July 26, 2017

Is outsourcing creating additional data compliance risk for FCA regulated businesses?

Many financial service organisations outsource elements of their business to other financial organisations and many more plan to according to a survey published by Goldman Sachs. The survey suggests 35% of insurance companies aim to outsource the management of their investments to third party asset management companies. Aberdeen Asset Management also cited increased outsourcing of business functions as a route to cost cutting in its takeover plans for Scottish Widows Investment Partnership.

This is good news for both outsource service providers and the outsourced company but only if managed well. While the benefits of outsourcing such as reduced staff overheads, cost and efficiency savings have been well publicised, the potential threat that suppliers can have on business continuity has received far less attention.

Securing contracts as an outsourced provider

Let’s imagine you are an outsourced provider serving a much larger financial institution and your business premises suffers a destructive fire or powerful storm that knocks down power lines. The last thing your client wants is for your disaster to impact their organisation’s operational resilience. They need you to be as resilient as they are and to have confidence that your plans are robust enough to put their minds at rest.  

Therefore, your ability to secure new outsourcing contracts with larger financial institutions will depend not only on your financial expertise but also on your ability to demonstrate business continuity and resilience to disaster.

Marcie Terman, CEO of DATAFORT, comments, “we have had a number of asset management companies come to us, whilst in the last throws of securing major outsourced contracts, asking if we can help upgrade their data backup and disaster recovery in a hurry.  Often we find ourselves actually demonstrating the service to their prospective client within a week of the request to help them secure the contract.”

Managing your outsource partners

On the other side of the coin, if you are outsourcing areas of your business to third parties while you may have a robust continuity plan is your supplier’s version aligned with it? In other words, will their plan impact on your organisation’s operational resilience?  If you don’t have answers to these questions, you could be in for a shock.

Knowing details such as how critical a supplier is to your business functions and even where you rank in importance among their other customers. Otherwise you can’t prepare for the ripple effect a supplier’s disaster might have. And when you consider that half of businesses that experience a disaster with no plan for business recovery fail within the following 12 months, it certainly makes business sense to evaluate your critical vendors’ resiliency and recovery capabilities. It may even have legal implications, especially if you’re a FCA registered company.

FCA regulatory requirements

FCA registered companies outsourcing to third parties need to ensure their outsourced supplier’s recovery capabilities meet the regulatory requirements set by the FCA.  These guidelines covered in the FCA Handbook SYSC 8.1.8 state: “the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.”

Failure to meet these guidelines can have serious implications and carry some pretty hefty fines.

So, whichever sign of the coin you are on in your relationship with other financial providers you need to consider carefully whether your business and data recovery procedure and technology are up to scratch.

To find out more about protecting your data, contact DATAFORT on 0800 454435 or go to contact us on our website.