22 December 2015

Raphaels Bank fined by PRA due to inadequate intra group outsourcing arrangements

In a decision released by the Bank of England Prudential Regulation Authority on 27 November, R Raphaels & Sons plc (“Raphaels”) was fined £1,825,950 (reduced by 30% to £1,278,165 in accordance with the PRA’s fee settlement policy) for a breach of Principle 3 of the FCA’s “Principles for Businesses” (as was in force until 19 June 2014). All FCA or PRA-regulated firms should take note of the decision, which called into question Raphaels’ practices regarding its intra-group outsourcing arrangements and their failure to fulfil their obligations under the PRA Handbook and the FCA Handbook. In particular, firms should be aware of the detailed obligations applicable as rules to common platform firms (and as guidance to all other authorised firms) under the SYSC 8 chapter of the FCA Handbook in respect of any outsourcing of a “critical or important” function – whether or not the outsourcing remains “in the family”.

The Facts

The breach came to light when it transpired that at least £25m in funds had been improperly transferred from one member of Raphaels group to another (known in the decision as “Company C”) by employees of Company C, without the knowledge or consent of Raphaels. This lead to Raphaels’ exposure to Company C being inaccurately reported by Raphaels and to Raphaels breaching its large exposure limit.  It is important to note that no funds were actually transferred outside the Raphaels group.

The Reasons for the Fine

The fine was imposed by the PRA due to Raphaels’ failure to:

  • outsource important operational functions properly and with due regard to its responsibility to ensure that there was no detrimental impact on its ability to meet its prudential regulatory obligations as a result of the outsourcing;
  • manage the risks associated with and oversee the outsourced important operational functions; and
  • have in place adequate systems and controls (which may have prevented the transfers from taking place or enabled them to have been detected in a timely manner).

Key Learnings

This decision is a timely reminder for any firm that is subject to FCA or PRA oversight. Such firms should review the arrangements they have in place with respect to the outsourcing of critical or important functions, even if carried out within their corporate group, to ensure that they comply with the outsourcing requirements set out in the FCA Handbook. While there is some flexibility in intra-group outsourcing arrangements where a firm has a degree of control or influence over the service provider, in many cases authorised firms within a corporate group receive services from companies at the same level or above within the corporate structure, and in those cases SYSC8 can be applied quite strictly.  In almost all cases, it is important to undertake appropriate diligence regarding the relevant group company’s ability to carry out the outsourced function, and to clearly understand the risks associated with the outsourcing.

SYSC 8 also requires all outsourcings of critical and important functions – even intra-group – to be carried out under a written agreement. In addition, SYSC 8 imposes obligations on firms to maintain practical oversight of outsourced functions: so not only must the obligations be set out on paper, but reporting obligations must be fulfilled and performance closely monitored during the entire term of the outsourcing.

Accordingly, firms should consider undertaking all outsourcings as if they were to be conducted on an arm’s-length basis – even if they’re to be carried out by a trusted member of their corporate “family”.

Other Developments

It is clear that outsourcing arrangements have been high on the agenda of the PRA and the FCA in 2015.  While not specifically related to the recent PRA decision concerning Raphaels Bank, the FCA has taken forward various other initiatives during 2015 with a focus on outsourcing, including:

  • A thematic review on delegated authority and outsourcing in the general insurance market (TR15/7), in which the FCA found that many firms – including insurers and intermediaries – did not appear to  have adequately considered or recognised their regulatory obligations. While insurers are subject to different rules on outsourcing (see SYSC 13.9), the FCA’s thematic review nonetheless shows the importance it places on outsourcing arrangements in general.
  • A guidance consultation (15/6) setting out the FCA's proposed guidance for firms outsourcing to the ‘cloud' and other third-party IT services. The outsourcing of IT functions has been a particularly contentious area so far as the FCA is concerned, since many service providers refuse to agree to contractual protections that regulated firms are requested to include in their outsourcing arrangements. While the guidance is useful to firms, it does not lessen their responsibilities to comply with the FCA’s outsourcing rules.

These developments not only show that firms must do more to ensure that they are outsourcing in accordance with the rules, but service providers must also do more to understand the needs of regulated firms whose functions are outsourced to them.

Conclusion

The latest fine by the PRA demonstrates that regulators take outsourcing rules seriously and that there is little scope for firms to ignore them, even when contracting within their own corporate groups.  Firms who ignore the rules going forward will clearly do so at their own peril. Outsourcing agreements just may be closer to the top of the list of New Year’s resolutions for regulated firms.

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    Data is the new oil. It's valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc to create a valuable entity that drives profitable activity

    08 November 2021

    The growth of the digital economy has led governments around the world to seek to regulate cybersecurity and privacy of individuals.

    15 September 2021

    The manner in which China will regulate data security in the automotive industry has become much clearer.

    24 August 2021

    In 2021, China finally ended mandatory animal testing for most types of cosmetics products. However, it is not only rabbits that have reason to rejoice.

    17 August 2021

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.