03 May 2007

Times: MiFID could force banks to revise outsourcing arrangements

The mere mention of the Markets and Financial Instruments Directive (MiFID) strikes fear into the hearts of Government ministers, let alone financial institutions. But while banks and traders grapple with the massive compliance burden to be introduced by new EU regulations in November, few have stopped to consider the equally burdensome matter of their outsourcing arrangements.

Whilst the Financial Services Authority has long required the institutions that it regulates to have outsourcing agreements, and has published best-practice guidelines, MiFID will go a lot further, according to outsourcing lawyers. The directive, which aims to streamline share-dealing regulations and boost competition across the continent, will cast its net wider and for the first time introduce mandatory obligations to the outsourcing world.

“From a contracting perspective, this is like Sarbanes-Oxley and Y2K before it,” says Martin Cotterill, a partner with the law firm Latham & Watkins in London. “You are going to have a MiFID clause in every outsourcing contract, and you won’t be able to compete unless what you are offering is compliant with the new framework.” But not only will the financial sector need to ensure all new outsourcing contracts comply, and that adequate due diligence is conducted on suppliers, it will also need to renegotiate with current suppliers to make sure existing contracts are up to scratch.

Simon Briskman of Field Fisher Waterhouse says: “There is a window between now and November where every financial institution has to go back to every outsourcing agreement they have in place, and review its compliance. They will often have to go back and renegotiate elements with the supplier.” He adds, “Most firms should be engaged in this activity now. I’m not sure they all are.”

It is widely predicted that as many as one third of the UK companies affected by MiFID will not be compliant by November, which is perhaps not surprising given the one-off £1.2 billion bill for implementation that is expected industry-wide, and the outstanding issues at a macro level. Last week the European Commission started legal action against 24 member states that have failed to introduce the new rules into their national law by the January 31 deadline.

Britain, Romania and Ireland are the only three countries to have so far put MiFID on the statute books, but as the first deadline for the rules to come into effect is November 1, a further rush of activity is expected over the summer.

For institutions, that means more than just internal checks. “You need to take a cold hard look at your outsourcing contracts in light of the new requirements,” says Cotterill. “There will probably be a few gaps that need to be plugged. People have often done that gap analysis for their own organisation, but while everyone is looking at their own systems and controls, they should also be checking the relationships with suppliers.”

For example, the new regulations state that an investment firm must be able to terminate an outsourcing arrangement, if necessary, without detriment to the continuity and quality of its provision of services to clients. They also say that the firm and the service provider should establish and maintain a contingency plan for disaster recovery and periodic testing of back-up facilities.

Briskman says, “You may find you now require more robust business continuity services from your supplier, and you have to consider whether a supplier is big enough and robust enough that you can rely on it being there in a few years’ time.”

An indication of the level of pressure the new rules will put on the outsourcing industry is the fact that the very definition of an outsourcing is now up for debate. The new law says that an outsourcing means “an arrangement of any form between a firm and a service provider by which that service provider performs a process, a service or an activity which would otherwise be undertaken by the firm itself”.

But what if an investment bank employs a data provider such as Bloomberg or Reuters to deliver technical analysis and information services? Or a broker-dealer employs a clearing agent in Frankfurt because they do not themselves have a physical presence in the city?

If these things are deemed to be outsourcing arrangements, the purchasers will have to have audit and access rights to their suppliers’ internal systems going forward, because they will be obliged to monitor the service provision and compliance of a supplier.

Robert Falkner, a partner in the London office of law firm Morgan Lewis, says: “There isn’t industry consensus on a lot of this yet, but if it’s not an outsourcing arrangement you don’t have to have all these mandatory provisions in your contract.”

By way of example, he points to the question of whether a settlement provider is an outsourcing provider. “Some people are now saying that they want audit and access rights to the personal account dealing records of any employee of the settlement company that they use,” he says. “They argue that if you are providing us with a service, and a market abuse issue arises, we have to have access to your employees’ dealing records because it is possible they might have misused information that they had access to through their work for us.”

For a large financial institution like Citigroup, it is not unusual to find two legal teams taking contrary stances on this point. The one that provides settlement and custody services to third parties will argue for a narrow outsourcing definition, and will fight for minimal audit and access rights, whilst another that is the purchaser of services will be trying to negotiate greater powers over its suppliers.

Not all of these debates are new ones, but MiFID draws them into sharper relief. “What’s changing is that general good practice is turning into mandatory rules and becoming more comprehensive,” says Falkner. “It may not be a whole new world on November 1, but there is certainly a need for renegotiation, and there are a few areas that are proving controversial.”

© The Times