FCA issues considerations on the procurement of off-the-shelf technology solutions
The Financial Conduct Authority has recently issued a series of “considerations” for firms that are thinking about using third-party technology banking solutions. The considerations do not seek to tell firms how to structure their IT procurements but rather provide a useful framework for firms to demonstrate that their IT services are effective, resilient and secure in line with the FCA’s required outcomes, write Mike Pierides and Simon Lightman.
In July, the Financial Conduct Authority issued a paper titled “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions”. The Considerations contain about five pages of checklist “Areas of interest” and related notes, which are stated to be things a firm should consider when procuring off-the-shelf technology solutions.
When do the Considerations apply?
We view the application of the Considerations as two-fold. First, they supplement the existing IT-related banking regulation. Second, they are intended to apply to procurements where firms might not ordinarily consider applying FCA-originating guidelines.
Supplementing existing regulation
The preamble to the Considerations says that they are separate from, and do not replace, the existing IT-related matters that are assessed by regulators. This means they do not replace the existing Threshold Conditions or the requirements set out in Senior Management Arrangements, Systems and Controls (SYSC) 8 of the FCA Handbook – these are the general outsourcing requirements, and have been in place since 2007.
The existing rules, as their name suggests, focus on “controls”. When firms outsource critical or important operational functions – defined as those whose defective performance or failure would materially impair a firm’s ability to comply with its regulatory obligations – they remain fully responsible for all those obligations. The Handbook requires compliance in a number of related areas such as reporting, audit and co-operation with the regulator, all of which must be documented as part of the outsourcing agreement.
In summary, the existing rules provide a good compliance framework for general outsourcing evaluation: have you evaluated the vendor? Can you incentivise or penalise the vendor? Can you get out of the arrangement? And so on.
Where the Considerations also concern themselves with issues of general application, there is an overlap with the existing rules. For example, areas of interest such as “oversight of service provider” and “due diligence” are, to a large degree, covered by the requirements of specific controls within the SYSC 8.1 series.
Where the Considerations take a very different approach from the existing regulations is in their technology and sourcing specificity. Areas of interest such as “Multi-tenancy”, “Service levels”, “User Administration” and others clearly demonstrate a much greater focus on issues specific to IT procurement. The Considerations are a “ground up” set of notes on issues that would need to be considered by a firm’s subject matter experts, rather than a more generic set of oversight controls.
Application to different types of procurements
Typically, firms have applied the existing IT-related banking regulation to the procurement of large-scale, bespoke services such as IT infrastructure and hosting services. Buying these services has usually involved contracting on the basis of the purchasing firm’s terms and conditions, and with significant involvement of the various “buying” functions, such as IT itself, procurement/commercial, legal and regulatory.
The existing rules have perhaps not been thought to apply to off-the-shelf products, such as many banking products, or to the many “as a service” third-party solutions that were not part of the IT landscape in 2007.
The Considerations are intended to specifically catch and address these types of procurements; areas of interest include data segregation, multi-tenancy, track record and scalability. These are topics specific to the procurement of off-the-shelf products, often remotely hosted, and sometimes provided by new entrants to the market or relatively small providers rather than the IT megaliths.
In this context, it is no surprise that the Considerations refer to “application[s] for undertaking a new regulated business activity”. The Considerations are addressing the procurement by banks (including many challenger banks) of core banking platforms (such as Oracle Flexcube or Temenos T24) or narrower and more specialised products such as platforms that support OTC trade reconciliations or other multi-party trading platforms.
These types of procurements may well have been caught, or ought to have been caught, by the existing regulations, but they were often not considered material or relevant, and many organisations did not think too deeply about the application of regulation to these products. Contracts are often concluded on the vendor’s paper, and the “as a service” restrictions (imposed by newer vendors and a more restrictive business and delivery model) have acted as a blocker to engaging on some of the fundamental areas on which the Considerations require firms to focus.
Firms need to approach their procurement processes for off-the-shelf platforms so that they check against the “Areas of interest” in the Considerations. Applying the Considerations requires activity by most of the functions of a firm involved in purchasing and implementing such platforms, including IT, procurement, legal and others. The Considerations should also be thought of in the context of “traditional” material outsourcings, alongside the existing rules and guidance.