By Nicola Higgs, Fiona MacLean, Brett Carr, and Catherine Campbell

Technology outsourcing by financial institutions (FIs) has increased in recent years as FIs look to the latest innovations to improve their day-to-day business processes and to reduce costs. FIs outsource key functions to a host of regulated and unregulated third-party service providers, and the sector is poised for continued growth. According to research conducted by business outsourcing provider Arvato and analyst firm NelsonHall, outsourcing agreements worth £6.74 billion were agreed in the UK last year across all industries (a 9% increase on the prior year), and financial services firms signed £3.26 billion of them. With this continued growth, the outsourcing sector is increasingly likely to be a hotbed of PE deal activity; and, as regulators place a greater focus on outsource providers, deal teams should monitor regulatory engagement and policy developments.

Outsourcing Companies Evolve

IT and business process outsourcing are converging, meaning outsourcing deals are now different to the traditional, bespoke, dedicated service arrangements firms have entered into in the past. Modern-day outsource providers who have grown exclusively as tech companies are looking to meet the demand for processing and administration solutions for financial products and services in a heavily regulated environment. Notably, the Financial Conduct Authority’s (FCA’s) recent Investment Platforms Market Study identified that most investment platforms purchase their technology from third-party providers, and more than half of the platforms the study considered are in the process of re-platforming to a new provider. Less than a third of firms in the study rely on proprietary technology. Areas such as cybersecurity and data analytics have also become increasingly important for the sector, driving demand for specialist third-party providers with robust processes.

In our view, these outsource service providers will require additional funding to meet scalability challenges, invest in product development, and satisfy rising demand, leading to more PE deals in the future.

Systemic Importance – Concentrations Of Providers Draw Regulatory Attention

As FIs increasingly rely on outsourcing providers, the providers become systemically important to the financial services sector, often with multiple global FIs relying on the same provider to service the majority of clients. This potential concentration risk is drawing increasing regulatory attention.

Currently unregulated providers may not remain so. Evidence suggests regulators across the globe are also now observing resiliency risks arising in relation to unregulated providers. The European Banking Authority’s Draft Guidelines on Outsourcing require financial services firms to consider both intra-firm risk and sector risk when assessing the risk profile of an outsourcing arrangement. Further, the guidelines note that if a competent authority (i.e., a regulator in a European Member State) considers the sectorial concentration risk too great, the regulator may order that affected arrangements cease. The FCA’s 2018/2019 business plan identified data security, resilience, and outsourcing among its eight cross-sector priority areas. The regulator is currently determining the risks of outsourcing and third-party providers, with particular emphasis on concentration risk. The regulatory mood toward systemically important outsource providers is undoubtedly changing, and regulators are keen to generate debate on the operational resiliency of firms they do not (yet) supervise. This future regulatory scrutiny should be considered when assessing the scalability of a target or current or planned positioning of a portfolio company.

How Can PE Firms Mitigate Risk?

PE firms should be mindful of regulatory scrutiny and approach financial services outsourcing deals with pragmatism. In our view, teams should invest the time to understand the regulatory perimeter within which a third-party provider operates. Firms must look beyond the service provider to its underlying clients, and consider the potential for knock-on regulatory risk. If, for example, a service provider’s mistake leads to a bank’s regulatory failure, this could result in significant litigation that firms may not be able to contractually protect against. Early in a potential transaction, PE teams should identify potential regulatory risks and assess management’s understanding of the firm’s regulatory obligations and the historic and potential scope of regulatory attention.