UK Financial Services Guidance for IT Outsourcing Regulation and Managing Third-Party Risk





Introduction

As Financial Services firms strive to meet greater customer expectations and innovate through new technologies, ‘firms and FMIs are increasing their use of third-parties’ [1] to provide business-critical functions.

However, relying on third-parties brings additional risk and firms ‘can’t outsource the responsibility’ [2] of properly governing, managing and mitigating the risks.

With firms’ reliance on third-parties to provide business-critical functions showing no signs of slowing down, and third-party failures being the second most common cause of incidents in the financial services sector, it’s unsurprising that ‘outsourcing and wider use of third-party providers is a priority area of focus for the Authorities’ [3], including the FCA, the Bank and the PRA.

In response to organisations’ ever-expanding ecosystems, regulators are supplementing existing rules and guidance around business continuity and contingency planning with specific measures which focus not only on individual systems and processes but on operational resilience as a whole.

Therefore, to comply with IT outsourcing regulation, UK Financial Services organisations must understand current regulation and guidance, then develop and implement robust end-to-end risk management programmes which ensure that compliance.

To support Financial Services organisations in achieving compliance we have compiled the key regulations and guidelines around IT outsourcing governing the UK Financial Services sector. In this paper, you’ll find our best practice advice and solutions for ensuring compliance.

An NCC Group Publication | UK Financial Services Regulation Insights 2


FCA SYSC Chapter 8 Outsourcing

Chapter 8.1 provides general outsourcing rules and guidance and states that firms must take the necessary steps to ensure that the following conditions are satisfied:

• The provider must supervise the carrying out of the outsourced functions and adequately manage the risks associated with outsourcing.

• The firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the associated risks.

• The firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where necessary.

View FCA SYSC Chapter 8 Outsourcing paper

FCA SYSC Chapter 13 Operational risk: systems and controls for insurers

Chapter 13 provides guidance on how to deal with the establishment and maintenance of systems and controls in relation to the management of operational risk. When managing business continuity in the context of operational risk (section 13.8), the FCA provides guidance that firms should:

• Consider the likelihood and impact of unexpected disruption to the continuity of its operations.

• Document its strategy for maintaining continuity of operations, including recovery, and regularly test the adequacy and effectiveness of this.

• Assess disruptions to which it is particularly susceptible, including loss or failure of resources.

• Implement appropriate arrangements to maintain the continuity of its operations.

• Act to reduce the likelihood and impact of a disruption.

Firms should also establish:

• Formal business continuity plans that outline arrangements to reduce the impact of disruption, including resource requirements and arrangements for obtaining these resources.

• Processes to validate the integrity of information affected by the disruption.

• Processes to review and update continuity plans and validate information affected by disruption following changes to the firm’s operations or risk profile.

When managing outsourcing arrangements in relation to operational risk (section 13.9) the FCA provides the following guidance:

• Before entering into, or significantly changing, an outsourcing arrangement, a firm should consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement.

• In negotiating its contract with a service provider, a firm should have regard to the extent to which a service provider will provide business continuity for outsourced operations, whether exclusive access to its resources is agreed, and the need for continued availability of software following difficulty at a third-party supplier.

• A firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider. Particular issues to consider include unexpected termination of the outsourcing arrangement.

View FCA SYSC Chapter 13 Operational risk: systems and controls for insurers Paper

FCA Regulation and Guidance

The Financial Conduct Authority (FCA) is the conduct regulator for more than 56,000 financial services firms and financial markets in the United Kingdom. Since its inception in 2013, the FCA has built a strong regulatory infrastructure to strengthen the service that financial institutions provide and has maintained the integrity of the financial markets within the United Kingdom.

The FCA regularly publishes information for its regulated entities covering topics from outsourcing requirements to Cloud computing. Regulatory guidance currently in place, such as SYSC 8.1, SYSC 13 and FG16/5, identifies the responsibilities organisations have to ensure they are committed to managing risk, whilst also ensuring that neither the financial services sector nor its customers are exposed to the potential risk of provider failure.


PRA Regulation and Guidance

The Prudential Regulation Authority (PRA) is responsible for the prudential regulation and supervision of around 1,500 financial institutions. The PRA’s role is defined in terms of two statutory objectives: to promote the safety and soundness of these firms, and to contribute to securing an appropriate degree of protection for policyholders. Through regulation, the PRA sets standards and policies focused on reducing the harm that firms can cause to the stability of the UK financial system. The PRA expects firms to meet these expectations and monitors compliance against them. Most recently, it has published its expectations of how firms should manage IT outsourcing and third-party risk.

Outsourcing and third-party risk management (Consultation Paper 30/19)

Consultation Paper 30/19 sets out the PRA’s expectations on how firms should manage outsourcing and third-party risks. For instance:

“Developing, documenting and testing robust business continuity plans and exit strategies to improve their ability to withstand and recover from potential failures and outages in material third-party service providers in a manner that promotes their operational resilience”.

Business continuity and exit plans

Firms should implement, and require service providers in material outsourcing arrangements to implement, appropriate business continuity plans to anticipate, withstand, respond to and recover from severe but plausible disruption.

For each material outsourcing arrangement, the PRA expects firms to develop, maintain and test a business continuity plan and documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement in stressed (e.g. failure or insolvency of the service provider) and non-stressed circumstances.

Material outsourcing agreements

Written agreements for material outsourcing should set out at least:

• Requirements for both parties to implement and test business contingency plans;

• Provisions to ensure that data owned by the firm can be accessed promptly in the case of the insolvency, resolution or discontinuation of business operations of the service provider; and

• Termination rights and exit strategies covering both stressed and non-stressed scenarios.

Stressed exits

Firms’ exit plans should cover stressed exits and be appropriately documented and tested as far as possible to provide a last resort risk mitigation strategy in the event of a disruption that cannot be managed through other business continuity measures, including the insolvency or liquidation of a service provider.

The PRA expects firms to consider all potentially viable forms of exit in a stressed exit scenario, which may include bringing the data, function or service back in-house/on-premise and transferring the data, function or service to an alternative or back-up service provider.

The PRA expects firms to give meaningful consideration to all available tools that can facilitate an orderly stressed exit from a material outsourcing arrangement. These tools are constantly evolving, in particular in technology outsourcing, including Cloud, and may include technology solutions and tools to facilitate the switching and portability of data and applications.

Firms should also actively consider temporary measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit, even if these are not suitable long-term solutions, e.g. contractual arrangements allowing for continued use of a service or technology for a transitional period following termination.

Governance of business continuity plans and exit plans

Firms should develop their business continuity and exit plans, in particular for stressed exits (i.e. insolvency or liquidation of the service provider), during the pre-outsourcing phase, once they have determined that a planned outsourcing arrangement is material.

Firms should take reasonable steps to test exit plans, in particular, those relating to stressed exits, and business continuity and exit plans should be reviewed periodically.

View the PRA 30/19 Consultation Paper

Considering the Cloud

Cloud computing is transforming the finance sector, and it is predicted that up to 40%–90% of banks’ workloads globally could be hosted on public cloud or software as a service within a decade [4]. Whilst Cloud computing provides benefits such as greater flexibility and innovation, and enables firms to deliver against increasing customer expectations, firms must also consider the risks which, if not managed properly, could prevent long-term access to Cloud applications and data. The following risks should be considered when utilising the Cloud:

• Risk of service provider insolvency and continuation of service should this occur.

• Whether there is sufficient documentation of credentials to access business-critical systems and portals, to allow for the continuation of service with an alternative Infrastructure as a Service provider.

• Whether sufficient information around topology, network configuration, administrative processes and procedures has been documented independently.

Recognising that the Cloud provides the underlying infrastructure supporting many technology solutions within firms, regulators such as the FCA and PRA have made Cloud a particular area of focus.

FCA Guidance for Outsourcing to the Cloud

The FCA approves of Cloud computing, commenting that there is “no fundamental reason why Cloud services cannot be implemented, with appropriate consideration, in a manner that complies with our rules”.

The FCA’s guidance (FG16/5) adds Cloud-specific controls in alignment with its general outsourcing requirements for regulated firms. The guidance supports firms in identifying, managing and mitigating risks that may be introduced when outsourcing to the Cloud and other third-party IT services, including:

Continuity and business planning

A firm should have in place appropriate arrangements to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption of the outsourced services. Firms should:

• Consider the likelihood and impact of unexpected disruption to the continuity of its operations.

• Document its strategy for maintaining continuity of operations, including recovery, and regularly test the adequacy and effectiveness of this.

• Regularly update and test arrangements to ensure their effectiveness.

• Ensure the regulator has access to data in the event of insolvency or other disruption.

Exit plan

Firms need to ensure that they can exit outsourcing arrangements without disruption to their provision of services or to their regulatory compliance. Firms should:

• Have exit plans and termination arrangements that are understood, documented and fully tested.

• Know how it would transition to an alternative service provider and maintain business continuity.

• Know how it would remove data from the service provider’s systems on exit.

View the FCA FG 16/5 Paper

PRA Expectations for Cloud Outsourcing

The PRA has also published business continuity plan expectations specific to material Cloud outsourcing arrangements in its outsourcing and third-party risk management consultation paper (30/19), which looks to modernise existing regulatory frameworks.

In this paper, the PRA states that it expects firms to “assess the resilience requirements of the service and data that are being outsourced and, with a risk-based approach, decide on one or more available Cloud resiliency options, which may include retaining the ability to bring data or applications back on-premise”.

View the PRA 30/19 Consultation Paper


Recommendations

With an increased dependency on third-party providers, financial services firms need to ensure that they are properly managing the risks associated with IT outsourcing as part of a comprehensive compliance programme.

Firms must put in place processes to assess risk and a set of internal policies and procedures to ensure compliance with relevant laws, rules and regulations. Doing so will support firms in protecting their investment in critical software, their reputation and most importantly the customers who rely on the services they deliver.

To establish a consistent and robust approach to regulatory compliance and industry best practice advice, NCC Group recommends firms:

• Bring the issue of third-party risk management to board and strategic level to raise awareness.

• Use recommended risk assessment tools or methodologies from independent assurance specialists to review the current third-party software application portfolio and assess risk exposure.

• Develop an onboarding process for new third-party software providers with escrow agreements and entry-level verification testing as a minimum.

• Establish a secure library with tested and documented details of all critical third-party software, ensuring that details of the environments, resource and expertise requirements are recorded.

• Test the rebuild or data extraction of any high dependency applications ensuring that they form part of any contingency disaster recovery plans.

• Implement a consistent approach to third-party risk management across the organisation with documented processes for assessing risk exposure and for the implementation of escrow and testing with a recommended escrow provider.

• Review and test this approach on a regular, consistent basis.

Recommended Solutions

NCC Group provides escrow, verification and Cloud resilience services that directly address the risks associated with outsourcing IT to third-party providers, as highlighted by the regulatory authorities cited in this paper. Our services provide visible assurance and evidence that, should your third-party solution provider(s) become insolvent or unable to maintain their contractual arrangement, the solution can continue to operate while contingency plans are enacted.

Escrow agreements and verification services have now become a vital part of internal processes and contingency planning for financial services when using third-party software providers. Our services provide end-users with assurance that, in the event of third-party failure, they can access the source code behind business-critical outsourced IT, enabling them to bring the function back in-house or transfer the service to an alternative provider.

Where regulatory bodies recommend the need to test and document the development and build of software applications this can be achieved through NCC Group’s verification services which are led by our in-house technical consultants who will work with both the financial services end-user and software provider(s) to implement testing of the software to a level that is appropriate to meet the needs of the financial services firm.

For Cloud applications, NCC Group provides continuity services that enable financial services organisations to employ effective risk mitigation procedures when using or considering applications and systems that are hosted in Cloud environments.

NCC Group’s services provide an independent audit of a firm’s third-party application(s), system(s) and provider(s). Furthermore, our services provide firms with assurance that their approach to IT outsourcing not only complies with guidelines and regulation but also mitigates the risks associated with third-parties.

For more information from NCC Group, please contact:

[email protected]

UK: +44 (0) 161 209 5324 | Netherlands: +31 (0) 20 620 7151 | Switzerland: +41 (0) 41 763 2800 | Germany: +49 (0) 89 599 7620 | US: +1 (800) 813 3523

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face.

We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

About Escrow & Verification

With over 30 years’ experience, we are one of the world’s leading software escrow providers, protecting business-critical software, data and information through escrow, verification testing and Cloud Resilience services.

Over 18,000 organisations worldwide benefit from our ability to offer our services under a variety of international laws and the assurance that comes from our global network of secure storage vaults across the UK, North America and Europe. Our expertise, offering and global scale are backed up by in-house technical and legal teams, guaranteeing an independent and quality service.

The principle behind our escrow offering is clear – to protect all parties involved in the development, supply and use of business critical software applications, information and technology.

References

[1] Financial Conduct Authority, Bank of England and Prudential Regulation Authority: Written evidence (OPR0012)

[2] IT Failures in the Financial Services Sector: Oral evidence (HC 1766)

[3] House of Commons Treasury Committee: IT Failures in the Financial Services Sector (Second Report of Session 2019–20)

[4] Bank of England: The Future of Finance Report

All Rights Reserved. © NCC Group 2020