Outsourcing & Third-party Risk Management – PRA ...


Outsourcing & Third-party Risk Management – PRA expectations formalised in new statements

On the same day as the Prudential Regulation Authority published their Operational Resilience Policy and Supervisory Statements, the regulator made it a double-header with identical publications for Outsourcing & Third-Party Risk Management.

Insights on the Operational Resilience publications are provided in a separate blog, however due to the interconnects between components and the complementary approach we do recommend reading both as a pair.

Scope, definition, and timelines

The PRA’s Outsourcing & Third-Party Risk Management (O&TPRM) requirements are relevant to all UK Banks, Building Societies, PRA-designated Investment Firms, Solvency II Firms, and Third-country branches.
The PRA Rulebook defines ‘outsourcing’ as ‘an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself’.

The PRA also highlights that firms should differentiate between a one-off product or service purchase and outsourcing performed on an ongoing or continuous basis.

As with operational resilience, the PRA has given firms a year to meet the expectations of their Supervisory Statement, with the compliance deadline being 31 March 2022.

Highlights of key requirements for firms

Outsourcing agreements

- All outsourcing arrangements must be set out in a written agreement
- Under a Master Service Agreement (MSA), each outsourced service should be appropriately documented
- Written agreements for non-material arrangements should still include contractual safeguards to manage risks, whilst allowing the PRA appropriate access to supervise both the firm and function

Data security

Firms must:

- classify relevant data based on their confidentiality and sensitivity;
- identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
- agree an appropriate level of data availability, confidentiality, and integrity; and
- if appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.

Sub-outsourcing

Firms must assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that firms have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers.

Firms should assess whether sub-outsourcing is materially important, which includes the potential impact on the firm’s operational resilience and the provision of important business services.

Firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies.
Business continuity & exit plans

For each material outsourcing arrangement, firms should develop, maintain, and test a business continuity plan and documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:

- in stressed circumstances, e.g., following the failure or insolvency of the service provider (stressed exit); and
- through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).

Access, audit and information rights

Firms must take reasonable steps to ensure that written agreements for material outsourcing arrangements provide them, their auditors, the PRA, the BoE, and any other person appointed by firms or the Bank and PRA, with full access and unrestricted rights for audit.

Firms must exercise their access, audit, and information rights in respect of material outsourcing arrangements in an outcomes-focused way, to assess whether the service provider is providing the relevant service effectively and in compliance with the firm’s legal and regulatory obligations and expectations, including as regards operational resilience.

Proportionality

Firms should meet the PRA’s expectations in a manner appropriate to their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function.

Proportionality and materiality can change over time and firms should reassess both as appropriate.

Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group and should not be treated as being inherently less risky.

Next steps: For further insights on operational resilience, go to our Operational Resilience micro-site

March 30, 2021
Written by Ross Molyneux

Ross specialises in risk management and regulation. He has worked extensively across non-financial and financial risk management engagements in his time in consulting in both the UK and New Zealand.


