SYSC 8

Outsourcing

SYSC 8.1

General outsourcing requirements

SYSC 8.1.1

See Notes

handbook-rule

A common platform firm must:

  1. (1) when relying on a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services (in this chapter "relevant services and activities") on a continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue additional operational risk;
  2. (2) not undertake the outsourcing of important operational functions in such a way as to impair materially:
    1. (a) the quality of its internal control; and
    2. (b) the ability of the FSA to monitor the firm's compliance with all obligations under the regulatory system and, if different, of a competent authority to monitor the firm's compliance with all obligations under MiFID.

[Note: article 13(5) first paragraph of MiFID]

SYSC 8.1.1A

See Notes

handbook-guidance
Other firms should take account of the outsourcing rule (SYSC 8.1.1 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.2

See Notes

handbook-guidance
The application of SYSC 8.1 to relevant services and activities (see SYSC 8.1.1 R (1)) is limited by SYSC 1 Annex 1 (Part 2) (Application of the common platform requirements).

SYSC 8.1.3

See Notes

handbook-guidance
SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Except in relation to those functions described in SYSC 8.1.5 R, where a firm relies on a third party for the performance of operational functions which are not critical or important for the performance of relevant services and activities (see SYSC 8.1.1 R (1)) on a continuous and satisfactory basis, it should take into account, in a manner that is proportionate given the nature, scale and complexity of the outsourcing, the rules in this section in complying with that requirement.

SYSC 8.1.4

See Notes

handbook-rule

For the purposes of this chapter an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a common platform firm with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities.

[Note: article 13(1) of the MiFID implementing Directive]

SYSC 8.1.5

See Notes

handbook-rule

Without prejudice to the status of any other function, the following functions will not be considered as critical or important for the purposes of this chapter:

  1. (1) the provision to the firm of advisory services, and other services which do not form part of the relevant services and activities of the firm, including the provision of legal advice to the firm, the training of personnel of the firm, billing services and the security of the firm's premises and personnel;
  2. (2) the purchase of standardised services, including market information services and the provision of price feeds;

[Note: article 13(2) of the MiFID implementing Directive]

  1. (3) the recording and retention of relevant telephone conversations or electronic communications subject to COBS 11.8.

SYSC 8.1.5A

See Notes

handbook-guidance
Other firms should take account of the critical functions rules (SYSC 8.1.4 R and SYSC 8.1.5 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.6

See Notes

handbook-rule

If a firm outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system and must comply, in particular, with the following conditions:

  1. (1) the outsourcing must not result in the delegation by senior personnel of their responsibility;
  2. (2) the relationship and obligations of the firm towards its clients under the regulatory system must not be altered;
  3. (3) the conditions with which the firm must comply in order to be authorised, and to remain so, must not be undermined;
  4. (4) none of the other conditions subject to which the firm's authorisation was granted must be removed or modified.

[Note: article 14(1) of the MiFID implementing Directive]

SYSC 8.1.7

See Notes

handbook-rule

A common platform firm must exercise due skill and care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any relevant services and activities.

[Note: article 14(2) first paragraph of the MiFID implementing Directive]

SYSC 8.1.8

See Notes

handbook-rule

A common platform firm must in particular take the necessary steps to ensure that the following conditions are satisfied:

  1. (1) the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
  2. (2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;
  3. (3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
  4. (4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
  5. (5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing,and must supervise those functions and manage those risks;
  6. (6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
  7. (7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
  8. (8) the service provider must co-operate with the FSA and any other relevant competent authority in connection with the outsourced activities;
  9. (9) the firm, its auditors, the FSA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FSA and any other relevant competent authority must be able to exercise those rights of access;
  10. (10) the service provider must protect any confidential information relating to the firm and its clients;
  11. (11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.

[Note: article 14(2) second paragraph of the MiFID implementing Directive]

SYSC 8.1.9

See Notes

handbook-rule

A common platform firm must ensure that the respective rights and obligations of the firm and of the service provider are clearly allocated and set out in a written agreement.

[Note: article 14(3) of the MiFID implementing Directive]

SYSC 8.1.10

See Notes

handbook-rule

If a common platform firm and the service provider are members of the same group, the firm may, for the purpose of complying with SYSC 8.1.7 R to SYSC 8.1.11 R and SYSC 8.2 and SYSC 8.3, take into account the extent to which the common platform firm controls the service provider or has the ability to influence its actions.

[Note: article 14(4) of the MiFID implementing Directive]

SYSC 8.1.11

See Notes

handbook-rule

A common platform firm must make available on request to the FSA and any other relevant competent authority all information necessary to enable the FSA and any other relevant competent authority to supervise the compliance of the performance of the outsourced activities with the requirements of the regulatory system.

[Note: article 14(5) of the MiFID implementing Directive]

SYSC 8.1.11A

See Notes

handbook-guidance
Other firms should take account of the outsourcing of important operational functions rules (SYSC 8.1.7 R to SYSC 8.1.11 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.12

See Notes

handbook-guidance

As SUP 15.3.8 G explains, a firm should notify the FSA when it intends to rely on a third party for the performance of operational functions which are critical or important for the performance of relevant services and activities on a continuous and satisfactory basis.

[Note: recital 20 of the MiFID implementing Directive]

SYSC 8.2

Outsourcing of portfolio management for retail clients to a non-EEA State

SYSC 8.2.1

See Notes

handbook-rule
  1. (1) In addition to the requirements set out in the MiFID outsourcing rules, when a MiFID investment firm outsources the investment service of portfolio management to retail clients to a service provider located in a non-EEA state, it must ensure that the following conditions are satisfied:
    1. (a) the service provider must be authorised or registered in its home country to provide that service and must be subject to prudential supervision;
    2. (b) there must be an appropriate cooperation agreement between the FSA and the supervisor in the non-EEA state;
    3. (in this chapter the "conditions").
      1. [Note: article 15(1) of the MiFID implementing Directive]
  2. (2) In addition to complying with the common platform outsourcing rules, if one or both of the conditions are not satisfied, a MiFID investment firm may enter into such an outsourcing only if it gives prior notification in writing to the FSA containing adequate details of the proposed outsourcing and the FSA does not object to that arrangement within a reasonable time following receipt of that notification.
      1. [Note: article 15(2) and (4) of the MiFID implementing Directive]
  3. (3) For the purposes of this rule a "reasonable time" is within one month of receipt of a notification. However, the FSA may seek further information from the MiFID investment firm in relation to the outsourcing proposal if this is necessary to enable the FSA to make a decision. Any effect this may have on the FSA's response time will be notified to the MiFID investment firm and that revised response time will constitute a reasonable time for the purposes of this rule.

SYSC 8.2.2

[intentionally blank]

SYSC 8.2.3

See Notes

handbook-guidance
The conditions do not apply if the outsourcing only concerns ancillary activities connected with portfolio management, for example IT processes or execution only activities.

SYSC 8.2.4

See Notes

handbook-guidance
If a firm has received no notice of objection or no request for further information from the FSA within one month of the FSA receiving the notification, it may outsource the portfolio management on the basis set out in the notification.

SYSC 8.2.5

See Notes

handbook-guidance
The FSA would use its powers under section 45 of the Act to vary a firm's permission if it objected to such a notification.

Notification requirements: timing of notification

SYSC 8.2.6

See Notes

handbook-guidance
A firm should only make an outsourcing proposal notification to the FSA after it has carried out due diligence on the service provider and has had regard to the guidance set out in SYSC 8.3. The FSA will expect a firm to only submit an outsourcing proposal notification in respect of a service provider that the firm has determined is suitable to carry on the outsourcing activity.

Notification requirements: content

SYSC 8.2.7

See Notes

handbook-guidance
The guidance set out in SYSC 8.3 includes information on what the FSA will expect a firm to check before the submission of a notification.

SYSC 8.2.8

See Notes

handbook-guidance

A notification under this section should include:

  1. (1) details on which of the conditions is not met;
  2. (2) if applicable, details and evidence of the service provider's authorisation or regulation including the regulator's contact details;
  3. (3) the firm's proposals for meeting its obligations under this chapter on an ongoing basis;
  4. (4) why the firm wishes to outsource to the service provider;
  5. (5) a draft of the outsourcing agreement between the service provider and the firm;
  6. (6) the proposed start date of the outsourcing; and
  7. (7) confirmation that the firm has had regard to the guidance in SYSC 8.3, or if it has not, why not.

Notification requirements additional guidance

SYSC 8.2.9

See Notes

handbook-guidance
Where the FSA has not objected to the outsourcing agreement, the firm should have regard to its obligations under SUP 15 which include making the FSA aware of any matters which could affect the firm's ability to provide adequate services to its customers or could result in serious detriment to its customers or where there has been material change in the information previously provided to the FSA in relation to the outsourcing.

SYSC 8.3

Guidance on outsourcing portfolio management for retail clients to a non-EEA State

SYSC 8.3.1

See Notes

handbook-guidance
This guidance is relevant regardless of whether a firm outsources portfolio management directly or indirectly via a third party. However, firms should note that they may notify a secondary or indirect outsourcing in the same notification as the direct outsourcing.

SYSC 8.3.2

See Notes

handbook-guidance

This guidance sets out examples of the type of actions that a firm proposing to outsource should have undertaken when assessing the suitability of the service provider and its ability to carry on the outsourced activity.

[Note: article 15(3) of the MiFID implementing Directive]

SYSC 8.3.3

See Notes

handbook-guidance
If a firm can demonstrate that it has taken the following guidance into account and has satisfactorily concluded that it would be able to continue to satisfy the common platform outsourcing rules and provide adequate protection for consumers despite not satisfying the conditions, the FSA would not be likely to object to that outsourcing.

SYSC 8.3.4

See Notes

handbook-guidance
If the outsourcing allows the service provider to sub-contract any of the services to be provided under the outsourcing, any such sub-contracting shall not affect the service provider's responsibilities under the outsourcing agreement.

SYSC 8.3.5

See Notes

handbook-guidance
The outsourcing agreement should entitle the firm to terminate the outsourcing if the service provider undergoes a change of control or becomes insolvent, goes into liquidation or receivership (or equivalent in its home state) or is in persistent material default under the agreement.

SYSC 8.3.6

See Notes

handbook-guidance

The following should be taken into account where the service provider is not authorised or registered in its home country and/or not subject to prudential supervision.

  1. (1) The firm should examine, and be able to demonstrate, to what extent the service provider may be subject to any form of voluntary regulation, including self-regulation in its home state.
  2. (2) The firm should be able to satisfy the FSA that the service provider is committed for the term of the outsourcing agreement to devoting sufficient, competent resources to providing the service.
  3. (3) In addition to the requirement to ensure that a service provider discloses any developments that may have a material impact on its ability to carry out the outsourcing (SYSC 8.1.8 R (6)), where the conditions are not met the developments to be disclosed should include, but are not limited to:
    1. (a) any adverse effect that any laws or regulations introduced in the service provider's home country may have on its carrying on the outsourced activity; and
    2. (b) any changes to its capital reserve levels or its prudential risks.
  4. (4) The firm should satisfy itself that the service provider is able to meet its liabilities as they fall due and that it has positive net assets.
  5. (5) The firm should require that the service provider prepares annual reports and accounts which:
    1. (a) are in accordance with the service provider's national law which, in all material respects, is the same as or equivalent to the international accounting standards;
    2. (b) have been independently audited and reported on in accordance with the service provider's national law which is the same as or equivalent to international auditing standards.
  6. (6) The firm should receive copies of each set of the audited annual report and accounts of the service provider. If the service provider expects or knows its auditor will qualify his report on the audited report and accounts, or add an explanatory paragraph, the service provider should be required to notify the firm without delay.
  7. (7) The firm should satisfy itself, and be able to demonstrate, that it has in place appropriate procedures to ensure that it is fully aware of the service provider's controls for protecting confidential information.
  8. (8) In addition to the requirement at SYSC 8.1.8 R (10) that the service provider must protect any confidential information relating to the firm or its clients, the outsourcing agreement should require the service provider to notify the firm immediately if there is a breach of confidentiality.
  9. (9) The outsourcing agreement should be governed by the law and subject to the jurisdiction of an EEA state.

SYSC 8.3.7

See Notes

handbook-guidance

The following should be taken into account by a firm where there is no cooperation agreement between the FSA and the supervisory authority of the service provider or there is no supervisory authority of the service provider.

  1. (1) The outsourcing agreement should ensure the firm can provide the FSA with any information relating to the outsourced activity the FSA may require in order to carry out effective supervision. The firm should therefore assess the extent to which the service provider's regulator and/or local laws and regulations may restrict access to information about the outsourced activity. Any such restriction should be described in the notification to be sent to the FSA.
  2. (2) The outsourcing agreement should require the service provider to provide the firm's offices in the United Kingdom with all requested information required to meet the firm's regulatory obligations. The FSA should be given an enforceable right under the agreement to obtain such information from the firm and to require the service provider to provide the information directly.