The FCA has published its Business Plan for 2019/20. Following a number of recent high-profile IT failures, it comes as no surprise that the FCA has committed to review, during the next 12 months, how firms use third-party IT suppliers. As noted by the FCA, between October 2017 and September 2018, 17% of the incidents reported to the FCA by firms were caused by IT failure at a third-party supplier.
The launch of this review should act as a prompt for all FCA-regulated entities to consider how they currently outsource third-party IT services (as well as any other material outsourced services) and whether any improvements can be made.
The recurring theme coming out of the FCA's (and previously the FSA's) investigations into outsourcing over the last ten years is the lack of control and management that firms have over third-party suppliers. Often the contractual documents provide firms with the tools they need to effectively manage and control the outsourcing (such as audit rights, periodic reporting and review meetings), but in practice these tools are not used. A prime example of this is the FSA's investigation into Zurich Insurance Plc, where the FSA noted that the service management calls were intermittent and ceased altogether after a certain date.
When reviewing your current outsourcing arrangements, it is therefore important that you review the outsourcing agreement itself (making sure the terms (i) enable you to control and manage the outsourcing and (ii) comply with the FCA's detailed rules on outsourcing) and that you review what is happening in practice.