Outsourcing

Thursday 11 January 2024

Introduction

The Prudential Regulation Authority (PRA) has put in place regulations that apply to any ‘critical operational function’ of the credit union which is outsourced to a third party. Credit unions are expected to identify any critical outsourced functions and take measures to ensure that all outsourcing is compliant with the credit union’s legal and regulatory obligations.

The Financial Conduct Authority (FCA) has also published its own outsourcing guidance, which clarifies regulatory obligations for common platform firms when outsourcing IT services to the cloud. Whilst the FCA’s rules on outsourcing only apply to credit unions (as non-common platform firms) as guidance, credit unions should read this guidance as ‘best practice,’ particularly for outsourcing cloud-based IT services to third parties.

If you have any questions or comments on this information guide, please contact your Member Relationship Manager (MRM) by emailing them directly, on info@abcul.org or by dialling 0161 832 3694.

Scope

What is a critical or important outsourced function?

An operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a credit union with the conditions and obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its regulated activities.

Applying this definition:

Credit unions need to determine which of their outsourced functions are critical or important in order to apply the requirements in this guide to those functions. Credit unions can differentiate critical and non-critical outsourced functions by considering the impact that the failure of a particular function would have on the credit union’s compliance with its regulatory obligations.

For example, the failure of a firm’s third-party accounting software to operate correctly would likely impair the credit union’s ability to monitor its compliance with prudential regulations, whilst the failure of an outsourced painting and decorating service is unlikely to affect the continuity of the credit union’s regulated activities. There is an element of judgment involved when determining whether a function is critical or important, which will depend on the nature of the function outsourced and the credit union’s dependence on that outsourcing to meet regulatory obligations.

Some areas where outsourcing may be critical:

  • Third-party banking software
  • Interaction with customers e.g. complaints handling, call centre
  • Any outsourcing which involves a third party handling customer data e.g. mailing solutions
  • Marketing material production
  • Accounting or audit functions
  • Treasury Management
  • Financially advising members

This list is non-exhaustive, and credit unions should consider the impact of all outsourced functions on their regulatory obligations. If in doubt, contact your Member Relationship Manager, who may be able to assist. However, there are certain exceptions to the outsourcing rules to be aware of.

Areas exempt from the outsourcing requirements

  • Advisory, legal advice, training, and billing services to the credit union itself
  • Security of the credit union premises and personnel
  • The purchase of standardised services including market information services and provision of price feeds.

None of these areas are subject to the below requirements.

Requirements

If a credit union outsources critical or important operational functions or any regulated activities, it remains fully responsible for discharging all of its obligations under the regulatory system and must comply with the following conditions set by the PRA:

  1. The outsourcing must not result in the delegation by senior personnel of their responsibility
  2. The relationship and obligations of the credit union towards its members under the regulatory system must not be affected
  3. The conditions with which the credit union must comply in order to be authorised, must not be undermined
  4. None of the other conditions subject to which the credit union’s authorisation was granted must be removed or modified

Essentially the credit union remains as accountable for any regulatory obligations carried out by outsourced functions as it is for internal processes and must exercise due skill, care and diligence when entering into, managing or terminating such outsourcing arrangements. A credit union also needs to consider any risks arising from any arrangement in the context of other risks. In particular, a credit union must take the necessary steps to ensure that the following conditions are satisfied:

  1. The service provider must have the ability, capacity and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally
  2. The service provider must carry out the outsourced services effectively and to this end the credit union must establish methods for assessing the standards of the service provider
  3. The service provider must properly supervise the carrying out of the outsourced functions and adequately manage the risks associated with the outsourcing
  4. Appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements
  5. The credit union must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing and must supervise those functions and manage those risks
  6. The service provider must disclose to the credit union any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements.
  7. The credit union must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to members
  8. The service provider must co-operate with the PRA in connection with the outsourced activities
  9. The credit union, its auditors and the PRA must have effective access to data related to the outsourced activities and the PRA must be able to exercise this right of access (FCA guidance suggests access to premises)
  10. The service provider must protect any confidential information related to the credit union and its members
  11. The credit union and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.

Credit unions are also required to have a written contract with the service provider which clearly sets out the respective rights and obligations of the credit union and the service provider. For example, the contract should contain terms obliging the outsourcing provider to co-operate with the regulator and disclose to the credit union any information that may impact its compliance with regulatory obligations.

Other aspects of these conditions will require due diligence to be performed on the part of the credit union to assure themselves that the provider is fully authorised and capable of performing the function to regulatory standards. Credit unions should create a policy outlining how outsourcing decisions are reached and what information would be required before entering an outsourcing agreement.

Conclusion

Credit unions need to review any outsourcing requirements they have and assess the impact that outsourcing has on their regulatory obligations. Credit unions which have outsourced critical or important operations or regulatory activities need to take additional steps described in this guide to ensure that outsourced functions meet these requirements.

If you have any questions, contact your MRM by emailing them directly, on info@abcul.org or by dialling 0161 832 3694. If ABCUL receives several enquiries about a particular outsourced function, we may add further clarification to this guide on that area.