The PRA's expectations on outsourcing and third party risk ...


The PRA's expectations on outsourcing and third party risk management

At the end of March, the Prudential Regulation Authority (PRA) published Policy Statement 7/21 (PS7/21) and Supervisory Statement 2/21 (SS2/21), which set out its expectations of PRA-regulated firms regarding outsourcing and third party risk management. The publications are part of the wider operational resilience policy package released jointly with the Bank of England (the Bank) and the UK Financial Conduct Authority (FCA). For further information on this policy package, please see our previous post here.

In this post, we briefly explain the background to these publications and review the implications for both PRA-regulated firms and service providers. Briefly, the financial services firms to which SS2/21 is directed are:
- banks, building societies, and PRA-designated investment firms (banks);
- insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd's and managing agents (insurers); and
- branches of overseas banks and insurers (third-country branches).

It is important to note that while these firms are regulated by the PRA for prudential purposes, they will also be subject to the FCA in regard to conduct of business matters. As such, the outsourcing and third party arrangements of the firms within scope of SS2/21 are of interest to both the PRA and the FCA, albeit that the regulators will apply different, but complementary, lenses in supervising firms' approaches to those arrangements.

Key takeaways

- In SS2/21, the PRA does not diverge from the prevailing principle that firms remain responsible for compliance with regulatory expectations. The existence of an outsourcing or third party arrangement does not diminish a firm's – and its Senior Managers' – responsibilities.
- The SS comes into effect in under 12 months' time. This means that, from 31 March 2022, firms are expected to meet the PRA's requirements as set out in SS2/21. PRA-regulated firms will need to use this short implementation period to overlay the PRA expectations onto their outsourcing and third party arrangements. For large, complex firms, it is likely that the implementation of the requirements will require a cross-divisional project for which express accountability should be assigned to a Senior Manager.
- While SS2/21 and the associated PS are relevant for PRA-regulated firms, they are also relevant to unregulated third party service providers, as these documents provide information about the expectations which their PRA-regulated customers must meet to maintain regulatory compliance and to be operationally resilient. The relevance for third party service providers includes those third parties which are within the same group as the firm and those which are external to the firm's group.
- SS2/21 and PS7/21 are set against the backdrop of earlier EU legislation and guidance, in particular guidance issued by the European Banking Authority (EBA). The SS provides further clarity on how regulated firms ought to engage and contract with third parties. In particular, the SS goes further than the "outsourcing" arrangements covered in the EBA Guidelines, to also consider non-outsourcing third party agreements which are either material or high risk.
- The PRA does not dictate a one-size-fits-all approach. As described at 3.1 of SS2/21, firms are expected to meet the requirements in SS2/21 "in a manner appropriate to: their size and internal organisation; the nature, scope and complexity of their activities; and the criticality or importance of the outsourced functions, in line with the principle of proportionality."
- Intragroup arrangements are not to be treated as inherently less risky than arrangements with third party service providers outside of a firm's group.
- The SS clarifies that PRA-regulated firms should assess the risks of sub-outsourcings before entering into any arrangements, to ensure visibility of the supply chain. Where the sub-outsourcing meets the materiality criteria, the PRA has more onerous expectations of the firm and its ongoing responsibility to oversee any material sub-outsourcing.
The background

Prior to Brexit, the UK requirements on outsourcing were largely covered in EU legislation and materials issued by the EU supervisory bodies. Of particular relevance in the context of SS2/21 are the EBA Guidelines on outsourcing, which were published in February 2019 and entered into force on 30 September 2019, and for which transitional provisions apply until 31 December 2021. The UK FCA notified the EBA of its intention to comply with the EBA Guidelines in February 2019. The FCA's approach is important because firms subject to the PRA's SS will also be subject to the FCA's requirements.

The SS is annotated with wording to say that it 'comes into effect' on 31 March 2022, but this should not be misunderstood. It means that outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations in the SS by 31 March 2022. Firms should also seek to review and update their outsourcing arrangements entered into before 31 March 2021 (legacy agreements) "at the first appropriate contractual renewal or revision point" as soon as possible on or after 31 March 2022. The PRA's text recognises that some legacy arrangements may not have a suitable renewal point before 31 March 2022; this enables firms to make the revisions to legacy arrangements which are required to meet the PRA's expectations at the first available renewal point after 31 March 2022.

In effect, on 31 March 2022, firms are likely to have a mix of the following:
- arrangements entered into after 31 March 2021 which meet the expectations set out in the SS; and
- legacy arrangements, which have not yet been revised but for which there is an upcoming renewal or revision point which will be used at the first available opportunity to make revisions to bring the arrangement into line with the PRA's expectations.
While the March 2022 date in SS2/21 and the December 2021 date in the aforementioned EBA Guidelines do not align, this timing issue is unlikely to have significant practical implications from the UK regulators' perspective. The PRA has explicitly stated that SS2/21 implements the EBA Guidelines in a manner aligned to the PRA's expectations, while the FCA has said that it does not expect firms to report to it on their progress towards meeting the 31 December 2021 deadline. However, where critical or important outsourcing arrangements entered into on or after 31 March 2021 have not been finalised by 31 March 2022, both the PRA and the FCA expect to be informed. For firms operating internationally, the EBA timescales and/or any other jurisdictional requirements may need to be factored into firms' compliance programme(s).

The PRA's overarching aim is that firms appropriately manage third party dependencies to mitigate risk to the PRA's statutory objectives. While the SS elaborates on the definition of "outsourcing" as used in the relevant Parts of the PRA Rulebook, the SS also notes that some arrangements with third parties fall outside of the scope of the PRA Rulebook definition. However, the SS reminds firms that third party arrangements nevertheless remain subject to the PRA's Fundamental Rules and relevant rules on risk management and governance.

Practical steps for firms

The key areas with which PRA-regulated firms should ensure compliance include:

Proportionate, risk-based, suitable controls for any material and/or high risk third party arrangements: The SS states that firms should assess all third party arrangements for materiality and high risk, irrespective of whether they fall within the definition of outsourcing, using all the relevant criteria from Chapter 5 of the SS.
As a guide, materiality is determined where a defect or failure in its performance could materially impair the financial stability of the UK, or a firm's: (i) ability to meet the threshold conditions for authorisation and to remain authorised; (ii) compliance with the Fundamental Rules; (iii) requirements under "relevant legislation" and the PRA Rulebook; or (iv) safety and soundness, including its financial resilience (i.e., assets, capital, funding, and liquidity) or operational resilience (i.e., its ability to continue providing important business services).

Where non-outsourcing third party arrangements are deemed to be material or high risk, then effective, "proportionate, risk-based, suitable controls" should be implemented. These should be equally robust and commensurate to the materiality or risk exposure of the arrangement. If materiality is determined, the requirements include notifying the PRA of the material arrangements entered into or amended, and implementing follow-up actions such as enhancing due diligence, governance or risk management, or rewriting an agreement where necessary. Chapter 6 of the SS also provides further guidance on what should be included in written material outsourcing agreements.

Intragroup arrangements not to be inherently treated as lower risk: The SS states that intragroup arrangements are not to be treated as inherently less risky than those with service providers outside of a firm's group. However, the SS also provides that:
- firms can comply with some of the outsourcing requirements proportionately, depending on their level of "control and influence" over the entity that is providing the outsourced service;
- the determination of the level of control and influence can be based on the group's governance structure, the allocation of senior management functions, the ability to alter intragroup outsourcing arrangements and the consistency of group-wide standards; and
- firms may leverage existing regulatory frameworks to also meet expectations for intragroup outsourcing agreements.
The SS sets out additional examples of how proportionality can apply to intragroup arrangements and third-country branches. For example, a firm may adjust its vendor due diligence, adapt certain clauses in outsourcing agreements and rely on group policies and procedures, as long as doing so complies with its UK legal and regulatory obligations and allows it to manage relevant risks.

Outsourcing arrangements: The PRA expects that if a third party service provider in a material outsourcing (or other relevant third party) arrangement is unable or unwilling to include certain terms within its contract that reflect the firm's obligations, that firm should inform the PRA. Beyond this, the PRA also has proposals for an online portal to integrate and streamline existing notification obligations, through which firms will be required to submit information on their outsourcing and third party arrangements.

Data security: None of the expectations in the SS should be interpreted as explicitly or implicitly favouring or imposing restrictive data localisation requirements. However, the PRA expects firms to adopt a risk-based approach to the location of data that allows them to leverage the operational resilience advantages of outsourced data being stored in multiple locations while managing relevant risks.
Conclusion

SS2/21 offers helpful insight into the PRA's expectations on outsourcing and third party arrangements. Increasing interdependencies between the regulated and unregulated sectors, together with digitalisation, have driven regulatory focus on operational resilience, of which outsourcing and third party risk management are a key element. It is crucial that firms manage outsourcing and third party risk effectively and efficiently. As the PRA's Deputy CEO and Executive Director for the Regulatory Operations and Supervisory Risk Specialists observed in their speech on 5 May 2021: "There is no bailout option if your firm is unable to function because of an operational incident. There is no operator of last resort function in Threadneedle Street."

Firms should expect both the PRA and the FCA to closely scrutinise their systems and controls around outsourcing and third party arrangements; for example, this may mean short notice requests for outsourcing registers and related information. Firms which are not able to demonstrate good, effective management of this risk may be expected to face increased scrutiny from supervisors. In some circumstances, regulatory enforcement is a possibility. The potential outcomes of enforcement include fines, limitations being imposed on the firm's activities, public censure/publicity which may damage the firm's reputation with clients and stakeholders, and significant remedial work.

In conclusion, while the finalising of the PRA's expectations on outsourcing and third party risk management within the context of operational resilience is an important milestone, the broader operational resilience landscape will continue to develop at both the domestic and international level. While the outcomes of different policies from different jurisdictions may be well aligned, approaches and timelines will differ, which will create complexity for firms operating cross-border.

Key dates summary

30 September 2019: The EBA Guidelines apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019.

29 March 2021: The PRA publishes its final policy on outsourcing and third party risk management as part of the wider operational resilience package issued by the UK authorities.
31 December 2021: Under the EBA Guidelines, outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019 should be compliant. (The FCA does not expect firms to inform it of progress towards meeting this timeline.)

31 March 2022: Outsourcing arrangements entered into on or after 31 March 2021 should meet the PRA's expectations by 31 March 2022. Where critical or important outsourcing arrangements entered into on or after 31 March 2021 have not been finalised by 31 March 2022, firms should notify the regulators. In respect of legacy outsourcing arrangements (i.e., arrangements entered into before 31 March 2021), firms should seek to review and update these at the first appropriate contractual renewal or revision point as soon as possible on or after Thursday 31 March 2022. The PRA's text recognises that some legacy arrangements may not have a suitable renewal point before 31 March 2022; this enables firms to make the revisions to legacy arrangements which are required to meet the PRA's expectations at the first available renewal point after 31 March 2022. Under the broader operational resilience requirements, firms are expected to have:
- identified their important business services and set impact tolerances;
- mapped their important business services and started scenario testing; and
- developed and put into effect a strategy or plan that sets out how they will comply with the regulators' requirements and expectations.

31 March 2025: Under the broader operational resilience requirements, firms should have sound, effective, and comprehensive strategies, processes, and systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service in the event of a severe but plausible disruption (or extreme disruption).

Our Operational Resilience Hub helps to keep you up to date on the upcoming regulatory expectations. The hub features an interactive timeline which covers a number of jurisdictions and output from global standard setters such as the BCBS. The content includes operational resilience, cyber resilience, outsourcing, and more.
Authors: Nick Pantlin (Partner), Cat Dankos (Regulatory Consultant), Terence Lau (Senior Associate), Stefanie Lo (Trainee Solicitor), Claire Wiseman (Professional Support Lawyer)


