 |
|
| Financial Law Update | Back to article summary. |
| MiFID outsourcing rules - the de facto standard |
| |
| While primary purpose of the Markets in Financial Instruments Directive ("MiFID") is harmonisation of the rules relating to provision of investment services, and of the level of protection offered to investors, throughout the European Union, a number of the provisions of MiFID are of potentially much broader application, and look likely to be adopted across the financial services sector as de facto, if not de jure, standards. |
| While primary purpose of the Markets in Financial Instruments Directive ("MiFID") is harmonisation of the rules relating to provision of investment services, and of the level of protection offered to investors, throughout the European Union, a number of the provisions of MiFID are of potentially much broader application, and look likely to be adopted across the financial services sector as de facto, if not de jure, standards. Not least amongst these are the organisational requirements provisions, including the rules relating to outsourcing. The adoption of the MiFID outsourcing provisions as a minimum standard to be achieved, not only in the investment services industry, but across a broad range of financial services sectors, is clearly demonstrated by the adoption, in December 2006, by the Committee of European Banking Supervisors ("CEBS") of Guidelines on Outsourcing (the "CEBS Guidelines"). While applicable to the full range of services provided by credit institutions, the CEBS Guidelines have been deliberately designed, in consultation with the Committee of European Securities Regulators, to be consistent with the MiFID outsourcing rules. The UK Financial Services Regulator ("FSA") is meanwhile revising both its Handbook and its Conduct of Business Sourcebook, using MiFID as a catalyst. The FSA's stated intention is that some elements of MiFID would thereby become applicable to all firms under its supervisory control, and not just those which are in any event subject to MiFID, and it is reasonable to assume that the organisational requirements and outsourcing provisions would be amongst those which are applied across the board. And while the Irish Financial Services Regulatory Authority (the "Financial Regulator") has not to date adopted formal outsourcing guidelines, it has in our experience consistently utilised the CEBS Guidelines as a starting point for review of outsourcing arrangements which are notified to it. In continuing with this approach, the Financial Regulator will by implication extend the application of the MiFID outsourcing rules beyond the scope of services strictly covered by MiFID. A key element of ensuring compliance with the MiFID rules will be the execution of a clear outsourcing contract between the outsourcing institution and the service provider, and the CEBS rules contain a useful checklist of issues to be addressed in any such outsourcing contract. These include clearly defining the services to be provided, the performance standards to be achieved, and specifying the ongoing monitoring, assessment and auditing rights of the outsourcing institution, all elements which are critical not only from a regulatory compliance perspective, but are also key components of the commercial relationship between the parties. Both the MiFID rules and the CEBS Guidelines place considerable focus on the role of the supervisory authority of the outsourcing institution. The outsourcing contract must also protect the ability of the supervisory authority to continue properly to oversee and regulate the outsourced activity, and cannot prejudice its ability to audit and access information relating to the outsourcing and the premises from which the outsourced services are provided, or to require termination of the outsourcing contract where deemed necessary. Given the overarching need for the outsourcing institution to retain management responsibility and supervisory control over the outsourced services, and the ability to manage the risks associated with the outsourcing, the contract will not, however, be the sole control mechanism required. Outsourcing institutions should not underestimate the level of practical management supervision and ongoing relationship management which an outsourcing, and particularly the outsourcing by a financial institution of a material or critical operational function, will entail. Experience in other jurisdictions, in both financial services and other industries, has shown that failed outsourcings consistently lack basic governance and contract management structures, and that even where outsourcing arrangements do encompass such governance and contract management structures, they often fail due to ineffective or non-existent implementation of those structure by the parties. In order to meet regulatory obligations, outsourcing institutions will be required to manage their relationships with their service providers actively and effectively, which means establishing comprehensive reporting lines and mechanisms. This will apply not only in using third party providers, but also in an intra-group context, although in such cases the degree of control and influence which an outsourcing institution has over the service provider in the same group, and the degree to which the service provider is included in the consolidated supervision of the group can be taken into account. Greater attention will need to be paid to the practical management and control issues where the outsourcing is to an off-shore service provider. While the MiFID rules do not limit the ability of outsourcing institutions to utilise offshore service providers, including those outside the European Union, the practical difficulties which may arise from the location of a service provider in an different jurisdiction, including as regards guaranteeing the supervisory authority's oversight and audit rights, and restrictions arising under other regulation, such as the Data Protection Acts 1988 and 2003, will need to factored into the overall risk assessment. The application of the outsourcing rules in MiFID to various outsourced activities will vary, being subject as they are to the principle of proportionality, by reference to the nature, scale, complexity and criticality of the outsourced services. It appears, however, that they are likely to be applied beyond the scope of MiFID itself, and to become the principles by reference to which the broad range of financial services outsourcings will be defined. |
Anne-Marie Bohan is a partner in the Banking and Financial Services Department and head of our Outsourcing Group at Matheson Ormsby Prentice. She can be contacted by phone: +353 1 619 9000 or by email: anne-marie.bohan@mop.ie |