FCA guidance for firms thinking of using third-party technology (off-the-shelf) banking solutions


[author: Nichola Prescott]

The Financial Conduct Authority has published a document setting out a list of points for financial services firms to consider when preparing for and evaluating third-party technology banking solutions.

Where a third party provides services which are critical to a regulated firm’s business operation, it will be considered an outsource service provider (“OSP”) and the firm will be subject to certain regulatory obligations as a result.

Primarily, firms must meet the FCA’s “appropriate resource” and “suitability” threshold requirements set out in COND 2.4 and 2.5 respectively, and comply with the general outsourcing requirements set out at SYSC 8.1. The FCA document reminds firms of the overall aim of the regulatory objectives with regard to outsourcing, namely that:

  • firms must appropriately manage and remain responsible for the operational risk associated with their use of third parties; and
  • the arrangements with third parties must not impair the regulator’s ability to regulate the firm.

The publication addresses six main areas for assessment by firms considering the use of third-party technology, each of which is then further defined by reference to a series of questions for firms to ask themselves as a checklist of their own “thinking” in connection with satisfying their regulatory objectives. The six principal areas cover:

  • the rationale behind the decision to outsource the delivery of critical technology services;
  • the selection of the OSP and the solution;
  • oversight and governance of the OSP, including service levels;
  • operational elements, including support and maintenance, quality and incident management;
  • service protection, including security, disaster recovery and testing; and
  • data protection.

The document makes clear that the questions are not exhaustive (either of the points that firms should consider in preparing third-party arrangements, or of the points that the regulator(s) will consider when assessing an application for the delivery of regulated services), so each firm will need to consider its own specific requirements, internal operation and other relevant issues. However, the document will be helpful in structuring that process, and also potentially useful in identifying the “right” terms to be included in any relevant contract.

The document is available at http://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising
