The PRA's expectations on outsourcing and third party risk management
Categories
This post is part of the following categories:
Banking, Operational Resilience, Outsourcing, Prudential, Regulatory, UK
At the end of March, the Prudential Regulation Authority (PRA) published Policy Statement 7/21 (PS7/21) and Supervisory Statement 2/21 (SS2/21), which set out its expectations of PRA-regulated firms regarding outsourcing and third party risk management.
The publications are part of the wider operational resilience policy package released jointly with the Bank of England (the Bank) and the UK Financial Conduct Authority (FCA). For further information on this policy package, please see our previous post here.
In this post, we briefly explain the background to these publications and review the implications for both PRA-regulated firms and service providers. Briefly, the financial services firms to which SS2/21 is directed are:
banks, building societies, and PRA-designated investment firms (banks);
insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd's and managing agents (insurers); and
branches of overseas banks and insurers (third-country branches).
It is important to note that while these firms are regulated by the PRA for prudential purposes, they will also be subject to the FCA with regard to conduct of business matters. As such, the outsourcing and third party arrangements of the firms within scope of SS2/21 are of interest to both the PRA and the FCA, albeit that the regulators will apply different, but complementary, lenses in supervising firms' approaches to those arrangements.
Key takeaways
In SS2/21, the PRA does not diverge from the prevailing principle that firms remain responsible for compliance with regulatory expectations. The existence of an outsourcing or third party arrangement does not diminish a firm's – and its Senior Managers' – responsibilities.
The SS comes into effect in under 12 months' time. This means that, from 31 March 2022, firms are expected to meet the PRA's requirements as set out in SS2/21. PRA-regulated firms will need to use this short implementation period to overlay the PRA's expectations onto their outsourcing and third party arrangements. For large, complex firms, it is likely that implementation of the requirements will require a cross-divisional project for which express accountability should be assigned to a Senior Manager.
While SS2/21 and the associated PS are relevant for PRA-regulated firms, they are also relevant to unregulated third party service providers, as these documents provide information about the expectations which their PRA-regulated customers must meet to maintain regulatory compliance and to be operationally resilient. The relevance for third party service providers includes those third parties which are within the same group as the firm and those which are external to the firm's group.
SS2/21 and PS7/21 are set against the backdrop of earlier EU legislation and guidance, in particular guidance issued by the European Banking Authority (EBA). The SS provides further clarity on how regulated firms ought to engage and contract with third parties. In particular, the SS goes further than the "outsourcing" arrangements covered in the EBA Guidelines, to also consider non-outsourcing third party agreements which are either material or high risk.
The PRA does not dictate a one-size-fits-all approach. As described at 3.1 of SS2/21, firms are expected to meet the requirements in SS2/21 "in a manner appropriate to: their size and internal organisation; the nature, scope and complexity of their activities; and the criticality or importance of the outsourced functions, in line with the principle of proportionality."
Intragroup arrangements are not to be treated as inherently less risky than arrangements with third party service providers outside of a firm's group.
The SS clarifies that PRA-regulated firms should assess the risks of sub-outsourcings before entering into any arrangements, to ensure visibility of the supply chain. Where the sub-outsourcing meets the materiality criteria, the PRA has more onerous expectations of the firm and its ongoing responsibility to oversee any material sub-outsourcing.
The background
Prior to Brexit, the UK requirements on outsourcing were largely covered in EU legislation and materials issued by the EU supervisory bodies. Of particular relevance in the context of SS2/21 are the EBA Guidelines on outsourcing, which were published in February 2019 and entered into force on 30 September 2019, and for which transitional provisions apply until 31 December 2021. The UK FCA notified the EBA of its intention to comply with the EBA Guidelines in February 2019. The FCA's approach is important because firms subject to the PRA's SS will also be subject to the FCA's requirements.
The SS is annotated with wording to say that it 'comes into effect' on 31 March 2022, but this should not be misunderstood. It means that outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations in the SS by 31 March 2022. Firms should also seek to review and update their outsourcing arrangements entered into before 31 March 2021 (legacy agreements) "at the first appropriate contractual renewal or revision point" as soon as possible on or after 31 March 2022.
The PRA's text recognises that some legacy arrangements may not have a suitable renewal point before 31 March 2022; this enables firms to make the revisions to legacy arrangements which are required to meet the PRA's expectations at the first available renewal point after 31 March 2022. In effect, on 31 March 2022, firms are likely to have a mix of the following:
arrangements entered into on or after 31 March 2021 which meet the expectations set out in the SS; and
legacy arrangements, which have not yet been revised but for which there is an upcoming renewal or revision point which will be used at the first available opportunity to make revisions to bring the arrangement into line with the PRA's expectations.
While the March 2022 date in SS2/21 and the December 2021 date in the aforementioned EBA Guidelines do not align, this timing issue is unlikely to have significant practical implications from the UK regulators' perspective. The PRA has explicitly stated that SS2/21 implements the EBA Guidelines in a manner aligned to the PRA's expectations, while the FCA has said that it does not expect firms to report to it on their progress towards meeting the 31 December 2021 deadline. However, where critical or important outsourcing arrangements entered into on or after 31 March 2021 have not been finalised by 31 March 2022, both the PRA and the FCA expect to be informed.
For firms operating internationally, the EBA timescales and/or any other jurisdictional requirements may need to be factored into firms' compliance programme/s.
The PRA's overarching aim is that firms appropriately manage third party dependencies to mitigate risk to the PRA's statutory objectives. While the SS elaborates on the definition of "outsourcing" as used in the relevant Parts of the PRA Rulebook, the SS also notes that some arrangements with third parties fall outside of the scope of the PRA Rulebook definition. However, the SS reminds firms that such third party arrangements nevertheless remain subject to the PRA's Fundamental Rules and relevant rules on risk management and governance.
Practical steps for firms
The key areas in which PRA-regulated firms should ensure compliance include:
Proportionate, risk-based, suitable controls for any material and/or high risk third party arrangements: The SS states that firms should assess all third party arrangements for materiality and high risk, irrespective of whether they fall within the definition of outsourcing, using all the relevant criteria from Chapter 5 of the SS.
As a guide, an arrangement is material where a defect or failure in its performance could materially impair the financial stability of the UK, or a firm's: (i) ability to meet the threshold conditions for authorisation and to remain authorised; (ii) compliance with the Fundamental Rules; (iii) requirements under "relevant legislation" and the PRA Rulebook; or (iv) safety and soundness, including its financial resilience (i.e., assets, capital, funding, and liquidity) or operational resilience (i.e., its ability to continue providing important business services).
Where non-outsourcing third party arrangements are deemed to be material or high risk, then effective, "proportionate, risk-based, suitable controls" should be implemented. These should be equally robust and commensurate with the materiality or risk exposure of the arrangement. If materiality is determined, the requirements include notifying the PRA of the material arrangements entered into or amended, and implementing follow-up actions such as enhancing due diligence, governance or risk management, or rewriting an agreement where necessary. Chapter 6 of the SS also provides further guidance on what should be included in written material outsourcing agreements.
Intragroup arrangements not to be treated as inherently lower risk: The SS states that intragroup arrangements are not to be treated as inherently less risky than those with service providers outside of a firm's group. However, the SS also provides that:
firms can comply with some of the outsourcing requirements proportionately, depending on their level of "control and influence" over the entity that is providing the outsourced service;
the determination of the level of control and influence can be based on the group's governance structure, the allocation of senior management functions, the ability to alter intragroup outsourcing arrangements and the consistency of group-wide standards; and
firms may leverage existing regulatory frameworks to also meet expectations for intragroup outsourcing agreements.
The SS sets out additional examples of how proportionality can apply to intragroup arrangements and third-country branches. For example, a firm may adjust its vendor due diligence, adapt certain clauses in outsourcing agreements and rely on group policies and procedures, as long as doing so complies with its UK legal and regulatory obligations and allows it to manage the relevant risks.
Outsourcing arrangements: The PRA expects that if a third party service provider in a material outsourcing (or other relevant third party) arrangement is unable or unwilling to include certain terms within its contract that reflect the firm's obligations, the firm should inform the PRA. Beyond this, the PRA also has proposals for an online portal to integrate and streamline existing notification obligations, through which firms will be required to submit information on their outsourcing and third party arrangements.
Data security: None of the expectations in the SS should be interpreted as explicitly or implicitly favouring or imposing restrictive data localisation requirements. However, the PRA expects firms to adopt a risk-based approach to the location of data that allows them to leverage the operational resilience advantages of outsourced data being stored in multiple locations while managing the relevant risks.
Conclusion
SS2/21 offers helpful insight into the PRA's expectations on outsourcing and third party arrangements. Increasing interdependencies between the regulated and unregulated sectors, together with digitalisation, have driven regulatory focus on operational resilience, of which outsourcing and third party risk management are a key element. It is crucial that firms manage outsourcing and third party risk effectively and efficiently. As the PRA's Deputy CEO and Executive Director for Regulatory Operations and Supervisory Risk Specialists observed in their speech on 5 May 2021:
"There is no bailout option if your firm is unable to function because of an operational incident. There is no operator of last resort function in Threadneedle Street."
Firms should expect both the PRA and the FCA to closely scrutinise their systems and controls around outsourcing and third party arrangements; for example, this may mean short notice requests for outsourcing registers and related information. Firms which are not able to demonstrate good, effective management of this risk can expect to face increased scrutiny from supervisors. In some circumstances, regulatory enforcement is a possibility. The potential outcomes of enforcement include fines, limitations being imposed on the firm's activities, public censure/publicity which may damage the firm's reputation with clients and stakeholders, and significant remedial work.
In conclusion, while the finalising of the PRA's expectations on outsourcing and third party risk management within the context of operational resilience is an important milestone, the broader operational resilience landscape will continue to develop at both the domestic and international level. While the outcomes of different policies from different jurisdictions may be well aligned, approaches and timelines will differ, which will create complexity for firms operating cross-border.
Key dates summary
30 September 2019
The EBA Guidelines apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019.
29 March 2021
The PRA publishes its final policy on outsourcing and third party risk management as part of the wider operational resilience package issued by the UK authorities.
31 December 2021
Under the EBA Guidelines, outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019 should be compliant.
(The FCA does not expect firms to inform it of progress towards meeting this timeline.)
31 March 2022
Outsourcing arrangements entered into on or after 31 March 2021 should meet the PRA's expectations by 31 March 2022. Where critical or important outsourcing arrangements entered into on or after 31 March 2021 have not been finalised by 31 March 2022, firms should notify the regulators.
In respect of legacy outsourcing arrangements (i.e., arrangements entered into before 31 March 2021), firms should seek to review and update these at the first appropriate contractual renewal or revision point as soon as possible on or after Thursday 31 March 2022. The PRA's text recognises that some legacy arrangements may not have a suitable renewal point before 31 March 2022; this enables firms to make the revisions to legacy arrangements which are required to meet the PRA's expectations at the first available renewal point after 31 March 2022.
Under the broader operational resilience requirements, firms are expected to have identified their important business services and set impact tolerances; mapped their important business services and started scenario testing; and developed and put into effect a strategy or plan that sets out how they will comply with the regulators' requirements and expectations.
31 March 2025
Under the broader operational resilience requirements, firms should have sound, effective, and comprehensive strategies, processes, and systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service in the event of a severe but plausible disruption (or extreme disruption).
Our Operational Resilience Hub helps to keep you up to date on the upcoming regulatory expectations. The hub features an interactive timeline which covers a number of jurisdictions and output from global standard setters such as the BCBS. The content includes operational resilience, cyber resilience, outsourcing, and more.
Nick Pantlin
Partner
+44 20 7466 2570
Cat Dankos
Regulatory Consultant
+44 20 7466 7494
Terence Lau
Senior Associate
+44 20 7466 2441
Stefanie Lo
Trainee Solicitor
+44 20 7466 3560
Claire Wiseman
Professional Support Lawyer
+44204662267