The FSA approach to the supervision of outsourcing
| Date | 01 June 2003 |
| Pages | 113-120 |
| Published date | 01 June 2003 |
| DOI | https://doi.org/10.1108/13581980310810435 |
| Author | Peter McCormack |
| Subject Matter | Accounting & Finance,Financial risk/company failure,Financial compliance/regulation |
The FSA approach to the supervision
of outsourcing
Peter McCormack
Received: 12th March, 2003
Senior Risk Analyst, Financial Services Authority, 25 North Colonnade, Canary Wharf, London E14
5HS, UK; tel: +44 (0)20 7676 1000; fax: +44 (0)20 7676 1099; e-mail: peter.mccormack@fsa.gov.uk
Peter McCormack is a senior risk analyst
in the Risk Review Department of the Pru-
dential Standards Division at the Financial
Services Authority and, in working on
operational risk management issues,
reviews the management of outsourcing.
Prior to joining the Risk Review Depart-
ment he was a policy adviser on opera-
tional risk, also in the Prudential
Standards Division.
ABSTRACT
KEYWORDS: outsourcing, regulation, risk
management, operational risk
This paper introduces and sets out the key regu-
latory requirements for authorised firms in the
area of outsourcing and how these requirements
are evolving. It also sets out the Financial Ser-
vices Authority’s (FSA) Risk Review Depart-
ment’s approach to reviewing the management
of outsourcing.
INTRODUCTION
At N2
1
the Financial Services Authority
(FSA) replaced the legacy risk assessment
frameworks
2
that existed for banks, invest-
ment firms, and insurers with a single risk
assessment framework called ARROW,
3
designed to support the FSA’s risk-based
approach to supervision. This approach to
supervision and the new risk assessment
framework are designed to assist the FSA
in meeting its statutory objectives.
4
The ARROW methodology consists of
a probability/impact assessment matrix of
45 risk elements grouped into business risks
and control risks.
5
One of the risks that the
FSA is interested in is ‘Outsourcing/third
party providers’ — a control risk
6
within
the ARROW framework. Outsourcing is
used throughout this paper to refer to both
outsourcing and third party providers.
Outsourcing has been a source of con-
cern to the regulatory community for
some years with the Investment Manage-
ment Regulatory Organisation (IMRO)
7
being the first to produce guidance on the
‘Control of delegated functions’
8
in 1996.
The FSA has continued to be concerned
about outsourcing and in June, 1999 intro-
duced outsourcing requirements for the
banking sector — this policy was later
extended to building societies in Septem-
ber, 2000. This policy has been carried for-
ward and can be found in both the Interim
Prudential Sourcebooks for banks and
building societies. Although there have
occasionally been difficulties with the inter-
pretation of materiality (see below), the
policy is widely regarded as reflecting com-
mercial common sense.
There are presently five Interim Pruden-
tial Sourcebooks
9
setting out prudential
rules and guidance for five key segments of
Page 113
Journal of Financial Regulation and Compliance Volume 11 Number 2
Journal of Financial Regulation
and Compliance, Vol. 11, No. 2,
2003, pp. 113–120
#Henry Stewart Publications,
1358–1988
To continue reading
Request your trial