Everyone involved with IT in the financial services sector - both in-house teams with outsourced arrangements and suppliers of IT and outsourcing services - will find themselves affected by the introduction of important European legislation in November. This legislation is generally known as Mifid - short for the Markets in Financial Instruments Directive.
The aim of this article is to set out the basic elements of the Mifid rules on outsourcing so that when Mifid is implemented within the UK, those affected will be less likely to get a nasty surprise. Most importantly, some ideas need challenging from the outset.
Mifid covers the documentation and decision-making process behind financial trading. Many organisations' technology departments are less advanced than perhaps they should be because there have been greater priorities when it comes to Mifid - meaning that internal communication about less critical areas may not have been a priority within the firm to date.
From a supplier's perspective, the tendency - even if the supplier knew about Mifid - has been to let sleeping dogs lie and not risk stirring up trouble for itself. The combination of these factors makes it likely there will be a last minute rush to comply with Mifid rules on outsourcing once the top priorities are crossed off compliance teams' lists and attention turns to areas such as the specific outsourcing rules.
The first misconception is that Mifid is not relevant to banks or insurers. However, Mifid applies to those involved with almost any kind of financial institution - apart from organisations that only lend or receive money and those that only do insurance.
However, in the UK Mifid will apply to those that only lend or receive money - with the result that in the UK the Mifid rules will basically apply to everyone except for any company that does nothing apart from insurance.
I suspect that even those financial institutions that do nothing apart from insurance will tend to apply the Mifid rules, so that they are less likely to be criticised should problems ever emerge with their outsourced relationships.
And in the short term at least, many cautious organisations covered by Mifid are likely to continue to apply the old rules of the Financial Services Authority (FSA) regarding outsourcing - they are accustomed to them and they will feel more likely to be beyond criticism if they do, especially as these are, essentially, the rules that apply to insurers and which, therefore, still exist in a different part of the FSA's handbook.
The second misconception is that Mifid will only affect future outsourcing arrangements. Unfortunately, this is not correct - all arrangements, including existing arrangements, must comply with these rules as from 1 November. Those who are not quite sure what their existing deals say might want to start looking for copies of the contracts before it is too late.
The third misconception is that Mifid is only an issue for banks, custodians, exchanges, investment advisers etc, but not for suppliers. This is true in the sense that a supplier is not going to be obliged by Mifid itself to change its behaviour or its contracts.
However, suppliers need to be prepared for financial institutions' likely behaviour in future contract negotiations and, worse still, should not be surprised if such companies come to them seeking to amend existing arrangements. Agreeing to changes to existing deals is likely to be the price of continuing to do business in this sector, as the rules apply to existing outsourced arrangements too.
The fourth misconception is that Mifid affects only "true" outsourcing arrangements and that, for example, group shared services are not covered. Again this is wrong - the rules apply to arrangements where companies within a group provide services to each other. The degree of control and influence that exists over the "supplier" can be considered in deciding how to comply with some of the more detailed rules (not all of them), but this will be a careful judgment to make in a particular case.
The fifth and final misconception is that Mifid will only apply to "critical" or "important" functions. The FSA has decided that these rules should be applied to all outsourcing arrangements - though they should be applied "proportionately" to functions that are not critical or important. Again, this will require a careful judgment call and, in the short term at least, most organisations are likely to be more cautious and err towards applying the rules in full to every situation.
Turning to the rules themselves, at the highest level Mifid sets out that a financial institution's senior management, despite outsourcing, remain responsible to the FSA in the same way they always would have been. It states that the relationship that exists towards its clients cannot be altered in any way and, more fundamentally, that the basis of the FSA's authorisation of the financial institution cannot be undermined in any way.
Moving down a level of detail - and these are aims that are harder to achieve in practice - the organisation has to ensure that it retains enough expertise in-house to supervise the outsourced function and that if it terminates any outsourcing deal there is no impact on its customers.
Good detailed provisions relating to termination assistance will certainly go a long way towards being able to say at the time of signing an outsourcing deal that everything that can be done has been done to protect customers. However, this should not be confused with actually ensuring there is no impact in practice - there is no easy fix.
Additionally, outsourcing deals in the financial services sector are - because of the VAT savings that can result - more likely than in other sectors to extend to functions other than IT, even where IT was the major driver in the decision to outsource. This is likely to increase the practical difficulty of complying with these particular obligations for many organisations.
At the next level of detail, a supplier has to have the ability to perform reliably and professionally, must perform effectively, must supervise the activities properly, co-operate with regulators, provide access to data and premises to regulators, auditors and users, and ensure that confidentiality is respected.
In all of these areas a supplier has to expect the financial services business to include contractual provisions as the first stage - and then to check up on compliance with these rules. One area where contractual provisions will be included is disaster recovery, where Mifid makes it an obligation to spell out in the contract - and to test - what the disaster recovery arrangements are.
At the most micro level there will now certainly be a written contract setting out what rights and obligations exist - that is a rule - though, hopefully, that would have been the case anyway.
The first way in which a supplier is likely to become aware of Mifid is an increase in audit activity by users to ensure that a supplier is complying with these various obligations. Leaving aside various specific monitoring obligations contained within the rules, there is an overriding obligation on a financial institution to use due skill, care and diligence when entering new deals, managing deals and terminating every deal. Organisations are also required to have systems in place to assess performance, supervise what is going on and to take action if there is a problem.
While this overriding obligation should not alter what any organisation ought to be doing anyway, there is the prospect - especially in the early days of Mifid - that it will alter the way in which it goes about being seen to have acted, which tends to mean an increase in monitoring processes and in documenting activities and discussions.
Finally, there are two specific provisions within Mifid that may cause a supplier more difficulty or discomfort. The first is that the supplier will be obliged to disclose anything that may have a material impact on its ability to perform the services effectively and in accordance with all legal and regulatory requirements. This is effectively an obligation to report itself even before something goes wrong, rather than just quietly trying to avoid the problem or to fix it and hope no one notices.
The second provision is the not unreasonable obligation for a supplier to have any authorisation required by law for its activities. Where a supplier has moved beyond pure IT outsourcing it may well have moved into the area of regulated activity, if viewed literally.
While some of these rules are going to cause some concern, they are not too surprising or too difficult to comply with. However, all concerned will struggle if this is left until the last minute. Now is the time to start work to ensure that the day of Mifid does not result in nasty surprises.