In Focus: Operational Resilience – Outsourcing Arrangements

PART 6
With increasing pressures for financial services institutions to keep pace with the levels of innovation in the market, firms have sought solutions from third party service providers. This rising trend in outsourcing continues, notably driven by cost reduction, advances in technology and the requirement for firms to increase agility.

As our series on the regulators’ new operational resilience rules continues, Lindsey Domingo at Xcina Consulting Limited provides additional insight to help organisations ensure that their current and new arrangements are in line with the expectations of the FCA and/or PRA.

The need for outsourcing agreements

In our previous edition on Outsourcing and Third Party Risk Management, we provided an overview of the key milestones behind the new expectations.

Overview of requirements

One of the key requirements is to put in place robust agreements with outsourcing or other material third-party providers.

When outsourcing or subcontracting a material process or function, firms are effectively handing over their business function. They need to obtain contractual guarantees of service levels and mitigate any risk to their business in case the third-party arrangement is not fit for purpose and the business suffers as a result. Similarly, the third party would be accepting responsibility for the business function, and potentially employees of the business, so the provider needs to know exactly what is expected of them, what they are taking on and the pricing of the outsourced or subcontracted services.

Firms need to have a good contract in place so that the provider complies not only with their business requirements but also with the regulators’ requirements. Regardless of materiality, firms must ensure that outsourcing agreements do not limit the regulators’ ability to effectively supervise the firms, including their outsourced and subcontracted activities.

Considerations when negotiating agreements

Contractual negotiations usually focus on technical, commercial, and value-for-money considerations. In addition, the FCA states in SYSC 13.9 that, when negotiating with a service provider, a firm should have regard to:

  1. Reporting or notification requirements it may wish to impose on the service provider.
  2. Whether sufficient access will be available to its internal auditors, external auditors, or actuaries and to the FCA (including access to premises and dealing in an open and cooperative way).
  3. Information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract).
  4. The adequacy of any guarantees and indemnities.
  5. The extent to which the service provider must comply with the firm’s policies and procedures (covering, for example, information security).
  6. The extent to which a service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed.
  7. The need for continued availability of software following difficulty at a third party supplier.
  8. The processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:

    • A change of ownership or control (including insolvency or receivership) of the service provider or firm; or
    • Significant change in the business operations (including sub-contracting) of the service provider or firm; or
    • Inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.

(Figure: Considerations during contract negotiations)

Structure and contents of the agreements

As a minimum, material outsourcing agreements should set out the items stipulated by the PRA in supervisory statement SS2/21. These include:

  1. A clear description of the outsourced function, including the type of support services to be provided.
  2. The start date, next renewal date, end date, and notice periods regarding termination for the service provider and the firm.
  3. Governing law of the agreement.
  4. Each party’s financial obligations.
  5. Whether the sub-outsourcing of a material function or part thereof is permitted and, if so, under which conditions.
  6. The location(s), i.e. regions or countries, where the material function or service will be provided, and/or where relevant data will be kept, processed, or transferred, including the possible storage location, and a requirement for the service provider to give reasonable notice to the firm in advance if it proposes to change said location(s).
  7. Provisions regarding the accessibility, availability, integrity, confidentiality, privacy, and safety of relevant data.
  8. Right of the firm to monitor the service provider’s performance on an ongoing basis.
  9. Agreed service levels, which should include qualitative and quantitative performance criteria and allow for timely monitoring.
  10. Reporting obligations of the service provider to the firm, including a requirement to notify the firm of any development that may have a material or adverse impact on the service provider’s ability to effectively perform the material function.
  11. Whether the service provider should take out mandatory insurance against certain risks and, if applicable, the level of insurance cover requested.
  12. Requirements for both parties to implement and test business contingency plans. For the firm, these should take account of their impact tolerances for important business services. Where appropriate, both parties should commit to take reasonable steps to support the testing of such plans.
  13. Provisions to ensure that data owned by the firm can be accessed promptly in the case of the insolvency, resolution, or discontinuation of business operations of the service provider.
  14. The obligation of the service provider to co-operate with the PRA and the Bank of England, as resolution authority, including persons appointed to act on their behalf.
  15. For banks, a clear reference to the Bank of England’s resolution powers.
  16. The rights of firms and the PRA to inspect and audit the service provider with regard to the material outsourced function.
  17. Appropriate and proportionate information security related objectives and measures, including requirements such as minimum ICT security requirements, specifications of firms’ data lifecycles, and any requirements regarding data security, network security, and security monitoring processes.
  18. Operational and security incident handling procedures, including escalation and reporting.
  19. Termination rights and exit strategies covering both stressed and non-stressed scenarios and reasonable steps to support the testing of firms’ termination plans.

Firms may elect to limit contractual termination rights to situations such as: material breaches of law, regulation, or contractual provisions; those that create risks beyond their tolerance; or those that are not adequately notified and remediated in a timely manner.

The FCA provides additional relevant guidance in SYSC 13.9.6. In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:

  1. The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
  2. The evaluation of performance through service delivery reports and periodic self-certification or independent review by internal or external auditors; and
  3. Remedial action and escalation processes for dealing with inadequate performance.

(Figure: Key elements of outsourcing agreements)

The implication is that firms will need to review and, if necessary, repaper existing contracts. All new contracts will need to meet the requirements.

Failure to meet requirements – Case study

Failure to comply with the regulatory expectations for outsourcing and other third-party agreements can have significant adverse business and regulatory implications.

Case study: R. Raphael & Sons PLC (Raphaels)

On 12th November 2015, the Prudential Regulation Authority (PRA) issued a Final Notice to R. Raphael & Sons PLC (Raphaels) for contravening Fundamental Rule 3 contained in the PRA’s Rulebook and levied a fine of £1,825,950. The PRA took enforcement action against the firm for the following:

  • No outsourcing agreement was entered into at the outset of the Joint Venture (JV) with Company C for the outsourced activity.
  • Raphaels failed to enter into a written agreement regarding outsourced important operational functions until 21 months after Company C had commenced providing some of Raphaels’s finance functions.
  • Raphaels did not manage the risks associated or oversee the outsourced important operational functions.
  • The agreement entered into did not include any division of responsibilities and powers and did not accurately capture the extent of the services that were provided by Raphaels group companies.
  • The PRA described the agreement as “materially deficient in setting out the rights and obligations of the respective parties”.
  • The agreement did not specify appropriate arrangements for Raphaels’s oversight of the outsourced functions. Specifically, it neither established a mechanism or terms for Raphaels to supervise the group companies efficiently or at all nor set out service level agreements (SLAs) or means of measuring the effectiveness of the outsourced function.

When do firms need to meet these requirements by?

Timeline for implementation

Firms must comply with the expectations by 31 March 2022.

There are also transitional arrangements regarding Registers. Banks, electronic money and payment institutions are already required to maintain a register of their Cloud Outsourcing arrangements in line with the European Banking Authority (EBA) Cloud Recommendations (subsequently integrated in EBA Outsourcing Guidelines). Firms in these categories are expected to continue to maintain this Cloud Register until it is subsumed by the Outsourcing Register (originally 31 December 2021 for firms still following the EBA timeline; however, this is no longer required by UK regulators until 31 March 2022).

In summary, firms need to comply by 31 March 2022 in respect of all material outsourcing and third-party arrangements.
