Outsourcing and Third Party Risk Management - Eversheds ...
Outsourcing & Third Party Risk Management. Global. Financial services - Digital Financial Services; Technology, Media and Telecoms. 14-04-2021.
The PRA has recently published Policy Statement PS7/21, which contains the PRA’s final Supervisory Statement SS2/21 on “Outsourcing and third party risk management” following on from Consultation Paper CP30/19 in December 2019. In essence, this update is the PRA’s latest and definitive position on outsourcing and third party risk management which is intended to (amongst other objectives) implement the European Banking Authority Guidelines on Outsourcing Arrangements (“EBA Guidelines”) and facilitate greater adoption of cloud and other new technologies.
We have highlighted in this briefing some of the key points for financial institutions to be aware of following this update, with a particular focus on changes made as a result of responses to the consultation. This briefing should be read in conjunction with our article on the publication by the Bank of England, PRA and FCA of their final rules and guidance on operational resilience for financial institutions and financial market infrastructures available here.
Outsourcing and other third party arrangements
The core requirements of SS2/21 continue to apply to an “outsourcing” that has the now well-rehearsed definition of being an arrangement between the firm and a service provider where the service provider performs a process, service or activity which would otherwise be undertaken by the firm itself. The PRA has helpfully elected not to broaden this definition (as was envisaged as a possibility in CP30/19) to include other third party arrangements that are performed in a prudential context, which we are aware was a suggestion that had caused some concern in the market.
There remains a distinction between an “outsourcing” and a “non-outsourcing third party arrangement”. The PRA is (not surprisingly) clear that a non-outsourcing third party arrangement can still be material or high risk and if that is the case then the firm should implement proportionate, risk-based, suitable controls but those are not necessarily the same as those that would apply to an outsourcing arrangement – they should be appropriate to the materiality and risks of the third party arrangement but still as robust as the controls that would apply to outsourcing arrangements with an equivalent level of risk. This is helpful guidance as there continues to be an increased reliance on solutions that are technology heavy but perhaps service or process light. We can expect firms to start to look at their outsourcing and other third party arrangements on a more holistic basis.
There is also helpful clarification that certain arrangements among regulated financial institutions, including between firms and financial market infrastructures, do not fall within the definition of outsourcing. These arrangements include clearing, settlement and in particular custody services; to address some recent debate that such arrangements could be caught by the outsourcing regulatory framework.
Intra-group Arrangements
The PRA has stated that intra-group arrangements should not be treated as “inherently less risky” than third party arrangements and are subject to the same requirements and expectations. However, it has confirmed that the principles of proportionality may be able to be applied to intra-group arrangements with the result that certain aspects could be managed differently in practice. When exercising proportionality, a firm should take into account its level of “control and influence” over the entity providing the outsourced service.
While an intra-group outsourcing arrangement must always be documented in writing, the PRA has stated that it may be proportionate to adapt certain clauses in outsourcing agreements. One example given (depending on the circumstances) is that the firm may be able to rely on group wide business continuity policies and exit plans.
Data Location
Among other clarifications in relation to data security, the PRA has confirmed that it expects firms to “know the location of their data at all times, including when in transit”. The PRA suggests that firms identify whether their data could be processed in any high risk jurisdictions outside the risk tolerance in their outsourcing policy. However, the PRA has declined to go so far as to publish a list of what it considers to be a high risk jurisdiction and firms are expected to reach their own conclusions, depending on factors such as the local regulatory requirements in a particular jurisdiction, the ease of accessing the data in a timely manner and other potential risks to the availability, security or confidentiality of data.
On-Site Audits
The PRA has provided further clarification on its interpretation of the requirement under the EBA Guidelines to have unrestricted rights of audit. In particular, the PRA has acknowledged that there may be certain types of onsite audit which could create an unmanageable risk for the environment of the service provider. In such circumstances, the PRA confirms that it may be appropriate for the firm to agree with the service provider an alternative way of achieving an equivalent level of reassurance. However, it appears that this is very much intended to be an exception to apply in limited circumstances only.
On the challenging topic of penetration testing, helpful guidance has also been provided that rather than firms being expected to pen test the infrastructure of their service providers, what is more relevant is access to the results of the testing that the service provider (or its third party contractors on its behalf) performs on its own technology.
Sub-Outsourcing
The PRA has clarified a number of issues around sub-outsourcing including the following:
- the detailed expectations on sub-outsourcing only apply to material sub-outsourcing, to be determined in accordance with the materiality criteria set out in Chapter 5 of SS2/21; and
- firms are not expected to directly monitor the sub-outsourcing parties themselves provided they can effectively oversee and monitor the outsourcing arrangement as a whole, including by ensuring the service provider appropriately manages the sub-outsourcing.
Termination Rights
SS2/21 includes some updated guidance for firms on how to approach the topic of termination and the termination rights that are referenced in the EBA Guidelines. The requirements in respect of termination will of course need to be applied on a case by case basis, but in broad terms the language in SS2/21 makes it far easier to apply what are fairly well established market practice termination rights for a third party outsourcing or technology arrangement.
Non-Contractual Requirements
There are also a number of non-contractual requirements in the context of third party outsourcings which the PRA has drawn out in more detail. In particular, the PRA has clarified a number of points around the notification and record keeping requirements, including the following:
- the PRA considers that, in some circumstances, it may be appropriate to notify it of a planned material outsourcing prior to selection of final service provider. This underlines the requirement to engage with and notify the PRA at an early stage in planned outsourcings – this cannot be stressed enough in current times;
- the PRA also expects to be notified of material non-outsourcing third party arrangements which may constitute “information of which the PRA would reasonably expect notice”;
- the PRA expects to be made aware in a circumstance where a third party service provider to a material outsourcing is unable or unwilling to include certain terms within the contract which are required by the PRA; and
- the PRA is going to publish a subsequent consultation setting out proposals for an online centralised portal to be populated by firms with information on their outsourcing arrangements. This would link in with the existing obligations on firms to maintain this internal register of their outsourcing arrangements.
Timeline for Compliance
The PRA has confirmed that firms will be expected to comply with the requirements set out in SS2/21 by Thursday 31 March 2022 in respect of outsourcing arrangements entered into on or after Wednesday 31 March 2021. In respect of legacy outsourcing agreements, the PRA expects firms to work towards remediating these contracts at the first appropriate contractual renewal or revision point as soon as possible on or after 31 March 2022.
In welcome news for dual-regulated firms, the FCA has since updated its expectations for FCA-regulated firms who are within scope of the EBA Guidelines, confirming that it no longer expects firms to report to the FCA on their progress towards meeting the EBA-imposed deadline of 31 December 2021 to comply with the EBA Guidelines. Instead, in line with the PRA’s approach under SS2/21 and the related rules and guidance on operational resilience, the FCA now expects firms to review any outstanding important or critical arrangements at the first appropriate contract renewal following the first renewal date or revision point and inform the FCA where those arrangements have not been finalised by 31 March 2022.
Simon Gamlin, Partner, +442079194689
Kirstin McCracken, Principal Associate, +442079190851
Nal Townley, Senior Associate, +442079194654
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.