How should firms be demonstrating compliance and approaching this exercise?
Firms are required to determine the materiality of every outsourcing and third-party arrangement. Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed at intervals.
Notification to PRA/FCA – What has changed?
There are more mandated touchpoints with the regulator than before. Firms must:
- Notify the relevant regulators before entering or significantly changing a material outsourcing arrangement.
- Notify regulators of any non-outsourcing material third parties and of any issues to do with access and audit.
- Notify under FCA Principle 11 / PRA Fundamental Rule 7 anything the regulators would reasonably expect notice of.
Firms are required to perform appropriate and proportionate due diligence on all potential service providers and assess the risks of every outsourcing arrangement irrespective of materiality.
Due Diligence and Risk Assessment feed into each other and notably cover financial, operational, information security, legal and regulatory, geographical, concentration, reputational and capability risks, as well as integration with the Firm’s processes. This is about taking full ownership of risks, not just ticking boxes. An enhanced level of due diligence is expected for material outsourcing arrangements.
Risk Management / Ongoing Vendor Management
Performing a Risk Assessment is an exercise that should not be limited to the point of onboarding.
Continuous monitoring and ongoing risk management has implications for the firm in terms of:
- Understanding the provider’s business and risk profile – not just assigning a RAG or Tier rating.
- How frequently you engage with providers (more regular touchpoints).
- The nature of the conversations taking place with the provider.
- Monitoring leading measures, not just lagging measures such as quality of service.
Often this has tended to be compliance-led and questionnaire-based. Firms need to revisit how vendors are categorised and assessed, reviewing requirements for appropriate skillsets and resources. The effort should not be underestimated. Technology can help; however, the approach has to be tailored to the nature of the service, taking full ownership of the underlying risks.
Business Continuity and Exit Planning
For each material outsourcing arrangement, firms need to develop, monitor and test a Business Continuity Plan (BCP) and exit strategy. The expectation is that, once materiality has been determined, plans should be developed before finalising the contract, and must allow business continuity in the event of a significant loss of services from the third-party provider.
Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans on a risk-based approach.
Firms need to have a good contract so that the provider complies with the firm’s requirements as well as the regulators’. Regardless of materiality, firms must ensure that outsourcing agreements do not limit the regulators’ ability to effectively supervise the firm including its outsourced activities. As a minimum, material outsourcing agreements should set out the items listed in the supervisory statement (firms need to review and, if necessary, repaper existing contracts).
Security and Resilience
On data security there are 13 control areas referenced in the PRA policy, including encryption and key management, identity & access management and incident management. When any data is shared, the expectation is that the service provider’s environment should be at least as effective and secure as your own.
With regard to Operational Resilience, firms need to involve third-party providers in scenario testing.
Access, Information and Audit
Firms can carry out their own audits but should be mindful that the process is not too disruptive, and they can make use of pooled audits. Alternative forms of assurance from third parties may also be considered, such as previous disaster recovery test results, independent reports and third-party certifications.
Governance and Record-Keeping
Firms remain fully responsible for all their regulatory obligations irrespective of outsourcing or subcontracting. They need to maintain an outsourcing register, in line with the required contents set by the European Banking Authority (EBA). The Board must approve, regularly review and implement an outsourcing policy and set the control environment, including appetite and tolerance levels for outsourcing and third-party risk management.
The Outsourcing Prescribed Responsibility is generally allocated to the SMF24 function and covers the firm’s overall framework, policy, and systems and controls relating to outsourcing. However, responsibility for individual outsourcing arrangements may still lie with relevant business lines or other areas of the firm.