FCA Outsourcing
22-item checklist for UK FCA-regulated firms evaluating outsourcing providers. Covers governance, data protection, operational resilience, and exit planning.

A structured checklist for UK firms regulated by the Financial Conduct Authority who are evaluating or onboarding an outsourcing provider for compliance, financial operations, or customer-facing functions. Covers the seven areas the FCA expects regulated firms to assess before, during, and after an outsourcing arrangement.
By Treba Research · [Publish Date] · 5 min read
The FCA’s outsourcing expectations are codified in SYSC 8 (Senior Management Arrangements, Systems and Controls) and the Operational Resilience framework (PS21/3). Together, these require regulated firms to conduct proportionate due diligence on any material outsourcing arrangement, maintain oversight of the outsourced function, and ensure that the outsourcing does not impair the FCA’s ability to supervise the firm.
The Consumer Duty regulation (introduced July 2023) adds a further layer: firms must demonstrate that outsourced functions deliver good outcomes for customers. A poorly managed outsourcing arrangement that degrades customer experience is now a regulatory failure, not just an operational one.
This checklist does not replace legal advice. It is a practical reference tool for compliance teams evaluating whether an outsourcing provider meets the FCA’s expectations across governance, data, operations, and exit planning.
A. Governance & Oversight (Items 1–6)
1. Written outsourcing policy in place
Your firm must have a board-approved outsourcing policy that classifies arrangements as material or non-material and defines the due diligence and oversight requirements for each.
2. Material outsourcing assessment completed
Determine whether the outsourced function is ‘material’ under SYSC 8.1.1. Functions that could affect regulatory compliance, customer outcomes, or business continuity are almost certainly material.
3. Senior Management Function (SMF) accountability assigned
An identified SMF holder must be accountable for the outsourced function. This is not delegable. The SMF holder must understand the arrangement and be able to explain it to the FCA.
4. Board or committee approval documented
Material outsourcing arrangements require documented board or risk committee approval before execution, including the rationale, risk assessment, and oversight plan.
5. Ongoing monitoring framework defined
Define KPIs, reporting frequency, escalation triggers, and review cadence. The FCA expects ‘appropriate and proportionate’ oversight, not set-and-forget.
6. Regulatory notification assessed
Some outsourcing arrangements require notification to the FCA (particularly for critical or important functions). Check the FCA SUP 15.3 notification requirements.
7. Provider’s financial stability assessed
Request audited accounts or evidence of financial viability. A provider that fails mid-engagement creates regulatory and operational risk.
8. Provider’s information security controls reviewed
Assess against ISO 27001 or equivalent. Review access controls, encryption, incident response, and physical security. Request evidence, not just policy documents.
9. Provider’s staff vetting procedures documented
Confirm background checks, professional reference verification, and NDA execution. For FCA-regulated functions, confirm that staff understand the FCA Conduct Rules.
10. Business continuity and disaster recovery plan reviewed
Request the provider’s BCP and DR plan. Assess power redundancy, network failover, and data backup procedures. Confirm Recovery Time Objectives (RTOs).
11. Sub-outsourcing arrangements disclosed
The provider must disclose whether any part of the function is sub-outsourced to a third party. Your firm must approve any sub-outsourcing of material functions.
12. Regulatory references or existing FCA-regulated client base confirmed
Where possible, confirm that the provider has experience serving FCA-regulated firms. Request anonymised references.
13. Data Processing Agreement (DPA) executed
A DPA compliant with UK GDPR Article 28 must be in place before any personal data is processed. The DPA must specify purpose, duration, data categories, and processor obligations.
14. International Data Transfer Agreement (IDTA) completed
If data is transferred outside the UK (e.g., to Kenya), an IDTA or equivalent safeguard must be in place. The IDTA is the post-Brexit successor to the Standard Contractual Clauses for transfers from the UK to third countries.
15. Transfer Risk Assessment (TRA) completed
Assess the legal framework in the receiving country. Kenya’s Data Protection Act 2019 is modelled on the EU GDPR and has an active supervisory authority (ODPC). Document this assessment.
16. Data breach notification procedures agreed
The provider must notify your firm of any personal data breach within an agreed timeframe (typically 24–72 hours). Your firm remains responsible for ICO notification under UK GDPR Article 33.
17. Impact tolerance for the outsourced function defined
Under PS21/3, your firm must define the maximum tolerable disruption for each important business service. If the outsourced function supports an important business service, this tolerance applies to it.
18. Scenario testing completed or scheduled
Test what happens when the provider is unavailable. This includes severe but plausible scenarios: internet outage, provider insolvency, sudden staff attrition.
19. Concentration risk assessed
If the same provider handles multiple functions, assess the impact of a single-provider failure. The FCA is increasingly focused on concentration risk in outsourcing.
20. Contract includes FCA-required terms
SYSC 8 requires contracts to include: audit rights, access for the FCA, data ownership, termination provisions, and performance standards. Each of these must be present.
21. Service Level Agreements (SLAs) defined with measurable KPIs
SLAs must be specific, measurable, and enforceable. Avoid vague terms like ‘best efforts’. Define turnaround times, error rates, availability, and escalation protocols.
22. Exit plan documented before engagement begins
Your firm must have a documented exit plan that covers: data return or destruction, transition timeline, alternative provider identification, and service continuity during transition. This is not optional: the FCA expects it before the arrangement commences.
