Outsourcing and Third Party Risk Management - Eversheds ...


Outsourcing & Third Party Risk Management. Global. Financial services - Digital Financial Services; Technology, Media and Telecoms. 14-04-2021.
The PRA has recently published Policy Statement PS7/21, which contains the PRA’s final Supervisory Statement SS2/21 on “Outsourcing and third party risk management” following on from Consultation Paper CP30/19 in December 2019. In essence, this update is the PRA’s latest and definitive position on outsourcing and third party risk management which is intended to (amongst other objectives) implement the European Banking Authority Guidelines on Outsourcing Arrangements (“EBA Guidelines”) and facilitate greater adoption of cloud and other new technologies.

We have highlighted in this briefing some of the key points for financial institutions to be aware of following this update, with a particular focus on changes made as a result of responses to the consultation. This briefing should be read in conjunction with our article on the publication by the Bank of England, PRA and FCA of their final rules and guidance on operational resilience for financial institutions and financial market infrastructures available here.

Outsourcing and other third party arrangements

The core requirements of SS2/21 continue to apply to an “outsourcing” that has the now well-rehearsed definition of being an arrangement between the firm and a service provider where the service provider performs a process, service or activity which would otherwise be undertaken by the firm itself. The PRA has helpfully elected not to broaden this definition (as was envisaged as a possibility in CP30/19) to include other third party arrangements that are performed in a prudential context, which we are aware was a suggestion that had caused some concern in the market.

There remains a distinction between an “outsourcing” and a “non-outsourcing third party arrangement”. The PRA is (not surprisingly) clear that a non-outsourcing third party arrangement can still be material or high risk and if that is the case then the firm should implement proportionate, risk-based, suitable controls but those are not necessarily the same as those that would apply to an outsourcing arrangement – they should be appropriate to the materiality and risks of the third party arrangement but still as robust as the controls that would apply to outsourcing arrangements with an equivalent level of risk.

This is helpful guidance as there continues to be an increased reliance on solutions that are technology heavy but perhaps service or process light. We can expect firms to start to look at their outsourcing and other third party arrangements on a more holistic basis.

There is also helpful clarification that certain arrangements among regulated financial institutions, including between firms and financial market infrastructures do not fall within the definition of outsourcing. These arrangements include clearing, settlement and in particular custody services; to address some recent debate that such arrangements could be caught by the outsourcing regulatory framework.

Intra-group Arrangements

The PRA has stated that intra-group arrangements should not be treated as “inherently less risky” than third party arrangements and are subject to the same requirements and expectations. However, it has confirmed that the principles of proportionality may be able to be applied to intra-group arrangements with the result that certain aspects could be managed differently in practice. When exercising proportionality, a firm should take into account their level of “control and influence” over the entity providing the outsourced service.

While an intra-group outsourcing arrangement must always be documented in writing, the PRA has stated that it may be proportionate to adapt certain clauses in outsourcing agreements. One example given (depending on the circumstances) is that the firm may be able to rely on group wide business continuity policies and exit plans.

Data Location

Among other clarifications in relation to data security, the PRA has confirmed that it expects firms to “know the location of their data at all times, including when in transit”. The PRA suggests that firms identify whether their data could be processed in any high risk jurisdictions outside the risk tolerance in their outsourcing policy. However, the PRA has declined to go so far as to publish a list of what it considers to be high risk jurisdictions and firms are expected to reach their own conclusions, depending on factors such as the local regulatory requirements in a particular jurisdiction, the ease of accessing the data in a timely manner and other potential risks to the availability, security or confidentiality of data.

On-Site Audits

The PRA has provided further clarification on their interpretation of the requirement under the EBA Guidelines to have unrestricted rights of audit. In particular, the PRA has acknowledged that there may be certain types of onsite audit which could create an unmanageable risk for the environment of the service provider. In such circumstances, the PRA confirms that it may be appropriate for the firm to agree with the service provider an alternative way of achieving an equivalent level of reassurance. However, it appears that this is very much intended to be an exception to apply in limited circumstances only.

On the challenging topic of penetration testing, helpful guidance has also been provided that rather than firms being expected to pen test the infrastructure of their service providers, what is more relevant is access to the results of the testing that the service provider (or its third party contractors on its behalf) performs on its own technology.

Sub-Outsourcing

The PRA has clarified a number of issues around sub-outsourcing including the following:

- the detailed expectations on sub-outsourcing only apply to material sub-outsourcing, to be determined in accordance with the materiality criteria set out in Chapter 5 of SS2/21; and
- firms are not expected to directly monitor the sub-outsourcing parties themselves provided they can effectively oversee and monitor the outsourcing arrangement as a whole, including by ensuring the service provider appropriately manages the sub-outsourcing.

Termination Rights

SS2/21 includes some updated guidance for firms on how to approach the topic of termination and the termination rights that are referenced in the EBA Guidelines. The requirements in respect of termination will of course need to be applied on a case by case basis, but in broad terms the language in SS2/21 makes it far easier to apply what are fairly well established market practice termination rights for a third party outsourcing or technology arrangement.

Non-Contractual Requirements

There are also a number of non-contractual requirements in the context of third party outsourcings which the PRA has drawn out in more detail. In particular, the PRA has clarified a number of points around the notification and record keeping requirements, including the following:

- the PRA considers that, in some circumstances, it may be appropriate to notify it of a planned material outsourcing prior to selection of the final service provider. This underlines the requirement to engage with and notify the PRA at an early stage in planned outsourcings – this cannot be stressed enough in current times;
- the PRA also expects to be notified of material non-outsourcing third party arrangements which may constitute “information of which the PRA would reasonably expect notice”;
- the PRA expects to be made aware in a circumstance where a third party service provider to a material outsourcing is unable or unwilling to include certain terms within the contract which are required by the PRA; and
- the PRA is going to publish a subsequent consultation setting out proposals for an online centralised portal to be populated by firms with information on their outsourcing arrangements. This would link in with the existing obligations on firms to maintain an internal register of their outsourcing arrangements.

Timeline for Compliance

The PRA has confirmed that firms will be expected to comply with the requirements set out in SS2/21 by Thursday 31 March 2022 in respect of outsourcing arrangements entered into on or after Wednesday 31 March 2021. In respect of legacy outsourcing agreements, the PRA expects firms to work towards remediating these contracts at the first appropriate contractual renewal or revision point as soon as possible on or after 31 March 2022.

In welcome news for dual-regulated firms, the FCA has since updated its expectations for FCA-regulated firms who are within scope of the EBA Guidelines, confirming that it no longer expects firms to report to the FCA on their progress towards meeting the EBA-imposed deadline of 31 December 2021 to comply with the EBA Guidelines. Instead, in line with the PRA’s approach under SS2/21 and the related rules and guidance on operational resilience, the FCA now expects firms to review any outstanding important or critical arrangements at the first appropriate contract renewal following the first renewal date or revision point and inform the FCA where those arrangements have not been finalised by 31 March 2022.

Simon Gamlin, Partner
Kirstin McCracken, Principal Associate
Nal Townley, Senior Associate

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.


