Specific FSA rules on outsourcing are found in Chapter 8 of the Senior Management Arrangements, Systems and Controls sourcebook (SYSC 8). They implement the outsourcing requirements of Directive 2004/39/EC on markets in financial instruments (MiFID). These mandatory rules apply to common platform firms (broadly, firms within the scope of MiFID and/or Directive 2006/49/EC on the capital adequacy of investment firms and credit institutions). However, all FSA-regulated firms which are not common platform firms (other than insurers, Lloyd’s and underwriters on Lloyd’s) must treat the SYSC 8 rules as guidance.
Central to the rules are specific requirements in relation to outsourcing of critical or important functions. A function is deemed to be critical or important if a defect or failure in its performance would materially impair:
- The firm’s financial performance.
- The firm’s ability to comply with its conditions of authorisation and regulatory obligations.
- The soundness or continuity of its services and activities.
FSA guidance also provides that, when outsourcing functions are not critical or important, firms should take the SYSC 8 rules into account in a manner proportionate to the nature, scale and complexity of the outsourcing.
SYSC 8 rules impose requirements on, among other things:
- the due diligence to be undertaken in relation to a proposed supplier;
- the outsourcing contract’s terms; and
- the basis on which the FSA-regulated firm should supervise the outsourced functions and manage the risk of the outsourcing.
There are additional requirements for firms that outsource portfolio management for retail clients to a supplier in a non-EEA state.