Everyone involved with IT in the financial services sector - both
in-house teams with outsourced arrangements and suppliers of IT and
outsourcing services - will find themselves affected by the
introduction of important European legislation in November. This
legislation is generally known as Mifid - short for the Markets in
Financial Instruments Directive.
The aim of this article is to set out the basic elements of the
Mifid rules on outsourcing so that when Mifid is implemented within
the UK, those affected will be less likely to get a nasty surprise.
Most importantly, some ideas need challenging from the outset.
Mifid covers the documentation and decision-making process
behind financial trading. Many organisations' technology
departments are less advanced than perhaps they should be because
there have been greater priorities when it comes to Mifid - meaning
that internal communication about less critical areas may not have
been a priority within the firm to date.
From a supplier's perspective, the tendency - even if the
supplier knew about Mifid - has been to let sleeping dogs lie and
not risk stirring up trouble for itself. The combination of these
factors makes it likely there will be a last minute rush to comply
with Mifid rules on outsourcing once the top priorities are crossed
off compliance teams' lists and attention turns to areas such as
the specific outsourcing rules.
The first misconception is that Mifid is not relevant to banks
or insurers. In fact, Mifid applies to those involved with almost
any kind of financial institution - apart from organisations that
only lend or receive money and those that only do insurance.
In the UK, however, Mifid will also apply to those that only lend
or receive money - with the result that in the UK the Mifid rules
will basically apply to everyone except for any company that does
nothing apart from insurance.
I suspect that even those financial institutions that do nothing
apart from insurance will tend to apply the Mifid rules, so that
they are less likely to be criticised should problems ever emerge
with their outsourced relationships.
And in the short term at least, many cautious organisations
covered by Mifid are likely to continue to apply the old rules of
the Financial Services Authority (FSA) regarding outsourcing - they
are accustomed to them and they will feel more likely to be beyond
criticism if they do, especially as these are, essentially, the
rules that apply to insurers and which, therefore, still exist in a
different part of the FSA's handbook.
The second misconception is that Mifid will only affect future
outsourcing arrangements. Unfortunately, this is not correct - all
arrangements, including existing arrangements, must comply with
these rules as from 1 November. Those who are not quite sure what
their existing deals say might want to start looking for copies of
the contracts before it is too late.
The third misconception is that Mifid is only an issue for
banks, custodians, exchanges, investment advisers etc, but not for
suppliers. This is true in the sense that a supplier is not going
to be obliged by Mifid itself to change its behaviour or its
contracts.
However, suppliers need to be prepared for financial institutions'
likely behaviour on future contract negotiations and, worse still,
should not be surprised if such companies come to them seeking to
amend existing arrangements. Agreeing to changes to existing deals
is likely to be the price of continuing to do business in this
sector, as the rules apply to existing outsourced arrangements
too.
The fourth misconception is that Mifid affects only "true"
outsourcing arrangements and that, for example, group shared
services are not covered. Again this is wrong - the rules apply to
arrangements where companies within a group provide services to
each other. The degree of control and influence that exists over
the "supplier" can be considered in deciding how to comply with
some of the more detailed rules (not all of them), but this will be
a careful judgment to make in a particular case.
The fifth and final misconception is that Mifid will only apply
to "critical" or "important" functions. The FSA has decided that
these rules should be applied to all outsourcing arrangements -
though they should be applied "proportionately" to functions that
are not critical or important. Again, this will require a careful
judgment call and, in the short term at least, most organisations
are likely to be more cautious and err towards applying the rules
in full to every situation.
Turning to the rules themselves, at the highest level Mifid sets
out that a financial institution's senior management, despite
outsourcing, remain responsible to the FSA in the same way they
always would have been. It states that the relationship that exists
towards its clients cannot be altered in any way and, more
fundamentally, that the basis of the FSA's authorisation of the
financial institution cannot be undermined in any way.
Moving down a level of detail - and these are aims that are
harder to achieve in practice - the organisation has to ensure that
it retains enough expertise in-house to supervise the outsourced
function and that if it terminates any outsourcing deal there is no
impact on its customers.
Good detailed provisions relating to termination assistance will
certainly go a long way towards being able to say at the time of
signing an outsourcing deal that everything that can be done has
been done to protect customers. However, this should not be
confused with actually ensuring there is no impact in practice -
there is no easy fix.
Additionally, outsourcing deals in the financial services sector
are - because of the VAT savings that can result - more likely than
in other sectors to extend to functions other than IT, even where
IT was the major driver in the decision to outsource. This is
likely to increase the practical difficulty of complying with these
particular obligations for many organisations.
At the next level of detail, a supplier has to have the ability
to perform reliably and professionally, must perform effectively,
must supervise the activities properly, co-operate with regulators,
provide access to data and premises to regulators, auditors and
users, and ensure that confidentiality is respected.
In all of these areas a supplier has to expect the financial
services business to include contractual provisions as the first
stage - and then to check up on compliance with them. One area
where contractual provisions will be included is disaster recovery,
where Mifid makes it an obligation to spell out in the contract -
and to test - what the disaster recovery arrangements are.
At the most micro level there will now certainly be a written
contract setting out what rights and obligations exist - that is a
rule - though, hopefully, that would have been the case anyway.
The first way in which a supplier is likely to become aware of
Mifid is an increase in audit activity by users to ensure that a
supplier is complying with these various obligations. Leaving aside
various specific monitoring obligations contained within the rules,
there is an overriding obligation on a financial institution to use
due skill, care and diligence when entering new deals, managing
deals and terminating every deal. Organisations are also required
to have systems in place to assess performance, supervise what is
going on and to take action if there is a problem.
While this overriding obligation should not alter what any
organisation ought to be doing anyway, there is the prospect -
especially in the early days of Mifid - that it will alter the way
in which it goes about being seen to have acted, which tends to
mean an increase in monitoring processes and in documenting
activities and discussions.
Finally, there are two specific provisions within Mifid that may
cause a supplier more difficulty or discomfort. The first is that
the supplier will be obliged to disclose anything that may have a
material impact on its ability to perform the services effectively
and in accordance with all legal and regulatory requirements. This
is effectively an obligation to report itself even before something
goes wrong, rather than just quietly trying to avoid the problem or
to fix it and hope no one notices.
The second provision is the not unreasonable obligation for a
supplier to have any authorisation required by law for its
activities. Where a supplier has moved beyond pure IT outsourcing
it may well have moved into the area of regulated activity, if
viewed literally.
While some of these rules are going to cause some concern, they
are not too surprising or too difficult to comply with. However,
all concerned will struggle if this is left until the last minute.
Now is the time to start work to ensure that the day of Mifid does
not result in nasty surprises.
Comment on this article:
computer.weekly@rbi.co.uk