Authors
Outsourcing functions can unlock significant advantages – flexibility, cost/operational efficiency, access to expertise, rapid market entry, and a competitive technological edge. However, these benefits come with challenges.
What to look out for and common concerns
For customers:
- Is the outsourcing “critical or important” (aka ‘material’), and do I need to tell our regulator?
- What ongoing monitoring and oversight do I need to do?
- Do regulators look at outsourcing agreements?
- Do outsourcing rules apply to intragroup arrangements?
- Is using machine learning and artificial intelligence (AI) a form of outsourcing?
For suppliers:
- Does my firm need to be regulated if we provide outsourced services to a firm authorised by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA)?
- An FCA/PRA-authorised customer has asked for changes to my standard terms. Can I push back?
What is an outsourcing?
The FCA defines outsourcing as:
“An arrangement of any form between a firm and a service provider by which that service provider performs a process, a service or an activity which would otherwise be undertaken by the firm itself.”
Essentially, the definition of outsourcing is very broad: it involves asking another party to handle a business process, service, or activity that a firm would otherwise carry out itself. This could include IT support, cloud infrastructure, or administrative assistance, although it is unlikely to extend to the likes of cleaning contracts or legal advice.
When might it be deemed ‘material’ or ‘critical or important’?
To determine whether an outsourcing arrangement is “material” or “critical or important” (and therefore whether the FCA rules governing outsourcing arrangements will apply), a fact-specific assessment is needed.
Some potential indicators of “materiality”, “criticality” and “importance” are as follows:
- Impact on authorisation and continuity: could the arrangement affect the firm’s authorisation requirements, business continuity, or operational resilience?
- Knowledge drain and ‘scale by stealth’: is there a risk of becoming overly reliant on the provider over time, making it increasingly difficult to bring the services back in-house?
- Customer harm: could the outsourcing adversely impact customers?
- Service quality: will it be difficult to maintain the same quality of service if the outsourcing ends, either by bringing the function back in-house or quickly finding a suitable alternative provider?
Firms should also think about privacy and data security risks attached to outsourcings. For example, cloud infrastructure providers often handle sensitive data for large numbers of clients, creating vulnerabilities, particularly during cyber-attacks or data leaks. Similarly, cloud infrastructure providers may have infrastructure that is based outside of the UK or that is dependent on a large supply chain of service providers. Firms should carry out sufficient due diligence to assure themselves of the adequacy of those arrangements and to identify any risks.
Negotiating a material outsourcing agreement
Some of the key provisions to think about (as customer) are:
- Service levels: the business is delegating business processes and services to a third party so service levels will be an important way of ensuring that performance standards are met. Linked to this may be a service credit mechanism that allows for adequate compensation should standards not be met.
- Step-in/Retained rights: maintain rights for the customer firm to continue performing the services internally. Similarly, a firm may wish to have the right to step-in to perform the services (whether itself or with a replacement service provider) in certain circumstances linked to supplier default.
- Oversight powers: ensure the right to monitor the supplier’s performance and access information.
- Audit and review rights: ensure audit and review rights (as well as others in the agreement) extend to regulators and their representatives.
- Enhanced termination rights: if, for example, the supplier fails to meet set performance standards.
- Exit assistance provisions: for transitioning services back in-house or to an alternative provider.
- Regulatory accountability: confirm the customer firm retains ultimate responsibility for the outsourced services.
- Sub-contracting controls: place controls on the supplier’s sub-contracting rights.
- Contingency planning: include provisions to implement disaster recovery and business continuity plans if necessary.
Managing the outsourcing
Having an adequate outsourcing contract is a crucial first step, but it’s not enough. Firms must implement comprehensive risk and oversight frameworks to manage material outsourcing arrangements effectively. This includes:
- Regular monitoring: track the provider’s performance and compliance with the agreed terms. Firms get into difficulties where they do not refer back to the contract and manage the services by reference to the contract.
- Risk management: identify and mitigate risks associated with the outsourcing arrangement, including cybersecurity and data privacy.
- Ongoing reviews: periodically review the outsourcing agreement and its operational impact to ensure it remains fit for purpose. Where parties do not follow rigorous contract change control processes, the contract can become out of date and changes can introduce inconsistencies within the agreement.
Senior management functions (SMFs) under the Senior Managers & Certification Regime should have particular regard to demonstrating continuing and meaningful oversight of any material outsourcings.
Impact on suppliers of technology and other services to regulated firms
Non-regulated firms providing outsourced services to regulated institutions (such as banks or insurers) should also familiarise themselves with the regulatory landscape, and regulators have issued specific guidance (for example on cloud providers). The CrowdStrike outage in 2024 highlighted the potential for harm arising from widespread reliance on small numbers of large tech firms.
From the perspective of the outsourced supplier, we have also seen situations where clients are asked to accommodate extensive changes to their standard customer contracts instigated by regulated clients treating those contracts as material outsourcing agreements. Sometimes this is a case of a ‘one-size-fits-all’ approach or where that firm views it as generally beneficial to have contractual protections, regardless of whether or not it is a genuine material outsourcing. We have supported firms with responding to and negotiating these requests, including pushing back, where appropriate.
What about AI?
The widespread adoption of AI is deeply connected to the outsourcing landscape.
Regulatory attitudes towards firms relying on large language models (LLMs) to support business functions are evolving, and this is an increasing focus area. The Bank of England and FCA recently issued a joint report, Artificial intelligence in UK financial services – 2024, considering adoption and use of AI in the financial services sector, and isolated some macro and micro trends and risks.
Firms should bear in mind that reliance on AI tools, particularly where there are elements of automated, autonomous or semi-autonomous decision-making (even if there is a human in the decision-making chain), may well be viewed as outsourcings. Firms may also be exposed to this risk without realising it by using suppliers who effectively sub-outsource some of their functions to AI tools, either generic LLMs such as ChatGPT or sector-specific LLMs (as these continue to proliferate).
AI also brings a new range of challenges. For example, how can a firm meaningfully oversee an advanced machine learning tool carrying on an outsourced function, particularly as the tool’s knowledge increases exponentially, which may lead to an ever-expanding knowledge gap between the human(s) overseeing it and the machine performing the task?
What next?
Outsourcing can be a powerful tool for growth and efficiency, but firms need to approach it with diligence and a clear understanding of the risks.
The outsourcing rules which apply vary depending on service and sector and can capture firms purely by virtue of them providing their services to regulated customers.
If you have any questions about outsourcings or outsourcing contracts, please do not hesitate to get in contact with Michelmores’ Commercial team.