Asset managers' outsourcing arrangements with tech vendors could face FCA scrutiny
Asset managers must ensure they have effective business continuity plans (BCPs) and exit strategies in place with their technology vendors, in case a vendor defaults, if they are to avoid falling foul of the UK Financial Conduct Authority (FCA).
This comes as the FCA continues to take a growing interest in asset managers’ outsourcing arrangements. In November 2013, the FCA published Report TR13/10, a thematic review following on from its November 2012 “Dear CEO” letter, in which it expressed concerns that fund managers had given inadequate thought to the complexities and timescales involved in moving service providers in the event of a service provider failure.
While the FCA’s report acknowledged managers had made marked improvements since the “Dear CEO” letter, it warned firms that their outsourcing relationships with global custodians posed serious risks to their businesses, particularly if one or more of those banks ran into difficulty. However, there is a strong risk the FCA’s scrutiny of outsourcing arrangements could be extended to technology vendors.
“The chief focus of the FCA had been on asset managers outsourcing their entire middle and back offices to global custodians. There is a strong possibility regulators could turn their attention towards IT vendors, simply because IT is such a critical component to ensuring asset managers’ operational infrastructure is fully functional. Managers need to conduct thorough risk assessments on their IT vendors and they need to have an effective exit strategy in place in case that vendor runs into difficulties,” said Alexander Brown, partner at Simmons & Simmons in London, speaking at a breakfast seminar hosted jointly by Simmons & Simmons and Eze Castle Integration.
A number of asset managers outsource considerable amounts of their technology requirements to IT vendors. Many will also use these vendors to host their data on a private cloud. IT vendor risk is therefore something asset managers should be looking to mitigate. “We employ systems that allow for the data we host to be easily transferred to a third party if we were ever to run into trouble. Some of our clients even have a black box in their offices which basically backs up all of their data which we hold,” commented Simon Eyre, director of service at Eze Castle Integration.
The FCA review also urged asset managers to make sure they had sufficient internal expertise to monitor the work of their service providers. As a result, asset managers and their institutional investors are increasingly conducting rigorous operational due diligence on vendors. “Clients want to know that our business is sustainable and financially stable. We also show them that we have rigorous systems and controls in place, and we are transparent about our security audits. All of this stemmed from the ‘Dear CEO’ letter,” added Eyre.
COOConnect held a webinar on the challenges of outsourcing operational risk in light of the FCA’s comments on outsourcing. The video replay of the webinar can be viewed here.