When outsourcing goes awry - Raphaels Bank:
Raphaels Bank is a timely reminder of why outsourcing rules and regulations are essential, for example:
- European Banking Authority (EBA) guidelines
- JFSC Outsourcing Policy - March 2017
- FCA SYSC 13.9 Outsourcing
In May 2019, Raphaels Bank was fined £1.89m for failing to manage its outsourcing arrangements properly. The failings came to light after an eight-hour technology “incident” on Christmas Eve 2015 at a service provider relied upon by Raphaels’ payment services division to manage its card programmes and payment authorisation services.
As a result, 5,356 point-of-sale, cash machine and online transactions worth a total of £550,000 could not be authorised.
A subsequent investigation by the Financial Conduct Authority and Prudential Regulation Authority uncovered what the pair called:
- “deeper flaws” in the overall management and oversight of outsourcing risk at the company, from “board level down”, and
- “weaknesses” throughout its outsourcing systems that they claimed the bank should have known about since April 2014.
In a statement released in May 2019, Mark Steward, executive director of enforcement and market oversight at the FCA, said:
- “Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience.
- “There is no lower standard for outsourced systems and controls, and firms are accountable for failures by outsourcing providers.”
- There are specific, additional provisions that will apply in relation to business continuity planning for these types of outsourcing, and there is a higher level of due diligence required in relation to entering into a critical or important outsourcing.
- For example, all the guidelines (see above) put the onus on financial institutions to ensure their chosen outsourcing partner has some form of track record in taking care of critical and important functions on behalf of their clients.
- The EBA says:
- “The guidelines clarify that the management body of each financial institution remains responsible for that institution and its activities at all times,”
- To this end, the management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements.
- Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’ that lacks the substance to remain authorised.