Outsourcing and third-party service providers: oversight obligations

SYSC 8 of the FCA Handbook sets out the outsourcing rules for common platform firms, including firms undertaking MiFID business, and comparable obligations apply to other firm types through SYSC 13 and sector-specific sourcebook chapters. The PRA's supervisory statement SS2/21 (Outsourcing and third party risk management) provides additional detail for PRA-regulated firms. While the detailed requirements vary by firm type, the core obligations are consistent: firms must conduct adequate due diligence before entering a material outsourcing arrangement, must maintain oversight of the performance of the outsourced function, must ensure that the written contract with the service provider contains defined minimum provisions, and must have adequate contingency arrangements, including exit planning.

The materiality assessment, that is, determining whether an outsourcing arrangement is 'material' (or, in SYSC 8 terms, supports a 'critical or important' function) for regulatory purposes, is the first and most consequential step. Material arrangements attract the full suite of SYSC 8 obligations; immaterial arrangements require only proportionate oversight. The criteria for materiality include: whether the arrangement supports a function whose failure would materially impair the firm's compliance with its regulatory obligations, its financial performance, or the soundness or continuity of a regulated activity; whether failure of the service provider would have a material impact on the firm's operations or on its customers; and whether the arrangement processes regulated data or client assets. Firms frequently under-classify arrangements as immaterial, with the consequence that arrangements that are in fact material lack the required due diligence and contractual protections. The assessment should be recorded with its reasoning and revisited when the scope of the service changes, since an arrangement that was immaterial at onboarding can become material as the firm's dependence on it grows.

Mandatory contract provisions for material outsourcing under SYSC 8.1.14 include: rights for the firm, its auditors, and its regulators to access, inspect, and audit the service provider's premises and records; service level agreements specifying required performance; provisions for notification of material changes or incidents; information security and data protection obligations; and rights to terminate the arrangement and transition services in an orderly manner. The access and audit rights are the provisions most often missing from a vendor's standard terms, particularly for cloud services. For arrangements with large technology vendors whose standard contract does not include some or all of these provisions, firms should seek legal advice on whether negotiated amendments are achievable and what alternatives exist if they are not; SS2/21 contemplates, for example, reliance on pooled audits or third-party certifications where this is proportionate, but such alternatives must be assessed and documented rather than assumed.

Ongoing oversight must be more than an annual contract review. Firms should maintain a monitoring programme for material outsourcing arrangements that covers: regular review of SLA performance data; periodic assessment of the service provider's financial stability and operational resilience; review of any incidents, breaches, or changes notified by the provider; and a due diligence review, at least annually, that considers whether the arrangement remains appropriate. Sub-outsourcing by the provider of any part of the service should also be tracked, as it can change the risk profile of the arrangement without any change to the firm's own contract. The oversight programme should be documented and reported to senior management and, for material arrangements, to the board at least annually.

Exit planning and substitutability

Exit planning is frequently the most neglected element of outsourcing oversight. SYSC 8 requires firms to be able to terminate an arrangement where necessary without detriment to the continuity and quality of their services to clients, and SS2/21 expects PRA-regulated firms to maintain documented exit plans for material arrangements. For a firm that depends heavily on a single service provider for a critical function, the exit plan is a significant operational challenge, one that requires investment in documentation, data portability provisions, and technical transition planning. Exit plans should be tested periodically (at minimum as a desktop exercise), should cover both a planned exit and a stressed exit in which the provider fails or the service is withdrawn at short notice, and should be integrated into the operational resilience self-assessment for the relevant important business services.