The recent financial penalty imposed on R. Raphael & Sons Plc (“Raphaels”) by the Prudential Regulatory Authority (“PRA”) underlines the importance of having proper and formalised outsourcing arrangements in place with service providers (even where these are intra-group). Although authorised financial institutions may outsource important operational functions, the responsibility to comply with regulation will remain with the authorised firm.
On 27 November 2015 the PRA released a Final Notice (dated 12 November 2015) fining Raphaels £1,278,165 pursuant to s206 Financial Services and Markets Act 2000. The PRA’s notice can be found here. The financial penalty was imposed for Raphaels’ failure to manage its outsourcing arrangements between 18 December 2006 and 1 April 2014 in breach of Principle 3 of the Principles for Businesses (as replaced by the Fundamental Rules in the PRA’s Rulebook).
Raphaels is authorised by the PRA to, amongst other things, accept deposits. It provides consumer finance facilities and savings accounts, and owns permanent and mobile ATMs around the UK.
During the relevant period Raphaels was a party to an intra-group joint venture to provide ATMs across the UK. As part of this arrangement, aspects of Raphaels’ finance function were outsourced to other companies in its group, including making payment to third parties on Raphaels’ behalf and replenishing cash in ATMs. Raphaels would then reimburse the group companies for these costs.
The PRA identified major failings in Raphaels’ outsourcing arrangements. At the outset, no written agreement was entered into relating to the joint venture or the outsourcing of certain finance functions. Raphaels failed to carry out suitable due diligence, or indeed any due diligence, in relation to its outsourcing partners. When a written agreement was entered into with one group company to which certain finance functions were outsourced (referred to by the PRA as “Company C”), 21 months after it had begun providing some of Raphaels’ finance functions, the agreement did not include division of responsibilities and powers between Raphael and Company C nor allow Raphael appropriate oversight over the arrangements.
Between 2007 and 2014 certain employees at Company C with access to Raphaels’ bank accounts, improperly transferred funds from Raphaels to Company C in excess of amounts properly due under the joint venture arrangements. They did this covertly with the aim of assisting Company C with cash-flow issues.
As the joint venture was intra-group, the cash remained within the group and was repaid promptly when the breach was discovered. However, Raphaels’ failure to properly outsource and oversee all aspects of its financial functions meant that the improper transactions were able to take place and remain undetected for approximately seven years. The improper transactions also had the effect of causing Raphaels to make inaccurate capital liquidity reports to the PRA.
What should financial institutions outsourcing aspects of their financial functions consider in light of this decision?
In its notice the PRA states that an authorised firm may outsource important operational functions. However, the financial institution will remain responsible for its compliance with regulation, not the service provider. Therefore it is important to consider the effect that outsourcing functions may have on a financial institution’s ability to comply with its regulatory obligations and to ensure that outsourcing arrangements will not prevent or adversely affect compliance.
The issues encountered by Raphaels, and the findings of the PRA, illustrate the following key considerations:
- due diligence. Suitable due diligence must be conducted on the potential service provider to which a financial institution intends to outsource aspects of its functions. That a potential provider is intra-group (as in this case) does not absolve an authorised firm of the responsibility to conduct proper due diligence.
- scope of services. Responsibilities and powers must be clearly divided between the authorised firm and service provider. In this case there was a delay before the outsourcing arrangements were documented and initial documentation did not define the scope of services to be provided. When the services were documented, the services provided by Company C were far more extensive than those described in the agreement’s scope of services. The PRA’s decision that this was a major failing of Raphaels underlines the importance of properly understanding and defining the scope of services before entering into outsourcing arrangements. It also underlines that where the scope of services changes over time, this should be properly documented.
- proper oversight and control. An authorised firm retains responsibility for regulatory compliance. Therefore it is essential that suitably strong contractual provisions allow the authorised firm to monitor the actions of the service provider and implement changes to the services if required. A major failing in this case was that Raphaels did not monitor Company C’s provision of the outsourced services and there was no established method to verify the accuracy of amounts transferred between the companies. A further lack of proper oversight was that finance functions, including non-outsourced and outsourced aspects, between Raphaels, Company C and a further sister company, which performed outsourced accountancy work, all reported to the team at Company C which included the employees carrying out the improper transfers. Although in this case the outsourcing arrangements were intra-group, the authorised firm had no real control over their actions. In its notice the PRA reiterates that it “expects a prudently managed firm” to have “adequate arrangements for the proper oversight of the outsourced functions” in place.
- proper documentation. It is important to ensure that outsourcing arrangements are properly documented to reflect the commercial terms, responsibilities and reporting lines between the institution and service provider. This is particularly important in intra-group arrangements where the dividing lines between employees' and group entities' functions may not be clear. As in all contract management situations, reliance should only be placed on final, executed versions of agreements – an unsigned draft agreement had been in circulation within Raphaels, but this does not satisfy the requirement to have a written agreement in place.