The UK’s Financial Conduct Authority (FCA) recently published a nonexhaustive checklist of questions for regulated firms to consider when outsourcing critical information technology (IT) services. This comprehensive approach to good vendor procurement and risk management practices is similar to the guidance provided by the U.S. Office of the Comptroller of the Currency.
The FCA provided an extensive list of specific outsourcing issues, such as the degree of data interoperability and security and whether there is an exit plan with details of how the firm will retrieve its data. In addition, the checklist presents general aims and expectations, including that a regulated firm will
- manage the operational risk associated with vendor arrangements;
- ensure the delivery of effective, resilient, secure, and strategic IT services;
- adequately evaluate and prepare for service providers;
- arrange for ongoing oversight and risk management; and
- retain full accountability for all of its responsibilities.
Accordingly, a thorough services agreement can be valuable for regulatory compliance as well as for allocating rights, responsibilities, risks, and rewards between the parties.