Outsourcing and third party risk management: The PRA's stance on risk and controls

Slaughter and May Briefing, 07 May 2021

This briefing looks at the PRA's Policy Statement on outsourcing and third party risk management (PS7/21) and accompanying Supervisory Statement (SS2/21), which 'clarifies, develops, and modernises' longstanding regulatory requirements and expectations applying to financial institutions in this area.

What's new?
In March 2021, the PRA published a Policy Statement on outsourcing and third party risk management (PS7/21) and an accompanying Supervisory Statement (SS2/21) which 'clarifies, develops, and modernises' longstanding regulatory requirements and expectations applying to financial institutions in this area.

SS2/21 contains provisions, to be applied in line with the principle of proportionality, relating to the lifecycle of firms' outsourcing and certain non-outsourcing third party arrangements. They apply to UK banks, building societies, PRA-designated investment firms, (re)insurance firms and groups in scope of Solvency II, as well as UK branches of overseas banks and insurers. The usual array of measures is addressed: governance and record keeping, the oversight of sub-outsourcing arrangements, rights of access, audit and information, as well as business continuity and exit planning, some of which we explore in more detail below.

Non-outsourcing third party arrangements

The PRA's overarching aim in setting the expectations in SS2/21 is for firms to apply adequate governance and controls to all third party dependencies that might impact the PRA's statutory objectives. This could include arrangements that 'support the provision of important business services or carry a high level of risk'. As such, it confirms what we have assumed for some time: that third party operational dependencies which may not meet the definition of an 'outsourcing' should be risk-managed on essentially the same basis.

The SS notes: 'the PRA maintains that certain non-outsourcing third party arrangements might be highly relevant to the PRA's objectives; for instance, if they support the provision of important business services. Therefore, the SS sets out the expectation that firms should assess the materiality and risks of all third party arrangements using all relevant criteria in Chapter 5 of the SS, irrespective of whether they fall within the definition of outsourcing. Firms should attach greater importance to the dependencies and risks that their outsourcing and third party arrangements create than to specific definitions'.
Once a firm has concluded that a non-outsourcing third party arrangement is 'material' or 'high risk', having consulted the relevant criteria in Chapter 5 of the SS, it must implement effective, risk-based controls which 'do not have to be the same as those that apply to outsourcing arrangements', but should be 'equally robust and commensurate to the materiality or risk exposure of the arrangement'.

SS2/21 does not present the complete picture of requirements. There are several other PRA rules, all listed helpfully in the SS (including the Fundamental Rules and the Operational Resilience Part of the PRA Rulebook), which apply to and govern the management of third party arrangements, irrespective of whether they fall within the definition of outsourcing. Examples of such non-outsourcing arrangements might include the design and build of an on-premise IT platform, the purchase of data collated by a third party or the purchase of 'off the shelf' machine learning models. A cloud arrangement will not automatically constitute an outsourcing under the PRA's definition, but should nonetheless be subject to risk-based controls that are commensurate to its materiality.

Firms can opt to implement a 'holistic, single third party risk management policy covering outsourcing and non-outsourcing third party arrangements' or they can have separate but consistent and suitably risk-based policies applying to each subset.

Interaction with EBA Guidelines and other standards

SS2/21 will ultimately constitute 'the primary source of reference for UK firms when interpreting and complying with PRA requirements on outsourcing and third party risk management', though in practice it is unlikely to be the only source. There has been a rising tide of guidelines and recommendations for firms on outsourcing, third party risk management, cloud outsourcing and information and communication technology (ICT) risk management emerging from UK, EU and other international supervisory authorities and other standard setters.

Assessing the materiality of an outsourcing or other third party arrangement under SS2/21

Firms should determine the materiality of all third party arrangements using the relevant criteria in Chapter 5.
It is noted that: 'a firm should generally consider an outsourcing or third party arrangement as material where a defect or failure in its performance could materially impair the:

- financial stability of the UK;
- firms' ability to meet the Threshold Conditions;
- compliance with the Fundamental Rules; requirements under 'relevant legislation' and the PRA Rulebook;
- safety and soundness;
- Operational Continuity In Resolution and, if applicable, resolvability.'

Generally speaking, an outsourcing arrangement will be classified as 'material' if the service being outsourced involves an 'entire "regulated activity"' (portfolio management is provided as an example) or an 'internal control or key function'. Even if none of these criteria apply, firms are expected to consult a list of factors in the SS to further assess the materiality of a particular outsourcing or third party arrangement.

Other UK standards: PS7/21 and SS2/21 are designed to 'complement the requirements and expectations on operational resilience' in the PRA Rulebook, SS1/21 'Operational resilience: Impact tolerances for important business services' and the Statement of Policy 'Operational resilience'. The latter were published on the same day as the materials on outsourcing and form 'a helpful lens for firms to assess how they should monitor their outsourcing and third party arrangements and establish end-to-end resilience for their important business services'.

EBA Guidelines and other international standards: SS2/21 implements the European Banking Authority (EBA) Outsourcing Guidelines, which were finalised in February 2019 and began to apply on 30 September 2019, and parts of the EBA ICT Guidelines. It has also 'taken into account' various international standards including the Basel Committee's 'Principles for operational resilience'; the FSB's 'Effective Practices for Cyber Incident Response and Recovery'; and IOSCO's 'Principles on Outsourcing', some of which are still in draft form.
The PRA does not expect firms to comply with any EU Guidelines that came into effect after the end of the implementation period, such as the EIOPA Cloud Guidelines, the EIOPA ICT Guidelines or the ESMA Guidelines on outsourcing to cloud service providers, and it has not formally implemented them in the SS, but it considers that the expectations in the SS are 'at least equivalent to them in effectiveness and substance'. All relevant EU Guidelines continue to apply to the European operations of UK firms and to the activities undertaken in the EU by firms that also have a UK presence. Firms that are subject to SS2/21 will not need to comply with the EBA's deadline of 31 December 2021 to review and update legacy outsourcing arrangements of critical or important functions in line with the Outsourcing Guidelines, though that timeline will continue to impact firms regulated in the EU.

SS2/21 is 'not materially divergent' from the EBA Guidelines, but where the PRA's expectations are more granular than equivalent sections in the EBA Outsourcing or ICT Guidelines, the PRA considers that this results 'in clearer, more consistent policy that will provide firms with greater regulatory certainty'. Consistent with the EBA Guidelines, when considering whether an arrangement with a third party falls within the definition of outsourcing, firms should consider whether 'the third party will perform the relevant function or service (or part thereof) on a recurrent or an ongoing basis'. This means that a one-off purchase, such as a software licence, would not be an outsourcing, but it might still be a third party arrangement that triggers the requirement for appropriate risk-based controls and, depending on the underlying cloud infrastructure, could require the management of concentration risks.

The criteria for identifying a 'material outsourcing' are substantively aligned to the equivalent EBA term of 'critical or important outsourcing', with a 'few justified exceptions' such as those that reference the PRA's requirements on operational resilience. Material/critical/important arrangements generate more onerous requirements.
Advance notification of material arrangements

The PRA expects advance notification of material third party arrangements in a similar manner and timeframe as it would a material outsourcing arrangement (notwithstanding that the relevant PRA rule, Notifications 2.3(1)(e), applies only to the latter). This is because material third party arrangements that do not meet the outsourcing definition may constitute 'information of which the PRA would reasonably expect notice' within the meaning of Fundamental Rule 7 and Senior Manager Conduct Rule 4. In certain circumstances the PRA will expect to be brought into the loop before a final service provider has been selected.

Intragroup and branch arrangements

SS2/21 provides more granularity than the EBA Guidelines on the application of the principle of proportionality to intragroup outsourcing arrangements, as apparently requested by respondents to the underlying PRA consultation. The details do not change the fundamental premise that intragroup arrangements are not to be treated as inherently less risky than arrangements with third parties outside a firm's group; but there is some scope for firms to make pragmatic management adjustments. In certain cases, for example, firms may rely on business continuity, contingency, and exit plans developed at the group level. The relevant requirements apply proportionately depending on the level of the recipient group's 'control and influence' over the entity that is providing the outsourced service.

The PRA has also set out its approach to outsourcing requirements and expectations for the UK branches of overseas (third-country) firms. At a minimum, it will expect those branches to compile a list of their intragroup outsourcing arrangements, identifying those deemed material. Any such arrangement will need to be documented in a written agreement that specifies expected service levels and key performance indicators. There should also be appropriate monitoring and oversight, as well as effective processes and mechanisms for escalating any concerns or issues to the firm or group.
Sub-outsourcing

Firms are responsible for ensuring that third party service providers appropriately manage any material sub-outsourcing. The PRA does not expect firms to directly monitor fourth parties in all circumstances, but the potential impact of large, complex sub-outsourcing chains on firms' operational resilience will need to be considered.

Negotiating with suppliers

An imbalance in negotiating power between a recipient firm and a dominant service provider is not, notes the PRA, justification for a firm to accept clauses and terms that do not meet legal or regulatory expectations. Firms should make the PRA aware if a service provider in a proposed material outsourcing arrangement is unable or unwilling to 'contractually facilitate' a firm's compliance with the PRA's requirements.

Rights of audit and access

Firms are at liberty to choose any appropriate audit method as long as it enables them to meet their legal, regulatory, operational resilience, and risk management obligations. The level of assurance should be in keeping with the significance of the firm and the materiality of the arrangement (so a significant firm that outsources an important business service for which it has set a low impact tolerance will require a higher level of assurance).

Additional guidance has been added to the final text of SS2/21 regarding the conduct of on-site audits. In particular, where an on-site audit could create an unmanageable risk for the environment of the provider or other clients, the firm and service provider should agree alternative ways to provide an equivalent level of assurance while not removing the contractual rights for an on-site audit from the written agreement. For material outsourcing arrangements, the PRA would expect the firm to inform its supervisor if alternative means of assurance have been agreed. Access, audit, and information rights extend, where relevant, to requiring institutions to ensure that third parties agree to share the results of security penetration testing they carry out or which are carried out on their behalf. (In an earlier draft of the SS, the PRA had required that firms ensure they have a right, where relevant, to carry out such penetration testing themselves.)
Location of data

After considering responses to the underlying consultation, the PRA has clarified that it does not favour or wish to impose restrictive data localisation requirements. It expects firms to adopt a risk-based approach to the location of data such that they can leverage the operational resilience advantages of outsourced data being stored in multiple locations, whilst at the same time managing the attendant risks.

Exit plans

Firms should begin to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase, once they have determined that a planned outsourcing arrangement is material. Once arrangements are implemented, business continuity and exit plans should be tested using a risk-based approach. The PRA recognises that firms' exit options might be more limited in an intragroup context, particularly for UK branches of third country firms, but it nonetheless expects all firms to take reasonable steps to identify options, however limited, for maintaining operational resilience.

In material cloud outsourcing arrangements, the PRA expects firms to assess the resilience requirements of the service and data that are being outsourced and, with a risk-based approach, decide on one or more available cloud resiliency options (these may include multiple or back-up vendors, or bringing data or applications back on-premises). Again, the expectations are injected with proportionality: so if a significant firm wants to outsource its core banking platform to the cloud, the PRA will expect it to adopt one or more of the most resilient options available, to maximise the chances of maintaining its resilience in the event of a serious outage.

Timing

SS2/21 will begin to apply on 31 March 2022. The PRA expects outsourcing arrangements entered into on or after 31 March 2021 to be compliant by that date, but has given firms additional time to review and update pre-existing legacy outsourcing agreements 'at the first appropriate contractual renewal or revision point' so that they comply with the SS 'as soon as possible on or after Thursday 31 March 2022'.
Practices: Financial Regulation

Contact information: Ben Kingsley, Partner at Slaughter and May; Duncan Blaikie, Partner at Slaughter and May; Natalie Donovan, PSL Counsel at Slaughter and May; Selmin Hakki, Senior PSL at Slaughter and May.


