Outsourcing, Third Party Risk Management & Operational Resilience: PRA final policy and supervisory statements published

On 29 March 2021, the UK Prudential Regulation Authority (PRA) published its eagerly anticipated final policy and supervisory statements in relation to outsourcing, third party risk management and operational resilience. As many readers will recall, the final statements follow on from the PRA’s consultation held in 2019, more details of which can be found here. The policy and supervisory statements have been published in coordination with the Financial Conduct Authority and the Bank of England.

The PRA’s final statements will have brought welcome certainty to many – however, what exactly do the statements say? And what impact are they likely to have on the UK financial services sector moving forward?

Outsourcing and Third Party Risk Management

Policy Statement (PS7/21)

The PRA’s Policy Statement can be found here.

The Policy Statement provides detailed commentary to accompany the Supervisory Statement and provides context to the new regulatory framework. The Policy Statement is therefore set out in such a way as to mirror the Supervisory Statement. We recommend reading the Policy Statement in order to aid your understanding of the new rules and ensure you are fully prepared.

Supervisory Statement (SS2/21)

The PRA’s Supervisory Statement can be found here.

What is Outsourcing?

The PRA Rulebook defines ‘outsourcing’ as:

“an arrangement of any form between a customer and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the customer itself.”

In the final Supervisory Statement, however, the PRA makes clear that firms should assess the materiality and risks of all third-party agreements using all relevant criteria set out in Chapter 5 of the statement instead of simply applying the formal definition.

What does the Supervisory Statement include?

The Supervisory Statement covers the following areas: proportionality, governance and record-keeping, the pre-outsourcing phase, outsourcing agreements, data security, audit and information rights, sub-outsourcing, business continuity and exit plans.

The Supervisory Statement implements the EBA Guidelines on outsourcing arrangements (and, in some respects, expands on them), together with some elements of the EBA Guidelines on ICT and security risk management. However, it does not implement EIOPA Guidelines on outsourcing to cloud service providers, information and communication technology security and governance, or ESMA Guidelines on outsourcing to cloud service providers. There is some divergence between UK and EU law in this regard and, as such, firms whose operations fall within the scope of the Supervisory Statement should take care in applying its requirements.

When will the Supervisory Statement apply?

The requirements will be effective from 31 March 2022.

The PRA expects any outsourcing arrangements entered into on or after 31 March 2021 to be compliant by 31 March 2022, and all older outsourcing arrangements to be reviewed and updated accordingly at the “first appropriate contractual renewal or revision point” to meet the expectations as soon as possible on or after 31 March 2022.

The PRA expects firms to meet their obligations in a manner appropriate to their size, and the scope and complexity of their activities, in line with the principle of proportionality.

Operational Resilience: Impact Tolerances Important for Business

Policy Statement (PS6/21):

The PRA’s Policy Statement can be found here.

The PRA’s policy objective is “to improve the resilience to operational disruptions of both firms and the wider financial sector” by implementing a proportionate minimum standard of operational resilience. In the same vein as the Outsourcing and Third Party Risk Management Policy Statement, this statement provides context to the new regulatory framework and is therefore worth reading.

Supervisory Statement (SS1/21):

The PRA’s Supervisory Statement can be found here.

What is Operational Resilience?

The PRA defines operational resilience as:

“the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover from, and learn from operational disruptions” and is based on the assumption that “from time to time, disruptions will occur which will prevent firms from operating as usual and see them unable to provide their services for a period.”

What does the Supervisory Statement include?

The statement covers the following areas: important business services, impact tolerances, actions to remain within impact tolerance, mapping, scenario testing, governance, self-assessment, and groups.

When will the Supervisory Statement apply?

The Operational Resilience Supervisory Statement will be effective from 31 March 2022.

In terms of mapping and scenario planning, the PRA considers these to be ongoing processes and, as such, states that “firms are not expected to have performed mapping and scenario testing to the full extent of sophistication by 31 March 2022.”

As regards impact tolerances, firms must have a plan drawn up by no later than 31 March 2025, with evidence of steps being taken to implement it by 31 March 2022.

Looking ahead

The changes made by the PRA modernise the regulatory framework and provide greater clarity and support to all financial services firms located in the UK, including banks, building societies, PRA-designated advice firms, insurers, re-insurers, groups in scope of the Solvency II directive, as well as all UK branches of overseas banks and insurers.

The new arrangements will create some divergence between UK and EU law. We therefore advise any business with operations in both the UK and the EU to ensure full compliance in each jurisdiction, where applicable.

The PRA is planning a follow-up consultation on the idea of developing an online portal for firms to detail their outsourcing and third party arrangements and intends to undertake further analysis on whether additional policy measures to manage the risks that critical third parties could pose to their objectives are appropriate.

How can we help?

MacRoberts’ Information Technology & Outsourcing specialists regularly advise on the regulatory aspects of outsourcings, so please do not hesitate to contact us to find out how we can assist your business.

This article was co-written by Kirsty Fryer, Trainee Solicitor.
