The FCA is producing a lot of consultations at the moment and it is easy to miss the significance of some of them. However, CP 24/28 is an important one for all firms. We have done a blog on its main contents but I would flag some key points.
First, the new incident reporting obligations apply to all firms. This will require a new discipline and methodology for firms to determine their operational incident reporting obligations, one which goes well beyond the traditional Principle 11 approach. As a reminder, the broad position is that a firm will need to report any incident which (1) could cause or has caused intolerable levels of harm to consumers from which consumers cannot easily recover; (2) could pose or has posed a risk to market stability, market integrity or confidence in the UK financial system; or (3) could pose or has posed a risk to the safety and soundness of the firm and/or other market participants. The FCA has given a number of examples of incidents which fall on one side of the line or the other. It should be noted that there are now rules dealing with intermediate reports and final reports, with a 30 day and 60 day long stop timing on the latter, and that there is a form for the notice. Overall, what all of this means is that some of the old debates which firms had about whether to delay a Principle 11 notification until a period for investigation had passed will no longer be possible. The regime is tougher and more prescriptive and reflects the growing awareness of operational failure risk in its various guises. My practical message is that firms will need to look at their policies and procedures and up their game in these areas when it comes to these notifications. One point the FCA also makes is that none of this replaces Principle 11, so even if no new operational incident notification needs to be made, the general notification obligation still needs to be considered.
Perhaps the equally big story here is the other piece of the consultation, relating to material third party arrangements. The FCA says that this will only apply to a sub-set of firms, and this is true, but importantly that sub-set includes both enhanced scope SMCR firms and large CASS firms, as well as banks and dual regulated firms of course. The firm must notify the FCA when it enters into or materially changes the relevant third party arrangements, and the definition of these is quite wide (broadly, arrangements which (a) cause intolerable levels of harm to the firm’s clients; (b) pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or (c) cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the Principles, or under SYSC 15A (Operational resilience)). The important point to note here is that this goes much wider than the classic outsourcing definition, as the FCA is at pains to point out, and it is also broader than ICT services for DORA purposes. The FCA accepts a read across to DORA in relation to those arrangements within its scope, but the requirements are broader. What all of this means in practice is twofold. First, we are now moving well beyond the old debates on whether a particular service is an outsourcing or not and, secondly, firms will need to get their methodology together in advance to identify all the relevant arrangements in scope. It is true that some of the DORA work will be useful, but this needs a mini-project of its own. Firms will be required to keep a register of all of the arrangements and send this to the FCA once a year.
There is an overarching point here which it is important to appreciate. We are leaving the world in which the FCA was only interested in the regulated activities under the RAO and entering a world in which it is concerned with the whole life cycle of the services and activities of regulated firms. Technology has fundamentally changed the world and the “front office” service can no longer be viewed in isolation. When one combines this with the quasi-regulation of critical service providers, this means that the industry needs to be conscious of, and prepared for, heightened supervision of this aspect of what it does.
Firms will also need to consider the extent to which their third party supplier contracts need to be amended.