Outsourcing

1.1

Unless otherwise stated, this Part applies to a CRR firm:

1. (1) with respect to the carrying on of the following from an establishment in the UK:
1. (a) regulated activities;
2. (b) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of Regulated Activities Order;
3. (c) ancillary activities;
4. (d) in relation to MiFID business, ancillary services; and
5. (e) unregulated activities in a prudential context;
2. (2) [deleted.]
3. (3) in a prudential context with respect to activities wherever they are carried on; and
4. (4) taking into account any activity of other members of a group of which the firm is a member.

1.1A

This Part does not apply to a firm with respect to the carrying on of benchmarking activities except to the extent that they transpose an EU instrument.

1.2

In this Part, the following definitions shall apply: 

authorisation

means authorisation as an authorised person for the purposes of FSMA.

critical or important operational function

means an operational function where a defect or failure in its performance would materially impair the compliance of a firm on a continuous and satisfactory basis with:

1. (1) the conditions and obligations of its permission;
2. (2) any of its other obligations under the regulatory system;
3. (3) its financial performance; or
4. (4) the performance, soundness or the continuity of its relevant services and activities.

The following functions will not be considered to be a critical or important operational function for the purposes of this Part:

1. (5) the provision to the firm of advisory services;
2. (6) any other services which do not form part of the relevant services and activities of the firm, including:
   1. (a) the provision of legal advice to the firm;
   2. (b) the training of the firm's personnel;
   3. (c) billing services; and
   4. (d) the security of the firm's premises and personnel; and
3. (7)  the purchase of standardised services, including market information services and the provision of price feeds.

2.1

A firm must:

1. (1) when relying on a third party for the performance of operational functions which are critical for the performance of relevant services and activities on a continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue additional operational risk; and
2. (2) not undertake the outsourcing of important operational functions in such a way as to impair materially:
1. (a) the quality of its internal control; and
2. (b) the ability of the PRA to monitor the firm’s compliance with all obligations under the regulatory system and, if different, of a competent authority to monitor the firm’s compliance with all obligations implemented pursuant to MiFID II.

[Note: Article 16(5) first paragraph of MiFID II]

2.1A

[Deleted]

2.1B

[Deleted]

2.1C

A firm outsourcing critical or important operational functions will remain fully responsible for discharging all of its obligations under the regulatory system and must ensure that:

1. (1) the outsourcing does not result in the delegation by senior management of its responsibility;
2. (2) the relationship and obligations of the firm towards its clients under the terms of the regulatory system are not altered;
3. (3) the conditions with which the firm must comply in order to maintain its authorisation are not undermined; and
4. (4)  none of the other conditions subject to which the firm's authorisation was granted is removed or modified.

2.1D

A firm must exercise due skill, care and diligence when entering into, managing or terminating any arrangement for the outsourcing of a critical or important operational function and must take the necessary steps to ensure that:

1. (1) the service provider has the ability, capacity, sufficient resources and appropriate organisational structure to support the performance of the outsourced functions reliably and professionally, and any authorisation required by law to perform the outsourced functions;
2. (2) the service provider carries out the outsourced services effectively and in compliance with applicable law and regulatory requirements, and to this end the firm has established methods and procedures for assessing the standard of performance of the service provider and for reviewing on an ongoing basis the services provided by the service provider;
3. (3) the service provider properly oversees the carrying out of the outsourced functions, and adequately manages the risks associated with the outsourcing;
4. (4) appropriate action is taken where it appears that the service provider may not be carrying out the functions effectively or in compliance with applicable laws and regulatory requirements;
5. (5) the firm effectively oversees the outsourced functions or services, and manages the risks associated with the outsourcing, and to this end the firm retains the necessary expertise and resources to oversee the outsourced functions effectively and manage those risks;
6. (6)  the service provider has disclosed to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
7. (7) the firm is able to terminate the arrangement for outsourcing where necessary, and with immediate effect when this is in the interests of its clients, and without detriment to the continuity and quality of its provision of services to clients;
8. (8) the service provider cooperates with the PRA and any other competent authority in connection with the outsourced functions;
9. (9)  the firm, its auditors and the PRA and any other competent authority have effective access to data related to the outsourced functions, as well as to the relevant business premises of the service provider, where necessary for the purpose of effective oversight in accordance with this rule and the PRA and any other competent authority are able to exercise those rights of access;
10. (10) the service provider protects any confidential information relating to the firm and its clients;
11. (11) the firm and the service provider establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities, where that is necessary having regard to the function, service or activity that has been outsourced; and
12. (12) the continuity and quality of the outsourced functions or services are maintained in the event of termination of the outsourcing either by the firm transferring the outsourced function or service to another third party or by performing them itself.

2.1E

A firm outsourcing critical or important operational functions must ensure that:

1. (1) the respective rights and obligations of the firm and of the service provider are clearly allocated and set out in a written agreement;
2. (2) the firm preserves its instruction and termination rights, its rights of information, and its right to inspections and access to books and premises; and
3. (3) the written agreement with the service provider only permits sub-outsourcing by the service provider with the prior written consent of the firm.

2.1F

Where a firm outsourcing critical or important operational functions and the service provider are members of the same group, the firm may, for the purposes of complying with this Part take into account the extent to which the firm controls the service provider or has the ability to influence its actions.

2.1G

A firm must be able to, upon request by the PRA, make available to the PRA all information necessary to enable the PRA to supervise the compliance of the performance of the outsourced function, service or activity with the requirements of the regulatory system.

2.2

2.3

2.4

2.5

2.6

2.7

2.8

2.9