The FCA has published a document setting out a list of questions for firms to consider as part of their preparation for the use and evaluation of third parties in the delivery of technology services that are critical to the firm’s business operations.
Among other things, the FCA highlights that the general aim of a firm’s regulatory obligations from an outsourcing perspective is that a firm appropriately manages the operational risk associated with its use of third-parties. In addition, the arrangements with third parties must not impair the regulator’s ability to regulate the firm.
The FCA identifies the following areas for firms to consider:
- the rationale behind the decision to outsource critical technology services;
- the process relating to the selection of an outsource service provider (OSP);
- the oversight and governance of the OSP;
- the operational aspects of the arrangements;
- service protection, including security measures; and
- data protection issues.