In July, the Financial Conduct Authority (FCA - the financial regulatory body in the United Kingdom) issued a paper titled "Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions" (the Considerations). The Considerations contain about five pages of checklist "Areas of interest" and related notes, which are stated to be things a firm subject to regulation by the FCA should consider when procuring 'off the shelf' technology solutions.
When do the Considerations apply?
We view the application of the Considerations as two-fold. First, they supplement the existing IT-related banking regulations. Second, they are intended to apply to procurements where firms might not ordinarily consider applying FCA-originating guidelines.
Supplementing existing regulation
The preamble to the Considerations says that they are separate to, and do not replace, the existing IT-related matters that are assessed by regulators. This means they do not replace existing Threshold Conditions and the requirements set out in Systems and Controls (SYSC) 8 of the FCA Handbook (the Handbook) - these are the general outsourcing requirements, and have been in place since 2007.
The existing rules, as their name suggests, focus on "controls". When firms outsource critical or important operational functions - defined as those that would materially impair a firm's ability to comply with regulatory obligations - they remain fully responsible for all those obligations. The Handbook requires compliance in a number of related areas such as reporting, audit and co-operation with the regulator, all of which must be documented as part of the outsourcing agreement.
In summary, the existing rules provide a good compliance framework of general outsourcing evaluation: have you evaluated the vendor? Can you incentivise / penalise the vendor? Can you get out of the arrangement? etc.
Where the Considerations also concern themselves with issues of general application, there is an overlap with the existing rules. For example, Areas of Interest such as "Oversight of service provider" and "Due diligence" are to a large degree, covered by the requirements of specific controls within the SYSC 8.1 series.
Where the Considerations take a very different approach to the existing regulations is in their technology and sourcing specificity. Areas of Interest such as "Multi-tenancy", "Service levels", "User Administration" and others clearly demonstrate a much greater focus on issues specific to IT procurement. The Considerations are a "ground up" set of notes relating to issues that would need to be considered by a firm's subject matter experts, rather than a more generic set of oversight controls.
Application to different types of
Typically, firms have applied the existing IT-related banking regulation to the procurement of large-scale, "bespoke" services such as IT infrastructure and hosting services. Buying these services has usually involved contracting on the basis of the purchasing firm's terms and conditions, and with significant involvement of the various "buying" functions e.g. IT, procurement, commercial, legal, and regulatory.
The existing rules may not have been considered as applying to off-the-shelf products, as many banking products, or many of the "as a service" type third party solutions that were not part of the IT landscape in 2007.
The Considerations are intended to specifically catch and address these types of procurements; areas of interest include "Data Segregation", "Multi-tenancy", "Track record" and "Scalability". These are topics specific to the procurement of off-the-shelf products, often remotely hosted, and sometimes provided by new entrants to the market or relatively small providers rather than the IT megaliths.
In this context, it is no surprise that the Considerations refer to "application[s] for undertaking a new regulated business activity". The Considerations are talking to the procurement by banks (including many of the newer financial providers, known as 'challenger banks') of core banking platforms (such as Oracle Flexcube or Temenos T24) or narrower and more specialised products such as platforms that support OTC trade reconciliations or other multi-party trading platforms.
These types of procurements may well have been subject to the existing regulations, but many times the regulations weren't considered material or relevant, and many organisations did not think too deeply about the application of regulation to these products. Unlike outsourcing agreements, contracts for off the shelf IT products are often concluded on the vendor's paper, and the "as a service" restrictions (imposing a more restrictive business and delivery model) have acted as a blocker to negotiating some of the fundamental areas that the Considerations now require a focus on.
Firms need to approach their procurement processes for off-the-shelf platforms with a view to ensuring checks against the "Areas of interest" in the Considerations. Applying the Considerations requires activity by most of the functions of a firm involved in purchasing and implementing such platforms, including IT, procurement, legal and others. Additionally, the Considerations should also be thought of in the context of "traditional" material outsourcings in addition to the existing rules and guidance.
A version of this blog first appeared in Banking Technology on 8th September 2014.