The relative importance of each of these criteria depends on the client's overall business scenario for the outsourcing project and the nature of the relevant services. Outsourcing does not force managers to delegate their responsibilities. Companies are required to provide us with information so that we can monitor their compliance with regulatory obligations. Compliance with principle 11 implies that a company discloses to us everything that relates to the company and that may have serious regulatory implications (SUP 15.3.8). These include reporting requirements for critical, significant or material outsourcing (SYSC 8.1.12) and (SYSC 13.9.2). The UK government has not taken an active or interventionist approach to outsourcing in the UK. In the past, there has been concern about the impact of offshoring on employment, but this is not a major political issue affecting the market. There are also a number of concerns regarding visas for foreign employees of outsourced suppliers and the tax status of individual entrepreneurs providing services to UK companies. At the commencement of an outsourcing agreement, Customer licenses to Supplier all intellectual property it needs to provide the Services. The scope of the license is generally limited to the provision of the service to the customer. In some cases where the supplier purchases existing operations to provide services to both third parties and the customer, it is possible that this intellectual property will be transferred to the supplier or that the scope of the license will be broader.
Registered intellectual property is subject to notification and registration procedures. In the UK, the Financial Conduct Authority (FCA), the Bank of England and the Prudential Regulation Authority (PRA) issued policy statements and rules on operational resilience in March 2021. In addition, the PRA has issued a prudential statement on outsourcing and risk management for third parties. In general, these statements apply to certain companies regulated by UK financial regulators: these include banks, building societies, credit unions, insurers, financial market infrastructure providers, payment and e-money institutions, large investment firms, mixed-activity holding companies and UK branches of certain foreign companies. For other FCA-approved financial services firms, the FCA has previously issued FG 16/5 guidance for firms outsourcing to the cloud and other third-party IT services. The FCA Handbook Glossary contains the definition of outsourcing. In most cases, a company would outsource if it is a party to an agreement under which a service provider performs a process, service or activity on behalf of a company that the company would otherwise perform itself. For example, a company may outsource the hosting of a data center or business process to a third party.
This supervisory statement sets out the expectations of the Prudential Regulation Authority (PRA) on how PRA-regulated firms should comply with regulatory requirements and expectations for third-party outsourcing and risk management. MiFID investment firms may use this list to assess their compliance with Article 32(1) of the MiFID Organisational Regulation. Companies should also consider the outsourcing requirements of Articles 30 and 31 of MiFID Org and SYSC 8 of our Handbook. Financial institutions around the world are using Amazon Web Services (AWS) to transform the way they do business. Regulations in this area are constantly evolving, and we are working hard to help our clients proactively respond to new rules and policies. In many cases, the AWS Cloud makes it easier than ever to support customers in their efforts to comply with different regulations and frameworks around the world. The statements aim to ensure greater operational resilience of UK financial institutions and, in the case of PRA outsourcing documents, to facilitate greater adoption of cloud and other emerging technologies, while implementing the European Banking Authority's (EBA) guidelines on outsourcing arrangements and relevant sections of the EBA guidelines on ICT and security risk management. (See the AWS approach to these EBA guidelines in this blog post.) Due to the long-term nature of outsourcing relationships, it is important that a detailed and practical change process is in place to ensure that the contract is flexible enough to accommodate changing requirements.
In many cases, the contract provides for both operational changes and contractual change processes, and it is important that there be both price certainty and transparency about the costs of the change. Other entities should consider the outsourcing rule (SYSC 8.1.1 R) as if it were guidelines (and as if it should appear in this rule instead of “shall”), as explained in SYSC 1 Annex 1 3.3R(1). Your company is responsible for all regulatory responsibilities that apply to outsourcing and third-party service contracts. Companies may not delegate any part of this responsibility to third parties. While there are some cases where the supplier and the client or a number of clients form a joint venture (JV) for outsourcing services, in most cases the outsourcing agreement is concluded through a commercial contract between the client and the supplier (either a single source or a multi-supplier agreement – see below). The EBA Guidelines on Outsourcing (EBA/GL/2019/02) apply to credit institutions and investment firms subject to the EU Capital Requirements Directive (2013/36/EU). These are IFPRU banks, mortgage companies and investment companies as defined in our manual. The guidelines also apply to payment institutions and electronic money institutions. They do not apply to account information service providers that only provide the service referred to in point 8 of Annex I to PSD2. The PRA expects the final policy of the outsourcing document to be published in late 2020 and proposals to be implemented shortly thereafter.
UK Finance looks forward to working with members and authorities to respond to the outsourcing paper before the 3 April 2020 deadline. For AWS and our customers, the key takeaway is that these statements provide a regulatory framework for using the cloud resiliently. In particular, the PRA outsourcing document sets out the conditions that can give PRA-regulated companies the peace of mind that they can deploy securely and resiliently in the cloud, including for tangible, regulated workloads.

