joint Discussion Paper) and also covers ground which overlaps to some degree with recent FCA publications on the related issue of cyber security and resilience – see, for example, the "Cyber and Technology Resilience: Themes from cross-sector survey 2017/18" paper of November 2018 (the Cyber Resilience Paper) and the "Cyber security – industry insights" document of March 2019.
The continuing regulatory focus on this area is borne out further by the emphasis on operational resilience as a cross-sector priority in the FCA's recently published Business Plan for 2019/20 and the Final Notice issued jointly by the PRA and FCA to Raphaels Bank on 30 May 2019 for failing properly to manage outsourcing arrangements between April 2014 and December 2016 (see our earlier article here).
In undertaking its review, the FCA found that most firms have demonstrated a good understanding of BCP, but noted that there are "some important areas where improvements could be made".
The FCA assessed firms' approaches to four particular aspects of BCP:
With respect to planning, the FCA found that most firms had a clearly documented BCP strategy with an appropriately defined risk appetite, and that they used governance forums for approval, challenge and maintenance of policies, plans and frameworks.
However, the FCA noted that:
Management and oversight of events is often assigned to staff at too low a level in firms, with insufficient challenge to those staff on current capabilities from senior management. With regard to responding, the FCA noted that some firms had crisis management plans containing pre-approved communications for both employees and customers, and that most firms documented several contingency plans for customer-critical processes.
Potential areas for improvement, however, were also identified:
On the topic of recovering from events and offering appropriate remediation, the FCA noted that all firms used post-incident reviews as a catalyst for updating and improvement of BCP policies, and that some firms proactively contacted customers during an event if harm had occurred.
However, it also recommends that firms ensure that adequate management information is used to identify potential or actual harm proactively and consider what lessons can be learned from an event. This echoes a theme present in other recent FCA communications in which the regulator has expressed some concern regarding the quality of management information presented to senior management at firms and their ability fully to understand it given the technical nature of certain BCP issues such as cyber threats: see, for example, chapter 3 of the Cyber Resilience Paper.
The FCA is advising firms to consider the contents of the Joint Discussion Paper and has made it clear that it expects firms to carry out self-assessments of policies, frameworks and plans on an ongoing basis. Although the review was carried out among small and medium-sized retail banks, payments institutions and electronic money institutions, it will be of interest to all regulated firms – and all businesses – regardless of their size.
The 2019/20 Business Plan says that, as part of its focus on operational resilience, the FCA intends to undertake a number of further activities in this area this year. For example, it plans to:
Firms will want to make sure that they are well prepared to deal with any queries from the regulator in these areas.
With the increasing frequency and severity of cyber attacks and operational disruptions suffered by businesses, it is important that firms are prepared in order to mitigate the risks associated with such events. The FCA's findings and recent papers ought to assist when assessing whether policies and procedures are able to stand up to testing. We would be happy to review your existing BCP and discuss with you how you might improve upon this in light of the FCA's comments.
Released in March 2021, the FCA operational resilience policy provides a framework for financial services firms to strengthen their resilience against operational disruptions. To do this, the policy required firms to establish robust plans for ‘severe but plausible’ risks earlier this year.
Created alongside the Bank of England and the Prudential Regulation Authority (PRA), the policy came about in response to Covid-19. The pandemic, as you will be all too aware, caught many businesses off-guard, and the FCA wants to prevent a similar situation from occurring. The global financial crisis and the recent rise in cyber-attacks also prove the need for firms to achieve operational resilience.
To understand the regulator’s operational resilience framework in more detail, let’s first go back to basics. Exactly what is operational resilience?
The FCA and PRA define operational resilience as the ability of financial services firms and the finance services sector to:
prevent, adapt, respond to, recover, and learn from operational disruptions.
Essentially, it is all about ensuring that your organisation has contingency plans and risk mitigation strategies in place. Why? So that you are as prepared as possible for adverse scenarios. This should prevent harm from manifesting or will help you to recover more easily if something does go wrong.
The importance of building operational resilience goes beyond protecting your organisation from becoming victim to operational risk. It is also in the public interest. By being prepared for unfavourable situations, financial firms are better placed to protect consumers and the wider financial industry.
Operational resilience is also about changing your organisation’s mindset. Instead of thinking about operational disruption as something that could happen, firms should assume it will happen. This shift in attitude should propel your organisation to make operational resilience a priority and will help to drive cultural change within the industry.
If you are not already familiar with the FCA operational resilience policy, it focuses on five key areas:
While the regulator’s operational resilience requirements may seem complex, in essence they are about ensuring firms are prepared for the worst. That way, severe operational disruption, as well as harm to consumers and the market, can be avoided.
“We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.” — Megan Butler, Executive Director of Supervision: Investment, Wholesale and Specialist, TISA’s Operational Resilience Forum
The FCA operational resilience framework applies to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope SMCR firms, and entities that are authorised and registered under the Payment Services.
If you fall under one of these categories, you should now have an operational resilience strategy in place that meets the new requirements.
Considering all of the above, what steps should you have taken to ensure that your firm strengthens its operational resilience to meet the FCA’s framework?
Operational risks are constantly evolving. With Covid-19 and the rise in cyber-attacks, the past couple of years have made this clearer than ever. It is no wonder, then, that the regulators have introduced this operational resilience framework to help firms in the financial sector prepare for the worst. One firm that did successfully prepare for the worst, however, is the Admiral Group.
3 June 2020 Reed Smith Client Alerts
As financial institutions continue to respond to the challenges posed by COVID-19, the Financial Conduct Authority (FCA) has set out its expectations of how firms should be managing their business from a business continuity, operational resilience and recovery and resolution perspective. In addition, the FCA has required certain firms to submit copies of their business continuity plan (BCP), operational resilience framework (ORA) and recovery and resolution plan (RRP) (together, the contingency plans) for review.
In previous statements, the FCA emphasised the importance of proper planning, constant monitoring, quick reactions and proactive remediation in the event of business disruption and it is clear that they expect firms’ contingency plans to be capable of dealing with any future developments in the COVID-19 situation. Therefore, firms should be reviewing and updating their contingency arrangements to ensure that they are not only fit for the current climate but stand up to potential regulatory scrutiny.
This alert highlights some of the issues that firms should consider when reviewing and updating their contingency plans.
Authors: Howard Womersley Smith, David Calligan, Bhav Panchal, Sophie Davis
The requirement to maintain and update BCPs has been woven into various aspects of regulation and has typically formed one of the key supervisory pillars by which regulators such as the FCA monitor the ability of a firm to withstand adverse events.
The FCA expects the BCP to address a variety of topics, covering: resource requirements, recovery priorities for each of the firm’s operations, stakeholder communications plans, escalation and invocation plans, the integrity of management information, and regular BCP testing. Factors that firms should take into account when reviewing, updating and implementing their BCPs include:
Supplementing the high-level requirements of BCPs are more specific requirements relating to ensuring the integrity and continuity of outsourced services, whether they are critical, important or non-critical. Both the FCA and European Banking Authority (EBA) have issued detailed guidance in this area, which firms should take into account, particularly considering that firms remain responsible for the provision of the services they outsource. Issues to address include:
Where operational resilience differs from BCPs and RRPs is that it is more focused on the broad impact on customers and financial stability, rather than business continuity and operational continuity in resilience. The FCA and Prudential Regulation Authority’s consultations on operational resilience provide an insight into the themes regulators will be focusing on in a firm’s contingency planning going forward, as well as the process they expect firms to follow in creating a living, breathing contingency framework. While they may still be in the consultation stage (the consultation deadline has been extended to 1 October 2020), regulators are likely to take account of the principles established in their consultation when reviewing firms’ BCPs and RRPs during the COVID-19 period. Notably, the FCA will expect firms to invest in and address any weaknesses, vulnerabilities or deficiencies, with the aim of improving contingency plans overall.
Issues that firms may wish to consider in the context of operational resilience include:
Completing a firm’s contingency matrix is the RRP required to be prepared by banks and larger investment firms, being investment firms subject to an initial capital requirement of €730,000 – i.e., UK IFPRU 730K firms. They set out what the firm would do in, or prior to becoming subject to, stressed circumstances that would affect the ability of the firm to carry on all or a significant part of its business. Whilst there will evidently be overlap between the considerations to be made when updating BCPs, RRPs have an additional granular focus on the financial recovery of the firm.
RRPs need to be periodically reviewed and submitted to regulators and so it is important to ensure their appropriateness and relevance. This is particularly pertinent given the changes to a firm’s business or financial situation that may have arisen as a result of COVID-19, and the lessons learnt from the firm’s response. Issues that firms should be considering when reviewing and updating their RRPs include:
The EBA has recently issued a report on the inherent interlinkage between the content of recovery plans and the resolution plans which are prepared by resolution authorities on the basis of information provided by firms. Firms should be aware of this interlinkage and the best practices set out in the EBA’s report. The fact that recovery and resolution plans exist on a continuum means that firms should ensure consistency both in the recovery plans they prepare and the information they provide to resolution authorities.
In a time where business interruption may be more widespread, unforeseen, and yet frequent, it will be important to ensure that the myriad requirements for continuity plans are comprehensive, robust and stress tested.
Firms should continue to monitor developments and statements from regulators in relation to continuity plans during this period of uncertainty. If you have any questions or concerns, please get in touch with your usual contact at Reed Smith.
Client Alert 2020-358
The EBA outsourcing guidelines (EBA/GL/2019/02) apply to credit institutions and investment firms subject to the EU Capital Requirement Directive (2013/36/EU). These are banks, building societies and IFPRU investment firms as defined in our Handbook. The Guidelines also apply to payment institutions and electronic money institutions.
In 2024/2025, our annual funding requirement (AFR) is £755.0m, an increase of 10.7%. The funding includes our ongoing regulatory activities (ORA) budget, and the costs of exceptional projects we need to recover for changes to our regulated activities and new initiatives.
remedial action and escalation processes for dealing with inadequate performance. SYSC 13.9.7 G 31/12/2006 RP. In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls.
SYSC 8: Outsourcing, Section 8.1: General outsourcing requirements (Release 37, Jun 2024, www.handbook.fca.org.uk, SYSC 8/5). (7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients; (8) the service provider must co-operate ...
Our AFR for 2023/24 is £684.2m, an increase of 8.5%. Our AFR includes our ORA budget, Future Regulatory Framework, Transformation, our Consumer Harm Campaign, and the costs we need to recover for changes to our regulated activities, i.e. scope change, which includes increased responsibilities for the FCA.
The application of SYSC 8.1 to relevant services and activities (see SYSC 8.1.1 R (1)) is limited by SYSC 1 Annex 1 (Part 2) (Application of the common platform requirements). SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report risks and internal control mechanisms.
Financial Conduct Authority, Finalised guidance: Cloud computing. 3.3 As noted above, the term 'cloud' encompasses a range of different IT services. Each service has features and risks associated with it, and it is for firms to consider which outsourcing option is the best fit for their business. From a regulatory perspective, the
We published the final guidance (FG16/5) in July 2016. Our finalised guidance is relevant to firms who are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and ...
SYSC 8: Outsourcing, Section 8.3: Guidance on outsourcing portfolio management for retail clients to a non-EEA State (SYSC 8/4, www.handbook.fca.org.uk, Release 21, Nov 2017). (2) The outsourcing agreement should require the service provider to provide the firm's offices in the United Kingdom with all requested information required to meet the firm's regulatory obligations.
In March 2024, the Financial Conduct Authority (FCA) released two documents with its updated supervisory approach for the asset management and alternatives sector: the FCA's 2024/25 Business Plan (the Business Plan), and a "Dear CEO" letter titled "Our Asset Management & Alternatives Supervisory Strategy - interim update" (the Dear CEO Letter).
SYSC 8.2.1 R 01/04/2013. (1) In addition to the requirements set out in the MiFID outsourcing rules, when a MiFID investment firm outsources the investment service of portfolio management to retail clients to a service provider located in a non-EEA state, it must ensure that the following conditions are satisfied:
On 29 March 2021 the FCA and PRA released their finalised policy statements, near final rules, and, in the case of the PRA, a supervisory statement and statement of policy on operational resilience. The PRA has also released its finalised policy and supervisory statement on outsourcing and third party risk management.
• The FCA published the findings of its supervisory review on outsourcing in the life insurance sector on 4 March 2020.
• The review looked at a sample of life insurers' systems and controls for managing outsourced service providers (OSPs), focusing on exit planning, business continuity planning, and governance, systems and controls.
The 13 commitments under the 2023/24 Business Plan are set out below, with the first four commitments being of the greatest priority: Preparing financial services for the future. Putting consumers' needs first. Reducing and preventing financial crime. Strengthening the UK's position in global wholesale markets.
The continuing regulatory focus on this area is borne out further by the emphasis on operational resilience as a cross-sector priority in the FCA's recently published Business Plan for 2019/20 and the Final Notice issued jointly by the PRA and FCA to Raphaels Bank on 30 May 2019 for failing properly to manage outsourcing arrangements between ...
On 6 May 2021, the FCA updated its webpage regarding outsourcing and operational resilience. The FCA has added to the bottom of the webpage a new section entitled 'Who the EBA outsourcing guidelines apply to'. Among other things this new section explains that: The FCA notified the European Banking Authority (EBA) that it would comply with ...
The FCA operational resilience guidelines: an overview. Abbie Glossop May 05, 22. Released in March 2021, the FCA operational resilience policy provides a framework for financial services firms to strengthen their resilience against operational disruptions. To do this, the policy required firms to establish robust plans for 'severe but ...
As financial institutions continue to respond to the challenges posed by COVID-19, the Financial Conduct Authority (FCA) has set out its expectations of how firms should be managing their business from a business continuity, operational resilience and recovery and resolution perspective. In addition, the FCA has required certain firms to submit ...
The FCA is turning its spotlight back to outsourcing, as well as continuing its focus on FinTech, according to its Business Plan 2018/9, published today, 9 April. Each year the FCA publishes its ...
SYSC 8: Outsourcing, Section 8.1: General outsourcing requirements (Release 37, Jun 2024, www.handbook.fca.org.uk, SYSC 8/5). (6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and
Business Plan 2023-24. The FCA business plan is focused on work in four key areas: preparing financial services for the future, putting consumer needs first, reducing and preventing financial crime, and strengthening the position of the UK in global wholesale markets. To deliver on the commitments, the business plan sets out the following: