Increased scrutiny for outsourcing: an overview of regulatory directives

As financial services rely more on outsourcing, regulators are acting - fast. We take stock of new and emerging regulatory requirements when outsourcing.

04 February 2023 7 mins read
by Jennie Clarke

As technology develops alongside shifting customer and investor expectations, financial institutions have had to shift from a “build” to a “buy” mentality, enlisting the help of specialized services and solutions to enable their activities where they lack the time, resource, or expertise to “build”. One such example is the move to the cloud; most firms now rely on third-party cloud providers in which to store and manage their data, because the notion of building their own private cloud was too daunting. Why do it yourself if someone else can do it for you more effectively?

As ever, with the shifting reliance on outsourced services, financial regulators are moving fast to ensure they are managing any associated risk as a result. Over the past year alone, financial regulators around the globe have issued swathes of new regulations, directives, and consultations that look to bridge the compliance gap for outsourcing.

With that in mind, we scanned the horizon to take stock of new and emerging regulatory requirements when outsourcing.

Securities and Exchange Commission (SEC) – oversight requirements for certain services outsourced by investment advisers – yet to be adopted

In the U.S., the SEC has published proposed oversight requirements for investment advisers (IA) who outsource certain services. On publishing the proposals, SEC Chair Gary Gensler commented that:

“When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients. Thus, today’s proposal specifies requirements for investment advisers designed to ensure that advisers’ outsourcing is consistent with their obligations to clients”

Under the proposed new outsourcing requirements, investment advisers would have to satisfy six new due diligence elements before outsourcing a service to a provider that will perform certain advisory services or functions. These six new areas are as follows:

1. Nature and scope of services

2. Potential risks including their management and mitigation

3. The service provider’s competence, capacity and resources

4. The service provider’s subcontracting arrangements

5. Coordination with the service provider for securities law compliance

6. Orderly termination of the function by the service provider

As well as the six new due diligence considerations, under the proposed IA outsourcing rules recordkeeping is considered a specific area for the attention of investment advisers.

Specifically, it will require “every investment adviser that relies on a third party to make and/or keep any books and records required by the recordkeeping rule […] to comply with a comprehensive oversight framework consisting of due diligence, monitoring, and recordkeeping elements”. The proposed Outsourcing Rules would:

Provide a comprehensive oversight framework for third-party recordkeepers to protect against loss, alteration, or destruction of an adviser’s records

Help ensure records are accessible to the investment adviser as well as Commission staff

Require advisers to conduct reasonable due diligence before engaging a third party to perform a recordkeeping function

The comment period for the SEC’s proposed rules ran until December 27, 2022 – with further consideration anticipated.

UK’s Operational resilience: Critical third parties to the UK financial sector (DP3/22) – awaiting consultation

The UK’s Discussion Paper around critical third parties was published in July 2022 on the understanding that financial institutions “increasingly rely upon third-party services to support their operations”. While in many instances, outsourced services provide “greater resilience than firms’ own technology infrastructure”, the UK government is looking to ensure that any outsourcing risks are considered.

With that in mind, the discussion paper looks to establish a new framework for outsourced services which will:

1. Enable supervisory bodies to identify critical third parties

2. Set minimum standards that these outsourced service providers should meet

3. Create tools with which organizations can rest the operational resilience of their outsourced vendors

The Discussion Paper closed in December 2022 and it is anticipated that UK regulators will consult on new requirements and regulatory obligations early in 2023.

EU’s Digital Operational Resilience Act (DORA) – applies in January 2025

The final text of the EU’s DORA was reached in November 2022 and published in December 2022. It is considered one of the most important pieces of EU legislation concerning operational resilience and cybersecurity. DORA aims to ensure that the European financial sector remains resilient in the event of serious operational or market disruption – an area of key regulatory focus following the unprecedented events of recent years.

DORA applies to a comprehensive range of market participants including investment firms, credit rating agencies, insurance and reinsurance firms, and credit and payment institutions, among others. It introduces a number of specific requirements aimed to tackle operational risks arising from financial services’ reliance on information and communications technology (ICT), data, and third parties. In particular, it focuses on five key areas:

1. ICT risk management

2. Reporting of ICT-related incidents

3. Digital operational resilience testing

4. Management of third-party risk

DORA entered into force on January 17, 2023 and will apply as of January 17, 2025, giving firms two years to prepare for compliance. It is a regulation, not a Directive, so will be binding and applicable across all EU member states.

EU’s Network and Information Systems Directive 2 (NIS2) – applies in October 2024

NIS2 is part of the same regulatory framework as DORA, and looks to repeal and replace the EU’s existing Network and Information Systems Directive (NIS).

The aim of NIS2 is to establish an EY-wide legislation for cybersecurity and resilience, which bolsters the existing framework by introducing a modernized, standardized revamp of existing rules. The new rule looks to keep up with the ever-innovating digitalization of financial services and the wider economy.

NIS2 expands the scope of previous requirements and brings more organizations under the umbrella of those that must be prepared for cyber risk, including banking and public administration, transport, and postal services among others. As with other renewed outsourcing requirements, NIS2 places a keen focus on governance, ensuring that senior managers within a business are directly accountable for cyber resilience plans, including those that concern outsourced service providers such as search engines and cloud computing services.

As well as placing obligations on organizations and their senior managers, NIS2 also creates new obligations for EU Member States. Under the new rules, Member States must designate or create a national authority that is responsible for cybersecurity and its supervision – as well as acting as a single point of contact for these topics. These new authorities must be given the power to supervise, as well as enforce new rules with suspensions, bans, fines, and sanctions.

While NIS2 will not apply directly in UK by reason of Brexit, businesses who operate within the EU will still need to comply with NIS2 in order to maintain a common level of security standards as with EU member states. It is also likely, given the trajectory of UK regulation and recent consultations, that we will similar requirements published within the UK in the near future. Firms should prepare and be proactive.

NIS2 will come into force on October 17, 2024, giving firms and Member States little under two years to prepare for compliance.

As financial organizations become increasingly reliant on outsourced services – and as financial regulators become increasingly eager to see third-party risks mitigated – it is more important than ever to know your vendor.

Before entering into a third-party commitment, firms must show an unflinching commitment to operational resilience and due diligence. Global Relay is the trusted vendor for compliant communications and archiving, with an unblemished track record of building and delivering solutions, at scale.