Outsourcing and third party risk management: The PRA's ...
Outsourcing and third party risk management: The PRA's stance on risk and controls
07 May 2021

This briefing looks at the PRA's Policy Statement on outsourcing and third party risk management (PS7/21) and accompanying Supervisory Statement (SS2/21) which ‘clarifies, develops, and modernises’ longstanding regulatory requirements and expectations applying to financial institutions in this area.

What's new?
In March 2021, the PRA published a Policy Statement on outsourcing and third party risk management (PS7/21) and an accompanying Supervisory Statement (SS2/21) which ‘clarifies, develops, and modernises’ longstanding regulatory requirements and expectations applying to financial institutions in this area.

SS2/21 contains provisions – to be applied in line with the principle of proportionality – relating to the lifecycle of firms’ outsourcing and certain non-outsourcing third party arrangements. They apply to UK banks, building societies, PRA-designated investment firms, (re)insurance firms and groups in scope of Solvency II, as well as UK branches of overseas banks and insurers. The usual array of measures is addressed: from governance and record keeping, the oversight of sub-outsourcing arrangements, rights of access, audit, and information, as well as business continuity and exit planning, some of which we explore in more detail below.

Non-outsourcing third party arrangements

The PRA’s overarching aim in setting the expectations in SS2/21 is for firms to apply adequate governance and controls to all third party dependencies that might impact the PRA’s statutory objectives. This could include arrangements that ‘support the provision of important business services or carry a high level of risk’. As such, it confirms what we have assumed for some time: that third party operational dependencies which may not meet the definition of an ‘outsourcing’ should be risk-managed on essentially the same basis.

The SS notes: ‘the PRA maintains that certain non-outsourcing third party arrangements might be highly relevant to the PRA’s objectives; for instance, if they support the provision of important business services. Therefore, the SS sets out the expectation that firms should assess the materiality and risks of all third party arrangements using all relevant criteria in Chapter 5 of the SS, irrespective of whether they fall within the definition of outsourcing. Firms should attach greater importance to the dependencies and risks that their outsourcing and third party arrangements create than to specific definitions’.
Once a firm has concluded that a non-outsourcing third party arrangement is ‘material’ or ‘high risk,’ having consulted the relevant criteria in Chapter 5 of the SS, it must implement effective, risk-based controls which ‘do not have to be the same as those that apply to outsourcing arrangements,’ but should be ‘equally robust and commensurate to the materiality or risk exposure of the arrangement’.

SS2/21 does not present the complete picture of requirements. There are several other PRA rules, all listed helpfully in the SS (including the Fundamental Rules and the Operational Resilience Part of the PRA Rulebook), which apply to and govern the management of third party arrangements, irrespective of whether they fall within the definition of outsourcing. Examples might include the design and build of an on-premise IT platform, the purchase of data collated by a third party or the purchase of ‘off the shelf’ machine learning models. A cloud arrangement will not automatically constitute an outsourcing under the PRA’s definition, but should nonetheless be subject to risk-based controls that are commensurate to its materiality.

Firms can opt to implement a ‘holistic, single third party risk management policy covering outsourcing and non-outsourcing third party arrangements’ or they can have separate but consistent and suitably risk-based policies applying to each subset.

Interaction with EBA Guidelines and other standards

SS2/21 will ultimately constitute ‘the primary source of reference for UK firms when interpreting and complying with PRA requirements on outsourcing and third party risk management,’ though in practice, it is unlikely to be the only source. There has been a rising tide of guidelines and recommendations for firms on outsourcing, third party risk management, cloud outsourcing and information and communication technology (ICT) risk management emerging from UK, EU and other international supervisory authorities and other standard setters.

Assessing the materiality of an outsourcing or other third party arrangement under SS2/21

Firms should determine the materiality of all third party arrangements using relevant criteria in Chapter 5.
It is noted that: ‘a firm should generally consider an outsourcing or third party arrangement as material where a defect or failure in its performance could materially impair the:

financial stability of the UK;
firms’ ability to meet the Threshold Conditions;
compliance with the Fundamental Rules; requirements under ‘relevant legislation’ and the PRA Rulebook;
safety and soundness;
Operational Continuity In Resolution and, if applicable, resolvability.’

Generally speaking, an outsourcing arrangement will be classified as ‘material’ if the service being outsourced involves an ‘entire ‘regulated activity’’ (portfolio management is provided as an example) or an ‘internal control or key function’. Even if none of these criteria apply, firms are expected to consult a list of factors in the SS to further assess the materiality of a particular outsourcing or third party arrangement.

Other UK standards: PS7/21 and SS2/21 are designed to ‘complement the requirements and expectations on operational resilience’ in the PRA Rulebook, SS1/21 ‘Operational resilience: Impact tolerances for important business services’ and the Statement of Policy ‘Operational resilience’. The latter were published on the same day as the materials on outsourcing and form ‘a helpful lens for firms to assess how they should monitor their outsourcing and third party arrangements and establish end-to-end resilience for their important business services’.

EBA Guidelines and other international standards: SS2/21 implements the European Banking Authority (EBA) Outsourcing Guidelines, which were finalised in February 2019 and began to apply on 30 September last year, and parts of the EBA ICT Guidelines. It has also ‘taken into account’ various international standards including the Basel Committee’s ‘Principles for operational resilience’; the FSB’s ‘Effective Practices for Cyber Incident Response and Recovery’; and IOSCO’s ‘Principles on Outsourcing’, some of which are still in draft form.
The PRA does not expect firms to comply with any EU Guidelines that came into effect after the end of the implementation period – such as the EIOPA Cloud Guidelines, the EIOPA ICT Guidelines or the ESMA Guidelines on outsourcing to cloud service providers – and it has not formally implemented them in the SS, but it considers that the expectations in the SS are ‘at least equivalent to them in effectiveness and substance’. All relevant EU Guidelines continue to apply to the European operations of UK firms and to the activities undertaken in the EU by firms that also have a UK presence. Firms that are subject to SS2/21 will not need to comply with the EBA’s deadline of 31 December 2021 to review and update legacy outsourcing arrangements of critical or important functions in line with the Outsourcing Guidelines, though that timeline will continue to impact firms regulated in the EU.

SS2/21 is ‘not materially divergent’ from the EBA Guidelines, but where the PRA’s expectations are more granular than equivalent sections in the EBA Outsourcing or ICT Guidelines, the PRA considers that this results ‘in clearer, more consistent policy that will provide firms with greater regulatory certainty’. Consistent with the EBA Guidelines, when considering whether an arrangement with a third party falls within the definition of outsourcing, firms should consider whether ‘the third party will perform the relevant function or service (or part thereof) on a recurrent or an ongoing basis’. This means that a one-off purchase, such as a software licence, would not be an outsourcing, but it might still be a third party arrangement that triggers the requirement for appropriate risk-based controls and – depending on the underlying cloud infrastructure – could require the management of concentration risks.

The criteria for identifying a ‘material outsourcing’ are substantively aligned to the equivalent EBA term of ‘critical or important outsourcing’ with a ‘few justified exceptions’ such as those that reference the PRA’s requirements on operational resilience. Material/critical/important arrangements generate more onerous requirements.
Advance notification of material arrangements

The PRA expects advance notification of material third party arrangements in a similar manner and timeframe as it would a material outsourcing arrangement (notwithstanding that the relevant PRA rule, Notifications 2.3(1)(e), applies only to the latter). This is because material third party arrangements that do not meet the outsourcing definition may constitute ‘information of which the PRA would reasonably expect notice’ within the meaning of Fundamental Rule 7 and Senior Manager Conduct Rule 4. In certain circumstances the PRA will expect to be brought into the loop before a final service provider has been selected.

Intragroup and branch arrangements

SS2/21 provides more granularity than the EBA Guidelines on the application of the principle of proportionality to intragroup outsourcing arrangements, as apparently requested by respondents to the underlying PRA consultation. The details do not change the fundamental premise that intragroup arrangements are not to be treated as inherently less risky than arrangements with third parties outside a firm’s group; but there is some scope for firms to make pragmatic management adjustments. In certain cases, for example, firms may rely on business continuity, contingency, and exit plans developed at the group level. The relevant requirements apply proportionately depending on the level of the recipient group’s ‘control and influence’ over the entity that is providing the outsourced service.

The PRA has also set out its approach to outsourcing requirements and expectations for the UK branches of overseas (third-country) firms. At a minimum, it will expect those branches to compile a list of their intragroup outsourcing arrangements, identifying those deemed material. Any such arrangement will need to be documented in a written agreement that specifies expected service levels and key performance indicators. There should also be appropriate monitoring and oversight, as well as effective processes and mechanisms for escalating any concerns or issues to the firm or group.
Sub-outsourcing

Firms are responsible for ensuring that third party service providers appropriately manage any material sub-outsourcing. The PRA does not expect firms to directly monitor fourth parties in all circumstances, but the potential impact of large, complex sub-outsourcing chains on firms’ operational resilience will need to be considered.

Negotiating with suppliers

An imbalance in negotiating power between a recipient firm and a dominant service provider is not, notes the PRA, justification for a firm to accept clauses and terms that do not meet legal or regulatory expectations. Firms should make the PRA aware if a service provider in a proposed material outsourcing arrangement is unable or unwilling to ‘contractually facilitate’ a firm’s compliance with the PRA’s requirements.

Rights of audit and access

Firms are at liberty to choose any appropriate audit method as long as it enables them to meet their legal, regulatory, operational resilience, and risk management obligations. The level of assurance should be in keeping with the significance of the firm and the materiality of the arrangement (so, a significant firm that outsources an important business service for which it has set a low impact tolerance will require a higher level of assurance).

Additional guidance has been added to the final text of SS2/21 regarding the conduct of on-site audits. In particular, where an on-site audit could create an unmanageable risk for the environment of the provider or other clients, the firm and service providers should agree alternative ways to provide an equivalent level of assurance while not removing the contractual rights for an on-site audit from the written agreement. For material outsourcing arrangements, the PRA would expect the firm to inform its supervisor if alternative means of assurance have been agreed. Access, audit, and information rights extend, where relevant, to requiring institutions to ensure that third parties agree to share the results of security penetration testing they carry out or which are carried out on their behalf. (In an earlier draft of the SS, the PRA had required that firms ensure they have a right, where relevant, to carry out such penetration testing themselves.)
Location of data

After considering responses to the underlying consultation, the PRA has clarified that it does not favour or wish to impose restrictive data localisation requirements. It expects firms to adopt a risk-based approach to the location of data such that they can leverage the operational resilience advantages of outsourced data being stored in multiple locations, whilst at the same time managing the attendant risks.

Exit plans

Firms should begin to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase, once they have determined that a planned outsourcing arrangement is material. Once arrangements are implemented, business continuity and exit plans should be tested using a risk-based approach. The PRA recognises that firms’ exit options might be more limited in an intragroup context, particularly for UK branches of third country firms, but it nonetheless expects all firms to take reasonable steps to identify options, however limited, for maintaining operational resilience.

In material cloud outsourcing arrangements, the PRA expects firms to assess the resilience requirements of the service and data that are being outsourced and, with a risk-based approach, decide on one or more available cloud resiliency options (these may include multiple or back-up vendors, or bringing data or applications back on-premises). Again, the expectations are injected with proportionality: so that if a significant firm wants to outsource its core banking platform to the cloud, the PRA will expect it to adopt one or more of the most resilient options available, to maximise the chances of maintaining its resilience in the event of a serious outage.

Timing

SS2/21 will begin to apply on 31 March 2022. The PRA expects outsourcing arrangements entered into on or after 31 March 2021 to be compliant by that date, but has given firms additional time to review and update pre-existing legacy outsourcing agreements ‘at the first appropriate contractual renewal or revision point’ so that they comply with the SS ‘as soon as possible on or after Thursday 31 March 2022’.
Practices: Financial Regulation

Contact Information
Ben Kingsley, Partner at Slaughter and May
Duncan Blaikie, Partner at Slaughter and May
Natalie Donovan, PSL Counsel at Slaughter and May
Selmin Hakki, Senior PSL at Slaughter and May