How are Outsourcing and TPRM being defined?
The Prudential Regulation Authority’s (PRA) new policy statement on Outsourcing and Third-Party Risk Management was issued on 29 March 2021, at the same time as its policy statement on Operational Resilience, and aims to leverage and complement existing requirements.
Outsourcing is not a new regulatory topic; however, the existing framework had not kept pace with the changing nature of outsourcing and with new technologies.
The PRA’s aim in respect of outsourcing is for firms to apply adequate governance and controls to all third-party dependencies that could affect the PRA’s statutory objectives. A consultation paper published by the PRA on this topic in December 2019 aimed to implement and further elaborate on the outsourcing guidelines from the European Banking Authority (EBA).
In its response to the 2019 Future of Finance Report, the Bank of England committed to facilitating firms’ use of the Cloud and new technologies to increase their Operational Resilience. One approach the PRA has taken to achieve this is to provide regulatory clarity on topics such as data security, access, audit and information rights, business continuity and exit planning.
The PRA’s new policy statement takes into account other relevant international guidelines and standards, notably from:
- The European Banking Authority (EBA), which issued guidelines on Outsourcing, ICT and Security Risk Management
- The European Insurance and Occupational Pensions Authority (EIOPA)
- The Basel Committee (BCBS)
- The Financial Stability Board (FSB)
- The Commission Delegated Regulation on organisational requirements and operating conditions (MODR)
- The International Organisation of Securities Commissions (IOSCO)
The FCA did not propose new Outsourcing requirements but reminded firms of existing rules and guidance (in particular SYSC 8 and SYSC 13.9, FG16/5 – FCA Guidance for firms outsourcing to the cloud and other third-party IT services, and the EBA Guidelines).