Regulatory cohesion can be a thing of beauty. It doesn’t happen often. Most of the time we are battling to put together pieces in a large and ever-evolving compliance puzzle. But every so often, global regulators appear to be on the same page.
When it comes to operational resilience, and especially as it relates to outsourced services and critical third parties, the regulatory stars are aligning.
Regulators from the EU, the UK, and the US are simultaneously working on new obligations and guidance that will set out expectations for firms looking to implement (or for those which have implemented) the services of third-party providers.
“When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients.”
Gary Gensler, chair, SEC
Regulatory standards for outsourcing are arguably long overdue. Over the past five years, outsourced services have become the norm for financial institutions. After all, no firm wants to build its own in-house technology only for it to become outdated by the time it is implemented? Of the many issues at hand regarding operational resilience and outsourcing, the consistent regulatory message appears to be one of accountability — namely that outsourcing a service does not mean the outsourcing of responsibility in the event of failure.
To quote SEC Chair Gary Gensler: “When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients.”
Web of providers
The issue here is that firms are gradually employing the services of more and more third parties. Those third parties also often use third parties to deliver their own services (fourth parties to the service recipient). Quickly, a web of third, fourth and even fifth parties is weaved, which can be catastrophic in the event of outages or disruption. Unless, that is, considerable due diligence is established at the outset. This is a risk to which regulators have slowly opened their eyes, with a raft of new and emerging regulation and some enforcement actions in certain cases.
The last year has seen a coordinated move for regulation and regulatory messaging around outsourced services, especially regarding operational resilience and due diligence. While regulators are not necessarily saying the same thing, they are focusing on the same areas, which is, at least, a start.
In the US, for example, the SEC has published proposed oversight requirements for investment advisers that outsource certain services. Under the proposed new requirements, which are still under consideration, investment advisers would have to satisfy six new due diligence elements before outsourcing a service to a provider to perform certain advisory services or functions. These six new areas are:
- the nature and scope of services;
- potential risks, including their management and mitigation;
- the service provider’s competence, capacity and resources;
- the service provider’s subcontracting arrangements;
- coordination with the service provider for securities law compliance;
- orderly termination of the function by the service provider.
In the UK, on the understanding that financial institutions “increasingly rely upon third-party services to support their operations”, we have seen regulators issue discussion paper DP3/22. Published in July 2022, it looks to establish a new framework for outsourced services that would:
- enable supervisory bodies to identify critical third parties;
- set minimum standards that these outsourced service providers should meet;
- create tools with which organizations can test the operational resilience of their outsourced vendors.
In the EU, many readers will be familiar with the Digital Operational Resilience Act (DORA), which is widely considered one of the most transformative pieces of legislation for operational resilience. Of the five key areas of focus for DORA, two concern outsourcing arrangements — namely the management of third-party risk and the arrangements surrounding information sharing.
Tapestry of regulation
Given the fast-growing tapestry of emerging regulation, it came as little surprise when in December 2022 the FCA and PRA issued £48.7m in fines to TSB Bank for historical operational resilience failures. Following acquisition in 2015, TSB embarked on a data migration mission on a mammoth scale. It had been planned for a number of years and in April 2018 the main migration event occurred. This faced technical errors, resulting in outages and leaving many customers and bank branches unable to access accounts and funds.
On investigation, the FCA and PRA found that TSB’s data migration project failed for myriad reasons, most pertaining to ill-considered operational resilience:
- TSB prioritized meeting deadlines over adequate testing, meaning that some tests had been overlooked to meet certain timelines;
- TSB employed the services of a third-party vendor that had “no experience of managing service delivery from a large number of UK subcontractors” and failed to “explicitly address” the risks of using such a third party for a data migration of such proportions;
- TSB outsourced the project, which was “critical to the performance of TSB’s regulated activities” but despite this, did not conduct a “formal, comprehensive due diligence exercise to understand [the third party’s] capability to deliver”;
- TSB failed to asses how the third party would deliver the migration project, therefore failed to understand that the third party was to use 85 third parties of its own (TSB’s fourth parties) to carry out the migration;
- TSB failed to carry out business continuity planning for what would happen in the event the migration failed, meaning that business-as-usual was not restored until eight months after the outage event.
The case has piqued the interest of practitioners for a number of reasons, not least because UK regulators appear to have retroactively applied new operational resilience standards to the historical data migration project. At the time of the migration, many of the above operational resilience and due diligence expectations did not apply.
There is concern among some that this could set a precedent and prove challenging for many firms to meet. Not only must they adhere to stringent operational resilience standards for outsourcing moving forward, but must they also pore over historical projects to ensure compliance?
Now is the time to take stock of existing and emerging third-party relationships.
The future for operational resilience for outsourcing is clear, if not complex. Regulatory expectation and scrutiny will increase, firms will increasingly be expected to show significant and robust due diligence when outsourcing, and a third-party vendor must be prepared to provide significant information to prove its ability to deliver.
For now, firms should closely follow regulatory developments in anticipation of rigorous change. In the meantime, now is the time to take stock of existing and emerging third-party relationships.
- Ask whether your third-party reliance can be consolidated. Look at processes and establish whether a single third party could do the job of many. If so, consolidate and reduce your net.
- Can you show adequate due diligence? Do you know how your third parties are delivering your services? If you don’t know, find out and plan business continuity to support this.
- Have you tested for failure? What will happen if one of your third parties fails? As the TSB enforcement shows, regulators want to see testing prioritized.
Ultimately, operational resilience and outsourcing requires a fine balance. By all means outsource your services, but don’t cast your net too wide. There remain many unanswered questions. For example, how far should you test a process and what happens if that process fails in testing?
The bad news is that future regulation will not make things easy at the outset. The good news is that things will be clearer as we move forward, and more firms may avoid outages and regulatory action further down the line. Prepare now, before you are in too deep.