Firms must ensure shared service suppliers have 'sufficient financial resources'

Last one out the data centre, don't switch off the lights!

IBM 26 on/off switch by cc 2.0 attribution generic

Banks, building societies and investment firms must ensure that technology companies providing critical shared services have "sufficient financial resources" to overcome financial problems, a UK regulator has said.

The Prudential Regulation Authority (PRA) said that before they outsource critical shared services firms must ensure that providers have enough resources in place to overcome financial problems the provider might face or the restructuring of firms within the provider's group.

According to the PRA, 'critical shared services' are defined as "those services that need to be available to one or more business unit of a firm or entity of a group in order to provide functions critical to the economy".

"The PRA expects a firm to ensure that the critical shared services provider has sufficient financial resources to ensure continuity of provision of critical shared services to receiving entities during stress or resolution, and after resolution, as part of the post bail-in restructuring of any group entities," the PRA said in a new paper on ensuring operational continuity in resolution (27-page / 665KB PDF).

Resolution is the process by which the authorities can intervene to manage the failure of a firm in an orderly fashion. The Bank of England, under which the PRA operates, is tasked with ensuring that where a firm fails it has minimal adverse effect on the provision of financial services and the wider UK economy.

The PRA's approach to regulation is judgment-based and not prescriptive. It expects firms to make their own judgments about whether they meet regulatory requirements and this will include taking their own assessment of whether a third party provider of critical shared services has 'sufficient financial resources' in place.

However, understands that meeting the 'sufficient financial resources' requirement will require firms to ensure prospective suppliers have sufficient capital in place to be able to absorb losses that could occur in the lead up to a resolution and have liquid assets so that they can continue to operate post-resolution. The capital and assets do not need to be held in different places.

In its paper the PRA identified risks such as temporary loss of revenue, an "expense-revenue mismatch", employee costs, restructuring and wind-down costs and the write down of intangible and relationship-specific assets as examples of risks that firms need to make sure their critical shared service provider can manage with their own financial resources "in a stressed scenario or resolution event".

Rules on outsourcing set out in the PRA Rulebook offer further clues as to how firms can satisfy themselves that the 'sufficient financial resources' requirement is met. Those rules require PRA-regulated firms to take the necessary steps to ensure that third party service providers properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing. understands that in the context of making an assessment of whether a third party service provider is financially resilient enough to carry out critical shared services, and in line with those outsourcing rules, the PRA would expect firms to undertake appropriate due diligence and undertake credit checks before entering into service arrangements with third party providers, and that firms should also consider a service provider's ability and capacity to perform the service reliably and professionally.

There is no specific exception or relief from the 'sufficient financial resources' requirement when firms outsource critical shared services to SMEs, according to the PRA's paper.

In its paper the PRA has also set out what it expects of financial firms it authorises where they outsource critical shared services to a company within the same group of companies they are part of.

In those circumstances the PRA said it "expects that, as a minimum, the critical shared services provider should be supported by capital resources (or positive net assets, as appropriate) equivalent to 25 per cent of annual fixed overheads and liquidity resources equivalent to 50 per cent of annual fixed overheads".

The PRA said that, regardless of the outsourcing model adopted, it expects firms to "remain responsible for functions that require senior management judgement or decision-making that could affect the prudential soundness or risk appetite of the regulated firm".

Last month the PRA said firms that were thinking about outsourcing critical or important functions of their business to cloud computing providers need to consult its rules, including those specifically relevant to outsourcing, and "liaise with their usual supervisory contact at the earliest opportunity".

The PRA's announcement on outsourcing to the cloud followed the publication of new guidance the Financial Conduct Authority (FCA) which has paved the way for banks, insurers and other financial services companies to take advantage of cloud computing services.

The FCA's draft guidance outlines a number of the areas regulated firms need to consider when thinking about outsourcing to the cloud, from regulatory matters, business continuity, data protection and security, to how to manage risk and ensure regulators have effective access to data.

Copyright © 2015, is part of international law firm Pinsent Masons.

Biting the hand that feeds IT © 1998–2018