The UK Financial Conduct Authority (FCA) is telling firms that more due diligence and oversight must be performed when outsourcing any IT work, including email archiving, system backups and customer relationship management systems.
When outsourcing certain functions, GPs must adhere to a set of rules known as the General Outsourcing Senior Management Arrangements, Systems and Controls (SYSC). Outsourced IT functions were not believed to be subject to these rules, but the FCA clarified in updated guidance last month that they are.
The changes will likely have a significant impact on what type of due diligence and oversight GPs must perform when choosing a third party IT service provider.
Regulated managers often delegate IT work to “the lowest bidder or the founder’s nephew,” said James Hogbin, founder of IP Sentinel, an IT provider for the fund management industry. “This is because IT was perceived as not being a regulated function.”
As a result of the rule reform, GPs will need to investigate third party IT providers, gathering information on, among other areas, their financial and service competence, potential conflicts of interest, politically connected employees, pay policy, staff training, and anti-money laundering processes.
Moreover, the FCA expects GPs to understand how the outsourced function is being delivered and whether it is compliant with all the relevant regulations.