Regulatory outsourcing

New resource developed following increased regulatory focus on outsourcing.

Latham & Watkins has partnered with the Association for Financial Markets in Europe (AFME) and law firms Matheson and BSP to develop: Outsourcing – Guidance on the Legal and Regulatory Framework, a pioneering resource examining the key European legislation, rules, and guidance for financial services firms to consider in relation to outsourcing.

In light of the plethora of legislative change and increasing regulatory focus on outsourcing in financial services, as well as the growing range of sources that need to be taken into account to ensure compliance in this area, the Paper is designed to provide compliance, legal, and risk teams within regulated firms with a single reference point of regulatory requirements. The resource also provides a number of practical tools to help firms effectively map out their processes and procedures for legal compliance.

Partners Nicola Higgs, Fiona Maclean, and Andrew Moyle and associates Anne Mainwaring, Jagveen Tyndall, Oscar Bjartell, Sean Wells, and Sidhartha Lal led a team of more than 25 lawyers from five Latham offices and local law firms Matheson (Ireland) and BSP (Luxembourg) to produce the Paper.

The new guidelines reflect the European Commission’s aim to provide additional certainty for regulated entities outsourcing to cloud services.

By Rob Moulton, Fiona M. Maclean, Becky Critchley and Anna Lewis-Martinez

On 3 June 2020, ESMA published a consultation paper on draft guidelines regarding outsourcing to cloud service providers.

The purpose of the proposed guidelines is to provide guidance on the outsourcing requirements applicable to firms where they outsource to cloud service providers. The draft guidelines are intended to help firms identify, address, and monitor the risks that may arise from their cloud outsourcing arrangements (from making the decision to outsource, selecting a cloud service provider, and monitoring outsourced activities, to providing for exit strategies).

UK Treasury Committee report warns that the current level and frequency of disruption and consumer harm is unacceptable.

By Carl Simon Fernandes, Nicola Higgs, Fiona M. Maclean, Christian F. McDermott, Rob Moulton, Andrew C. Moyle, Stuart Davis, and Charlotte Collins

On 28 October 2019, the Treasury Committee published a report on IT failures in the financial services sector. The report sets out the findings from the Treasury Committee’s inquiry, which was launched following a number of high-profile and significant IT incidents. (See Senior MP Calls for Regulatory Crackdown on Banks’ IT Systems: 3 Things You Can do to Prepare.) Rather than looking into specific failures, the inquiry looked more holistically at why such incidents are becoming more frequent, how firms should be guarding against and responding to these incidents, and the role of the regulators in preventing and mitigating the impact of these incidents through their rules.

Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services

Authors: Andrew Moyle, Nicola Higgs, Christian McDermott, and Kirsty Watkins.

The financial services industry is leading the way in outsourcing, with contract values in excess of US$10.7 billion in 2018, causing regulators to focus more than ever on the associated risks. Guidelines on outsourcing arrangements from the European Banking Authority (EBA), which came into effect on 30 September 2019, expand the requirements on institutions in this area, while both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are also increasing their outsourcing supervision and enforcement activity.

Latest FCA and PRA fines against a retail bank show little tolerance for poor outsourcing systems and controls.

By Fiona M. Maclean, Christian F. McDermott, Laura Holden, and Charlotte Collins

On 29 May 2019, the FCA and PRA announced that they had fined an independent UK bank for failing to manage its outsourcing arrangements properly between April 2014 and December 2016. The bank received separate fines of £775,100 from the FCA and £1,112,152 from the PRA (resulting in a combined fine of £1,887,252) for breaches of the regulators’ high-level principles for authorised firms, as well as their more detailed rules on outsourcing. Each fine includes a 30% early settlement discount.

The guidelines create new obligations for financial, payment, and electronic money institutions that will impact cloud outsourcing and deployment of FinTech.

By Fiona M. Maclean and Laura Holden

On 25 February 2019, the European Banking Authority (EBA) published a final report on its draft guidelines on outsourcing arrangements (Guidelines). The report followed the EBA’s publication of draft guidelines in June 2018 (Draft Guidelines) and the ensuing public consultation in September 2018 (Public Consultation).

The Guidelines replace the 2006 Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing (CEBS Guidelines) and replace and incorporate the EBA’s final recommendations on outsourcing to cloud service providers (Cloud Recommendations). Financial institutions will now only need to consult one set of guidelines for cloud and non-cloud outsourcing.

By Nicola Higgs, Fiona MacLean, Brett Carr, and Catherine Campbell

Technology outsourcing by financial institutions (FIs) has increased in recent years as FIs look to the latest innovations to improve their day-to-day business processes and to reduce costs. FIs outsource key functions to a host of regulated and unregulated third-party service providers, and the sector is poised for continued growth. According to research conducted by business outsourcing provider Arvato and analyst firm NelsonHall, outsourcing agreements worth £6.74 billion were agreed in the UK last year across all industries (a 9% increase on the prior year), and financial services firms signed £3.26 billion of them. With this continued growth, the outsourcing sector is increasingly likely to be a hotbed of PE deal activity; and, as regulators place a greater focus on outsource providers, deal teams should monitor regulatory engagement and policy developments.

The EBA’s draft guidelines on outsourcing will impact cloud outsourcing and institutions’ deployment of FinTech.

By Fiona Maclean, Charlotte Collins, and Terese Saplys

On 4 September 2018, a wide audience of interested individuals gathered at Canary Wharf for a public hearing (Public Consultation) to listen to what the European Banking Authority (EBA) had to say in relation to its long-awaited Draft Guidelines on Outsourcing (Draft Guidelines). The Draft Guidelines, which review the existing CEBS Guidelines on Outsourcing published in 2006 (CEBS Guidelines), are the EBA’s opportunity to refresh its recommendations on outsourcing to align more closely with the technical, political, and operational landscape banks face today. The attendees at the Public Consultation raised a number of questions which have, no doubt, given the EBA considerable food for thought. This blog post identifies and explores the key themes of the day. Beyond the key themes identified below, the Public Consultation included discussions of the issues of internal audit, reporting and registration, and supervisory oversight.

By Fiona Maclean, Stuart Davis and Charlotte Collins

Cloud services come with the promise of many benefits for the financial services sector. Cloud computing offers large-scale and cost-effective solutions for data storage and efficient processing and is also the underlying technology for many FinTech platforms. As with a lot of new technology, however, financial institutions are struggling to see how they can embrace cloud services fully in the context of the current regulatory landscape. This is particularly so given that use of cloud services is often considered a material outsourcing, meaning that banks and investment firms must follow strict rules in order to ensure that the risks posed by migrating data to the cloud are mitigated appropriately.