Outsourcing & Third-party Risk Management – PRA expectations formalised in new statements

On the same day as the Prudential Regulation Authority published their Operational Resilience Policy and Supervisory Statements, the regulator made it a double-header with identical publications for Outsourcing & Third-Party Risk Management.

Insights on the Operational Resilience publications are provided in a separate blog; however, due to the interconnections between components and the complementary approach, we recommend reading both as a pair.

Scope, definition, and timelines

The PRA’s Outsourcing & Third-Party Risk Management (O&TPRM) requirements are relevant to all UK Banks, Building Societies, PRA-designated Investment Firms, Solvency II Firms, and Third-country branches.
The PRA Rulebook defines ‘outsourcing’ as ‘an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself’.

The PRA also highlights that firms should differentiate between a one-off product or service purchase and outsourcing performed on an ongoing or continuous basis.

As with operational resilience, the PRA has given firms a year to meet the expectations of their Supervisory Statement, with the compliance deadline being 31 March 2022.

Highlights of key requirements for firms

Outsourcing agreements

- All outsourcing arrangements must be set out in a written agreement
- Under a Master Service Agreement (MSA), each outsourced service should be appropriately documented
- Written agreements for non-material arrangements should still include contractual safeguards to manage risks, whilst allowing the PRA appropriate access to supervise both the firm and function

Data security

Firms must:

- classify relevant data based on their confidentiality and sensitivity;
- identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
- agree an appropriate level of data availability, confidentiality, and integrity; and
- if appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.

Sub-outsourcing

Firms must assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that firms have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers.

Firms should assess whether sub-outsourcing is materially important, which includes the potential impact on the firm’s operational resilience and the provision of important business services.

Firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies.
Business continuity & exit plans

For each material outsourcing arrangement, firms should develop, maintain, and test a business continuity plan and documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:

- in stressed circumstances, e.g., following the failure or insolvency of the service provider (stressed exit); and
- through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).

Access, audit and information rights

Firms must take reasonable steps to ensure that written agreements for material outsourcing arrangements provide them, their auditors, the PRA, the BoE, and any other person appointed by firms or the Bank and PRA, with full access and unrestricted rights for audit.

Firms must exercise their access, audit, and information rights in respect of material outsourcing arrangements in an outcomes-focused way, to assess whether the service provider is providing the relevant service effectively and in compliance with the firm’s legal and regulatory obligations and expectations, including as regards operational resilience.

Proportionality

Firms should meet the PRA’s expectations in a manner appropriate to their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function.

Proportionality and materiality can change over time and firms should reassess both as appropriate.

Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group and should not be treated as being inherently less risky.

Next steps: For further insights on operational resilience, go to our Operational Resilience micro-site

March 30, 2021

Written by Ross Molyneux

Ross specialises in risk management and regulation. He has worked extensively across non-financial and financial risk management engagements in his time in consulting in both the UK and New Zealand.