United Kingdom | Publication | May 2020
This briefing considers how the UK’s proposed operational resilience regulatory framework will impact contractual relationships between regulated firms operating in the financial services sector and their service providers.
In December 2019, building upon the framework outlined in the July 2018 Discussion Paper ‘Building the UK Financial Sector’s Operational Resilience’, published jointly by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), the regulators published a suite of documents seeking to embed that approach into policy (together, the Proposals):
The way that parties providing important business services to regulated firms incorporate operational resilience considerations into their business is a key part of such firms’ ability to prevent, adapt to, respond to, recover from, and learn from operational disruption and to help ensure resilience.
Our recent client briefing and video explore some of the issues that regulated firms should consider in this context, including the identification of “important business services” and the activities regulated firms will be required to undertake in ensuring their operational resilience.
The regulatory landscape for sourcing and outsourcing in the financial services sector is becoming more complex. Financial services sector firms will be undertaking internal compliance projects to implement operational resilience, and as part of this, will no doubt be considering interactions with third party service providers. Lawyers, procurement and business representatives who negotiate service contracts on a daily basis all need to be familiar with the Proposals and their potential impact.
Consistent with the regulatory framework set out by the EBA, PRA and FCA, operational resilience needs to be considered in respect of arrangements with any third party supporting the delivery of an important business service, not only those considered to constitute outsourcing.
Third party arrangements
The PRA has provided examples of such third party arrangements, including:
A regulated firm will therefore need to be cautious when assuming, in respect of a contract that is not on its face an “outsourcing”, that it is not actually subject to additional regulatory requirements. It is worth noting that to the extent the contract does not fall within the scope of the proposed outsourcing requirements, the regulatory requirements that apply may be less prescriptive.
Not all outsourcings will attract the additional controls contemplated by the proposed operational resilience requirements. For example, a regulated firm’s payroll function is unlikely to be assessed as an important business service for operational resilience purposes, but the outsourcing of this function will nevertheless be subject to the PRA’s outsourcing requirements. For these reasons, when drafting or negotiating a service contract, it is essential to have a clear understanding of:
For completeness, it is worth noting that regulated firms subject to the Senior Managers & Certification Regime are also expected to assign responsibility for the oversight of operational resilience (and, with that, oversight of outsourcing arrangements) to a senior manager. It is important to ensure that the relevant senior manager has appropriate oversight of service contracts.
The Proposals do not introduce wholesale changes from a service contract perspective and the contractual protections that promote operational resilience objectives will be familiar to procurement lawyers and the procurement function (as well as to service providers).
However, regulated firms may, to the extent relevant and not already provided for, need to:
Specific contractual provisions
The Proposals may impact the way in which certain contractual protections are drafted and negotiated – for example:
The overarching message is that firms should consider how to apply operational resilience most appropriately for their business:
Drafting challenges and solutions
The challenge for those drafting and negotiating service provider contracts is that standard clauses (whether in a template for a new contract or addendum to an existing contract) may be either impractical or insufficient to deal with the unique operational resilience requirements for a particular deal.
A solution could be to create different sets of clauses which are applied based on a risk assessment (similar to what some firms do for data protection). Document automation solutions that build more bespoke contracts based on answers to an initial questionnaire may become increasingly valuable in this context.
Although the regulatory responsibility for operational resilience ultimately rests with a regulated firm, service providers need to understand the requirements and the impact they will have when engaging with firms operating in the financial services sector.
Service providers often make a policy decision not to accommodate a specific customer request in relation to, say, a matter such as business continuity on the basis that accommodating the specific client request would have an adverse operational and cost impact if the service provider similarly had to accommodate the requests of other customers (perhaps from different sectors) in the same way.
Revised negotiation positions in light of compliance requirements
In light of the Proposals, service providers:
The Proposals on access, audit, and information rights are encouraging in this context. The draft supervisory statement:
The fact that such an approach is acknowledged at supervisory authority level may facilitate more constructive discussions between service providers and their regulated clients on these matters.
Confidentiality and intellectual property will also be a key topic. Technology service providers are particularly sensitive in this area and these issues will be at the forefront of discussions on collaboration and exchanging information with other service providers (in addition to compliance with competition laws).
In light of the challenges presented by COVID-19, the deadline for providing responses to the Proposals has been extended to October 1, 2020. There is an open question over whether there will be any significant changes to the FCA and PRA’s final policies as a result of the COVID-19 outbreak.
© Norton Rose Fulbright LLP 2023