PS7/21 | CP30/19 Outsourcing and third party risk management

Outsourcing and third party risk management – PS7/21. This Prudential Regulation Authority (PRA) Policy Statement (PS) provides feedback to ... Ouruseofcookies Weusenecessarycookiestomakeoursitework(forexample,tomanageyoursession).We’dalsoliketousesomenon-essentialcookies(includingthird-partycookies)tohelpusimprovethesite.Byclicking‘Acceptrecommendedsettings’onthisbanner,youacceptouruseofoptionalcookies. Necessarycookies Analyticscookies   Yes Yes Acceptrecommendedcookies Yes No Proceedwithnecessarycookiesonly Necessarycookies Necessarycookiesenablecorefunctionalityonourwebsitesuchassecurity,networkmanagement,andaccessibility.Youmaydisablethesebychangingyourbrowsersettings,butthismayaffecthowthewebsitefunctions. Analyticscookies Weuseanalyticscookiessowecankeeptrackofthenumberofvisitorstovariouspartsofthesiteandunderstandhowourwebsiteisused.FormoreinformationonhowthesecookiesworkpleaseseeourCookiepolicy. Skiptomaincontent Home Prudentialregulation PS7/21|CP30/19Outsourcingandthirdpartyriskmanagement PS7/21|CP30/19Outsourcingandthirdpartyriskmanagement PolicyStatement7/21|ConsultationPaper30/19 Relatedlinks Relatedlinks FCAPS PS6/21‘Operationalresilience:Impacttolerancesforimportantbusinessservices’ Publishedon29March2021 Outsourcingandthirdpartyriskmanagement–PS7/21 ThisPrudentialRegulationAuthority(PRA)PolicyStatement(PS)providesfeedbacktoresponsestoConsultationPaper(CP)30/19‘Outsourcingandthirdpartyriskmanagement’(page2of2).ItalsocontainsthePRA’sfinalSupervisoryStatement(SS)2/21‘Outsourcingandthirdpartyriskmanagement’(Appendix1).  ThisPSisrelevantto:  banks,buildingsocieties,andPRA-designatedinvestmentfirms(banks); insuranceandreinsurancefirmsandgroupsinscopeofSolvencyII,includingtheSocietyofLloyd’sandmanagingagents(insurers);and branchesofoverseasbanksandinsurers(third-countrybranches). SomeofthecontentsofSS2/21arerelevanttocreditunionsandnon-directivefirms:thePRArules,statutorypowers,andrequirements. Summaryofresponses ThePRAreceived37responsesfromarangeofstakeholders,fromPRA-regulatedfirmstothirdpartyserviceproviders.Therewasgeneralsupportfortheproposals.RespondentswelcomedthePRA’seffortstoclarifyandmoderniseregulatoryexpectationsinanareawhereregulationhadnotkeptpacewithtechnologicalchange.FirmsalsoappreciatedthattheproposalscomplementedthePRA’spolicyproposalsonoperationalresilience,giventhemanysynergiesbetweenthetwoareas.Respondentsnotedthattheproposedoperationalresilienceframeworkprovidedahelpfullensforfirmstoassesshowtheyshouldmonitortheiroutsourcingandthirdpartyarrangementsandestablishend-to-endresiliencefortheirimportantbusinessservices.Overall,responsesfocussedonspecificareasratherthancallingforawholesalerevisionoftheoverallpolicy. DetailsonthesearesetoutintheassociatedsectionsofthePolicyStatement. Implementation FirmswillbeexpectedtocomplywiththeexpectationsintheSSbyThursday31March2022.ThisisinlinewiththetimingofthePRA’srequirementsandexpectationsonoperationalresilienceassetoutinPS6/21‘Operationalresilience:Impacttolerancesforimportantbusinessservices’,whichhasbeenpublishedsimultaneouslywiththisPS. OutsourcingarrangementsenteredintoonorafterWednesday31March2021shouldmeettheexpectationsintheSSbyThursday31March2022.FirmsshouldseektoreviewandupdatelegacyoutsourcingagreementsenteredintobeforeWednesday31March2021atthefirstappropriatecontractualrenewalorrevisionpointtomeettheexpectationsintheSSassoonaspossibleonorafterThursday31March2022. TheproposalssetoutinthisPShavebeendesignedinthecontextoftheUKhavinglefttheEuropeanUnionandthetransitionperiodhavingcometoanend.Unlessotherwisestated,anyreferencestoEUorEUderivedlegislationrefertotheversionofthatlegislationwhichformspartofretainedEUlaw.ThePRAwillkeepthepolicyunderreviewtoassesswhetheranychangeswouldberequiredduetochangesintheUKregulatoryframework. PolicyStatement7/21 Appendix Appendix1:SS2/21‘Outsourcingandthirdpartyriskmanagement’ Publishedon 5December2019 Outsourcingandthirdpartyriskmanagement-CP30/19 Update20March2020:Thedeadlineforresponseswill,inlinewiththeFCA,beextendedto1October2020.Formoreinformationonthispleaseseeourstatement‘BankofEnglandannouncessupervisoryandprudentialpolicymeasurestoaddressthechallengesofCovid-19’. Overview Inthisconsultationpaper(CP),thePrudentialRegulationAuthority(PRA)setsoutandinvitescommentsonitsproposalsformodernisingtheregulatoryframeworkonoutsourcingandthird-partyriskmanagement.TheseproposalsaresetoutinthedraftSupervisoryStatement(SS)on‘Outsourcingandthird-partyriskmanagement’intheAppendixtothisCP(draftSS)andpursuethefollowingobjectives:  complementthepolicyproposalsonoperationalresilienceinCP29/19‘Operationalresilience:impacttolerancesforimportantbusinessservices’,publishedsimultaneouslywiththisCP. facilitategreaterresilienceandadoptionofthecloudandothernewtechnologies’assetoutintheBankofEngland’s(theBank’s)responsetothe‘FutureofFinance’report.   implementtheEuropeanBankingAuthority(EBA)‘GuidelinesonOutsourcingArrangements’(EBAOutsourcingGuidelines).ThedraftSSclarifieshowthePRAexpectsbankstoapproachtheEBAOutsourcingGuidelinesinthecontextofitsrequirementsandexpectations.InadditioncertainchaptersinthedraftSSelaborateontheexpectationsintheEBAOutsourcingGuidelines.Forinstance,chapters7(DataSecurity)and10(BusinessContinuityandexitplans). Takeintoaccountthe: draftEuropeanInsuranceandOccupationalPensionsAuthority(EIOPA)‘GuidelinesonOutsourcingtoCloudServiceProviders(EIOPACloudGuidelines’);and  EBAGuidelinesonICTandsecurityriskmanagement(EBAICTGuidelines);  ThisCPisrelevanttoallUKbanks,buildingsocietiesandPRA-designatedinvestmentfirms,insuranceandreinsurancefirmsandgroupsinscopeofSolvencyII,includingtheSocietyofLloyd’sandmanagingagents,andbranchesofoverseasbanksandinsurers. SomeoftheproposalsinthisCParerelevanttocreditunionsandnon-directivefirms(NDFs)namelythosein:paragraph2.3ofthisCP;thePRArules,statutorypowersandrequirementsreferencedintables2,5and6;andparagraphs5.11-5.12.Inlinewiththeprincipleofproportionality,thePRAproposesnottoapplytheremainingsectionsofthedraftSStocreditunionsandNDFs. Responsesandnextsteps ThisconsultationclosesonFriday3April2020.ThePRAinvitesfeedbackontheproposalssetoutinthisconsultation.PleaseaddressanycommentsorenquiriestoCP30_19@bankofengland.co.uk. Implementation ThePRAproposestopublishitsfinalpolicyontheproposalsinthisCPinthesecondhalfof2020,(inlinewiththefinalpolicyonOperationalResilience)withimplementationofmosttheproposalsshortlyafter.  CertainproposalsinthisCP,whichderivefromtheEBAOutsourcingGuidelinesor,(ifadoptedinthecurrentform),thedraftEIOPACloudGuidelineswouldbesubjecttolongerimplementationperiods.Inparticular,thoserelatingto: theregisterofoutsourcingarrangements(‘OutsourcingRegister’);and therevisionby: banksofoutsourcingarrangementsenteredintobefore30September2019;and  insurersofcloudOutsourcingarrangementsenteredintobefore1July2020(‘LegacyOutsourcingArrangements’)tobringthemintocompliancewiththeEBAOutsourcingGuidelinesandEIOPACloudGuidelinesrespectively.   Consultationpaper30/19 ConvertthispagetoPDF Otherprudentialregulationreleases PrudentialRegulation//PRARegulatoryDigest 01April2022 PRARegulatoryDigest-March2022 PRARegulatoryDigest-March2022 PrudentialRegulation//Discussionpaper 31March2022 DP1/22–Theprudentialliquidityframework:... DP1/22–Theprudentialliquidityframework:Supportingliquidassetusability PrudentialRegulation//Policystatement 25March2022 PS3/22|CP1/22-FinancialServicesCompensation... PS3/22|CP1/22-FinancialServicesCompensationScheme–ManagementExpensesLevyLimit2022/23 PrudentialRegulation//Letter 24March2022 LetterfromSamWoods‘Existingorplanned... LetterfromSamWoods‘Existingorplannedexposuretocryptoassets’ ViewmoreOtherprudentialregulationreleases Backtotop Giveyourfeedback Wasthispageuseful? Yes,itwasuseful Yes No,itwasn'tuseful No PageUrlIsMobileBrowserIPAddressOperatingSystem Thanks! Wouldyouliketogivemoredetail? PressSpacebarorEntertoselect Whatdidyouthinkofthispage? Addyourdetails...PageUrlIsMobileBrowserOperatingSystem Pleaseprovethatyou'renotarobot: