Structure and contents of the agreements
As a minimum, material outsourcing agreements should set out the items stipulated by the PRA in supervisory statement SS2/21. These include:
- A clear description of the outsourced function, including the type of support services to be provided
- The start date, next renewal date, end date, and notice periods regarding termination for the service provider and the firm
- Governing law of the agreement
- Each party’s financial obligations
- Whether the sub-outsourcing of a material function or part thereof is permitted and, if so, under which conditions
- The location(s), i.e. regions or countries, where the material function or service will be provided, and/or where relevant data will be kept, processed, or transferred, including the possible storage location, and a requirement for the service provider to give reasonable notice to the firm in advance if it proposes to change said location(s)
- Provisions regarding the accessibility, availability, integrity, confidentiality, privacy, and safety of relevant data
- Right of the firm to monitor the service provider’s performance on an ongoing basis
- Agreed service levels, which should include qualitative and quantitative performance criteria and allow for timely monitoring
- Reporting obligations of the service provider to the firm, including a requirement to notify the firm of any development that may have a material or adverse impact on the service provider’s ability to effectively perform the material function
- Whether the service provider should take out mandatory insurance against certain risks and, if applicable, the level of insurance cover requested
- Requirements for both parties to implement and test business contingency plans. For the firm, these should take account of their impact tolerances for important business services. Where appropriate, both parties should commit to take reasonable steps to support the testing of such plans.
- Provisions to ensure that data owned by the firm can be accessed promptly in the case of the insolvency, resolution, or discontinuation of business operations of the service provider.
- The obligation of the service provider to co-operate with the PRA and the Bank of England, as resolution authority, including persons appointed to act on their behalf
- For banks, a clear reference to the Bank of England’s resolution powers
- The rights of firms and the PRA to inspect and audit the service provider with regard to the material outsourced function
- Appropriate and proportionate information security related objectives and measures, including requirements such as minimum ICT security requirements, specifications of firms’ data lifecycles, and any requirements relating to data security, network security, and security monitoring processes
- Operational and security incident handling procedures, including escalation and reporting.
- Termination rights and exit strategies covering both stressed and non-stressed scenarios and reasonable steps to support the testing of firms’ termination plans.
Firms may elect to limit contractual termination rights to situations such as: material breaches of law, regulation, or contractual provisions; those that create risks beyond their tolerance; or those that are not adequately notified and remediated in a timely manner.
The FCA provides additional relevant guidance in SYSC 13.9.6. In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:
- The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
- The evaluation of performance through service delivery reports and periodic self certification or independent review by internal or external auditors; and
- Remedial action and escalation processes for dealing with inadequate performance.
Key elements of outsourcing agreements
The implication is that firms will need to review and, if necessary, repaper existing contracts. All new contracts will need to meet the requirements.