A CASS Reflection - Governance and oversight of CASS activities delegated to other parties
14 December 2018
If you asked someone to look after your favourite pen, you would probably check in on them occasionally to see that it is still working… so are you applying the same mentality in the context of your CASS outsourced activities?
Why you ask? Firms are increasingly relying on a range of third parties to deliver their business objectives, accessing specialist skills and markets, while realising often sizable cost and operational efficiencies. The scale and complexity of these relationships, the pervasive nature of the risks they introduce, and the potential implications for market stability all combine to ensure that this has become a priority focus for regulators, especially the governance and oversight frameworks that firms have in place over these.
In light of this increased focus, the pressure on firms to step up their level of governance and oversight is on the rise. In our experience, firms are still struggling to get the balance right. In this blog we take a look at the key requirements and challenges faced by firms’ who outsource CASS activities.
What is the definition of outsourcing?
Outsourcing is an arrangement by which a third party (external or intra-group) performs an activity, process or service on behalf of a firm that that firm would typically perform itself, or be expected to perform as part of its normal business activities. Which of your activities fall under this definition?
What are the requirements for governance and oversight of outsourced activities?
SYSC 8 of the FCA Handbook defines the requirements for outsourcing governance in the UK applicable to all outsourcing, both external and intra-group. In essence, CASS firms are required to demonstrate effective UK senior management control and oversight of the outsourced arrangements on which they rely, with a particular focus on those that constitute ‘critical or important outsourcing’ (‘critical outsourcing’). In practice this means defining an outsourcing strategy and risk appetite, and establishing an appropriate outsourcing governance forum to manage this, supported by clear, proportionate lifecycle processes from identification, risk assessments and due diligence through to eventual exit. All supported by an appropriate operating model, comprising sufficiently skilled personnel.
Challenges faced by firms vs. FCA’s expectations
Getting the right balance of oversight is a challenge for a lot of firms. Some common areas we have seen firms struggle include:
- Defining the level of risk that is acceptable in the use of outsourced service providers and the associated tolerance levels to support effective monitoring against these;
- Defining and consistently identifying critical outsourcing (intra-group as well as external);
- Maintaining the right retained capabilities and determining the appropriate level of ongoing monitoring, proportionate to risk;
- Managing sub-contractors;
- Managing concentration risk and substitutability; and
- Embedding effective outsourcing governance into wider enterprise and operational risk management frameworks.
Addressing these and other areas is challenging. However the benefits of getting it right and establishing a robust outsourcing risk framework - from enhanced risk management and demonstrable regulatory compliance to improved commercial insight - by far outweigh the costs.
… after all, you need to ensure your favourite pen stays in good working order!
Look out for the PwC outsourcing scorecard to help you assess the level of oversight you apply to outsourced arrangements.