Introduction
Further to our recent blog exploring some of the key challenges we see firms facing when seeking authorisation as a payment service provider (PSP) by the Financial Conduct Authority (FCA), we continue to explore some key aspects of the application process where the FCA has placed intense scrutiny.
In this blog, we’ll share our insights on key aspects / expectations of the FCA in respect of firms’ use of Group businesses and outsourcing to third parties.
Where firms are part of a wider Group and/or intend to outsource certain activities to third parties as part of the business model, we often observe the FCA challenging how appropriate initial and ongoing due diligence has been or will be conducted and how these functions will be subject to oversight, including the establishment and monitoring of service levels and key performance indicators and, importantly, escalation arrangements to resolve concerns and/or compliance failings.
The regulatory requirements
The Payment Services Regulations make specific provisions regarding outsourcing, which, to be clear, includes outsourcing to Group functions and businesses. These provisions cover matters including, but not limited to:
- Outsourcing should not impair the quality of internal control or the FCA’s ability to monitor compliance;
- Outsourcing does not result in the delegation of compliance responsibility; and
- Customer relationships and outcomes are not substantially altered through such arrangements
The European Banking Authority (EBA) has also issued comprehensive Guidance that the FCA expects firms to adhere to in respect of outsourcing. The Guidance covers a whole range of areas for firms to consider, including:
- The assessment of outsourcing arrangements;
- The governance framework for outsourcing arrangements; and
- The outsourcing process itself
Our observations of common concerns
From our work with a range of firms, we have observed a number of common concerns in outsourcing arrangements, for example:
- Failure to identify some arrangements as outsourcing, especially intra-Group arrangements, and therefore not applying appropriate due diligence and oversight;
- Lack of adequate risk assessments and implementation of risk mitigants when considering the services to be outsourced;
- No/limited initial or ongoing due diligence to ensure the outsource provider can provide the necessary service in a compliant manner/to the right level of quality, and is financially sound etc.;
- Inadequate contracting arrangements, rendering firms unable to monitor the performance of their outsourced service provider, amongst other issues;
- Service Levels and/or Performance Indicators either not having been defined or, where they are, not monitored;
- No routine service meetings;
- Lack of escalation arrangements to help resolve concerns identified;
- No/limited consideration of actual or potential conflicts of interest;
- Inadequate consideration of Business Continuity arrangements; and
- No consideration of termination rights and/or exit strategies
In summary
Firms’ outsourcing arrangements, whether intra-Group or with external providers, are coming under increasing scrutiny by the FCA, both at the authorisation gateway and on an ongoing basis. This is a key area that firms must get right in order to ensure positive customer outcomes, compliance and operational resilience.
Here at KPMG, we have significant experience helping firms to review/develop their outsourcing frameworks, whether related to authorisation applications or not.
Please reach out to us if you would like to discuss how we can help you. And, please do look out for future articles as we explore some of the more granular FCA expectations on other elements of the authorisation application process.