This month, the UK Prudential Regulation Authority (PRA) released its consultation on proposals for modernising the regulatory framework on outsourcing and third party risk management in the financial services sector (the “Consultation”). The Consultation, Outsourcing and third party risk management (CP30/19), was published as part of a set of documents on operational resilience, including a shared policy summary published by the FCA, PRA and Bank of England and coordinated consultation papers published by the PRA (CP29/19) and the FCA (CP19/32).
The Consultation recognises the increasing reliance of firms on technology provided by third parties, which creates risks around matters such as ensuring that important or sensitive data outsourced to or shared with third parties remains secure and accessible to firms and regulators. It also recognises that the increasing complexity of some outsourced technologies can make it difficult for firms to fully comprehend and manage the associated risks. Further, where certain outsourced services are heavily dominated by a small number of third party providers, this may give rise to systemic concentration risk: the provider becomes a potential single point of failure within the financial system, and firms may also find it difficult to withdraw from such arrangements.
The Consultation seeks to:
- complement the proposals set out in the PRA Rulebook, the PRA’s Statement of Policy and the FCA’s Supervisory Statement on ‘Operational Resilience: Impact tolerances for important business services’;
- ‘facilitate greater resilience and adoption of the cloud and other new technologies’ as identified by the Bank of England in its response to the “Future of Finance” report;
- implement the European Banking Authority (EBA) “Guidelines on Outsourcing Arrangements”; and
- take into account the draft European Insurance and Occupational Pensions Authority (EIOPA) guidelines on outsourcing to cloud service providers and EBA guidelines on ICT and security risk management.
Proposals in the Supervisory Statement
The PRA’s draft Supervisory Statement (SS) sets out how firms should comply with their existing regulatory requirements and expectations in relation to outsourcing and third party risk management.
- Definition of Outsourcing: The draft SS expands the definition of ‘outsourcing’ currently in the PRA Rulebook and acknowledges that there are certain arrangements that fall outside the definition. The PRA expects all firms to start from the assumption that all activities, functions and services performed or provided by third parties in a “prudential context” as defined in the PRA Rulebook should come under the outsourcing definition.
- Governance: The PRA expects firms to have appropriate governance and internal controls to identify, manage and report risks resulting from all arrangements with third parties. Boards and senior management cannot outsource their responsibilities and remain responsible for key decisions regarding the firm’s outsourcing arrangements.
- Due diligence and risk assessment: Firms should determine the materiality of each outsourcing arrangement they enter into, carry out appropriate due diligence on their proposed service providers and conduct a risk assessment in respect of all outsourcing arrangements.
- Principle of proportionality: Firms are expected to meet the expectations set out in the SS in a manner appropriate to their size and internal organisation, as well as to the nature, scope and complexity of their activities.
- Intra-group outsourcing: Intra-group outsourcing is subject to the same requirements and expectations as outsourcing outwith a firm’s group and should not be treated as inherently less risky. However, firms may take a proportionate approach to assessing risk depending on their level of ‘control and influence’ over the group company providing the outsourced service.
- Record-keeping and outsourcing register: From 31 December 2021, firms will be expected to maintain an up-to-date register of information on their outsourcing arrangements. The Annex to the draft SS contains guidance on how to complete the outsourcing register. The register may in future take the form of a portal, which would allow the PRA to analyse and compare outsourcing data across firms; the PRA is likely to consult further on its exact form.
- Outsourcing policy: The EBA Outsourcing Guidelines and EBA Governance Guidelines (banks) and Conditions Governing Business 2.4(1) (insurers) state that firms’ boards should approve, regularly review and implement a written outsourcing policy. Firms can choose to apply some or all of that policy to other third-party arrangements. The policy should work alongside existing firm policies, such as data protection and business continuity policies.
- Outsourcing agreements: The SS notes that outsourcing agreements should be in written form (regardless of materiality) and goes on to consider minimum requirements for material outsourcing arrangements, in particular those relating to data security, access, audit and information rights, sub-outsourcing, and business continuity and exit plans.
The proposals are relevant to all UK banks, building societies, PRA-designated investment firms, insurance and reinsurance firms and groups in scope of the Solvency II Directive, as well as UK branches of overseas banks and insurers. Certain proposals within the Consultation will also apply to credit unions and non-directive firms. The PRA has assessed that, if the UK leaves the EU with no implementation period in place, the proposals would not need to be amended under the EU (Withdrawal) Act 2018.
The deadline for responding to the Consultation is 3 April 2020, with the PRA aiming to publish its final policy on the proposals in the second half of 2020.
MacRoberts’ team of outsourcing specialists regularly advises on the regulatory aspects of outsourcings.
This article was co-written by Zoe Jarvis.