The scenario: You have been CF10 at a national wealth management firm for five years and in that time the business has grown from 200 clients with £100m to 600 clients with £450m. Employee numbers have also increased. This growth has meant that it has been necessary to contract with third parties to ensure your firm is able to service its clients appropriately.
The key third-party arrangements include platform providers, HR, IT services – including data storage and IT security – and research houses.
All these providers have contractual arrangements in place and you have quarterly meetings with each third party. The meetings are also attended by your firm’s CEO and the key areas for discussion tend to centre upon service level agreements and costs.
Until now, the firm has not had the resources to properly review these arrangements, in part because of a blurring of lines between outsourcing and third-party arrangements.
The key question which is uppermost in your mind is: “Is the oversight and control over these entities appropriate and robust?”
The FCA recently published its thematic review of the use of third parties and outsource partners within the asset management industry.
While not 100 per cent related to your sector, the FCA document is relevant and the core themes are a good starting point.
Some factors to consider:
Third party versus outsource arrangement: A third party arrangement is construed differently to an outsource arrangement. You need to assess whether any of the arrangements you have in place are outsource arrangements in SYSC 8.1 terminology. If they are, then you need to devise a robust and appropriate monitoring regime to ensure outsourcing of regulated activities is done in accordance with FCA rules.
Inevitably, this would involve testing and so there is an impact on your resourcing. The level and type of testing would depend upon regulated activities being outsourced but you should ensure all FCA rules are being met and that you have evidence of this.
For true third parties where no regulated activity is being outsourced, a lighter touch of review and monitoring could be applied. But assure yourself that the third parties’ activities do not impact on your regulatory duties.
For example, although your firm relies on the IT service provider for items such as servers, they are responsible for your data storage, and so you need to consider this aspect of their service to you.
Third party resilience: In the fast-paced and often changing economic environment we currently face, it is not only the activities of the third party you need to consider but also the third party’s resilience to market movements and the business/economic cycle. While not an easy task, you should review the third party’s ability to withstand financial pressures. This includes a review of their plans for wind up should the worst happen – in particular how they intend to deal with the services they offer you.
Resourcing: We have already discussed the potential need to increase resource to ensure that third party arrangements can be effectively and robustly monitored, but do you have the resource with the right skills and experience?
Often firms give the responsibility for such monitoring / review activities to their most inexperienced staff.
This is fundamentally the wrong approach. In fact, it can be argued that the most skilled and experienced regulatory professional should be allocated this responsibility.
The reason for this is that these types of arrangements can often be complex, and the link between the third party’s activities and your regulatory responsibilities and reputation may not be linear. Therefore, you need experienced staff, or another specialist, to review these areas, but you need to be aware of what they are doing.
Summary: Review and assessment of third parties and outsource arrangements need not be burdensome or overly complex, but it must not be forgotten or simply treated as a service arrangement. Inevitably, most arrangements of these kinds could have an impact on your firm’s customers and so have a consequential impact on your regulatory responsibilities.
Also, a third party firm may be a larger entity than your firm (e.g. the Platform) but this should not give you an unhealthy level of reassurance. Yes, the larger entity may have more resources at its disposal, but does it effectively manage its own internal risks, and the risks posed by its activities on firms like yours?
Simon Collins is managing director at RGP Compliance