Last week we looked at Operational Resilience. Another key area of focus for businesses in the financial services industry is Outsourcing and Third-Party Risk Management (TPRM). Both sets of policies require firms to undertake a thorough review of several key areas and are closely linked.
With less than a year (31 March 2022) to deliver the changes, our Senior Director and Regulatory Compliance Lead, Lindsey Domingo, examines the implications for PRA and FCA regulated firms and service providers. The approach taken by each firm will vary, but the details and significant milestones behind the new expectations are discussed below.
The Prudential Regulation Authority's (PRA) new policy statement on Outsourcing and Third-Party Risk Management was issued on 29 March 2021, at the same time as its policy statement on Operational Resilience, and aims to leverage and complement existing requirements.
Outsourcing is not a new regulatory topic; however, the existing framework had not kept pace with the changing nature of outsourcing and with new technologies.
The PRA’s aim in respect of outsourcing is for firms to apply adequate governance and controls for all third-party dependencies that could impact its statutory objectives. A consultation paper published by the PRA on this topic in December 2019 aimed to implement and further elaborate on the outsourcing guidelines from the European Banking Authority (EBA).
In its response to the 2019 Future of Finance Report, the Bank of England had made the commitment to facilitate firms’ use of the Cloud and new technologies to increase their Operational Resilience. One approach taken by the PRA to achieve this is to provide regulatory clarity around topics such as data security, access, audit and information rights, business continuity and exit planning.
The PRA’s new policy statement takes into account other relevant international guidelines and standards, notably from:
The FCA did not propose new Outsourcing requirements but reminded firms of existing rules and guidance (in particular SYSC 8 and SYSC 13.9, FG16/5 – FCA Guidance for firms outsourcing to the cloud and other third-party IT services, and the EBA Guidelines).
The new Outsourcing requirements from the PRA are more detailed and prescriptive compared to the FCA’s – however they are aligned (if firms comply with the PRA requirements, they should also be covering the FCA’s requirements, except for FCA notifications).
The PRA policy statement places increased and more specific obligations on firms in terms of knowing their providers, and where they are, on an ongoing basis.
These obligations will also be of interest to providers – even if they are not regulated themselves – that are supporting solo- or dual-regulated firms. For instance, providers need to be prepared to support firms’ operational resilience testing.
Third party refers to any external entity that has entered into a business relationship or contract with the regulated firm to provide a product or service. This includes suppliers, vendors, business partners and affiliates, brokers, distributors, resellers, and agents. They can be both upstream (suppliers and vendors) and downstream (distributors and agents).
Outsourcing is an arrangement of any form whereby a service provider performs a process, a service or an activity which would otherwise be undertaken by the firm itself (PRA and FCA).
The criteria to determine whether an arrangement constitutes outsourcing or not include the following:
The PRA has provided a list of exceptions (for instance, one-off purchases such as software licences would not be regarded as outsourcing). There is some room for judgment and interpretation. Debates within firms and providers as to whether a relationship should be classified as outsourcing have tended to focus on the letter of the definition and have often had the objective of trying to avoid higher levels of scrutiny and oversight.
With the new policy statement, there is a key shift in emphasis from ‘Outsourcing’ per se to ‘Materiality’. Whilst the definition of outsourcing is unchanged, there is recognition that some non-outsourcing third-party arrangements can give rise to comparable risk.
Non-outsourcing third-party arrangements are those third-party arrangements which fall outside the definition of outsourcing. Effective risk-based controls are required for material non-outsourcing third-party arrangements, commensurate with the risks of the arrangement. Hence there is a requirement to assess materiality for all third-party arrangements.
The three main points of difference to note compared with the consultation paper from December 2019 relate to:
What is Materiality?
A function is regarded as material (also referred to as critical or important) where a weakness or failure of the service would cast doubt on the firm’s safety and soundness, including its financial performance, financial resilience (i.e. assets, capital, funding and liquidity), operational resilience (ability to continue providing important business services) and soundness or continuity of its regulated activities and continued satisfaction of the Threshold Conditions and of the Firm’s regulatory obligations.
Firms are required to determine the materiality of every outsourcing and third-party arrangement. Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed at intervals.
Notification to PRA/FCA – What has changed?
There are more mandated touchpoints with the regulator than before. Firms must:
Firms are required to perform appropriate and proportionate due diligence on all potential service providers and assess the risks of every outsourcing arrangement irrespective of materiality.
Due Diligence and Risk Assessment feed into each other and notably cover financial, operational, information security, legal and regulatory, geographical, concentration, reputational and capability risks, and integration with the firm’s processes. This is about taking full ownership of risks, not just ticking boxes. An enhanced level of due diligence is expected for material outsourcing arrangements.
Risk Management / Ongoing Vendor Management
Performing a Risk Assessment is an exercise that should not be limited to the point of onboarding.
Continuous monitoring and ongoing risk management have implications for the firm in terms of:
Often this has tended to be compliance-led and questionnaire-based. Firms need to revisit how vendors are categorised and assessed, reviewing requirements for appropriate skillsets and resources. The effort should not be underestimated. Technology can help; however, the approach has to be tailored to the nature of the service, taking full ownership of the underlying risks.
Business Continuity and Exit Planning
For each material outsourcing arrangement, firms need to develop, monitor and test a Business Continuity Plan (BCP) and exit strategy. The expectation is that, once materiality has been determined, plans should be developed before finalising the contract, and must allow business continuity in the event of a significant loss of services from the third-party provider.
Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans on a risk-based approach.
Firms need to have a good contract so that the provider complies with the firm’s requirements as well as the regulators’. Regardless of materiality, firms must ensure that outsourcing agreements do not limit the regulators’ ability to effectively supervise the firm including its outsourced activities. As a minimum, material outsourcing agreements should set out the items listed in the supervisory statement (firms need to review and, if necessary, repaper existing contracts).
Security and Resilience
On data security there are 13 control areas referenced in the PRA policy, including encryption and key management, identity & access management and incident management. When any data is shared, the expectation is that the service provider’s environment should be at least as effective and secure as your own.
With regard to Operational Resilience, firms need to involve third-party providers in scenario testing.
Access, Information and Audit
Firms can carry out their own audits but should be mindful that the process is not too disruptive, and they can make use of pooled audits. Alternative forms of assurance from third parties may also be considered, such as previous disaster recovery test results, independent reports and third-party certification.
Governance and Record-Keeping
Firms remain fully responsible for all their regulatory obligations irrespective of outsourcing or subcontracting. They need to maintain an Outsourcing register, in line with the required contents set by the European Banking Authority (EBA). The Board must approve, regularly review, and implement an outsourcing policy and set the control environment, including appetite and tolerance levels for outsourcing and third-party risk management.
The Outsourcing Prescribed Responsibility is generally allocated to the SMF24 function and covers the firm’s overall framework, policy, and systems and controls relating to outsourcing. However, responsibility for individual outsourcing arrangements may still lie with relevant business lines or other areas of the firm.
Timeline for implementation
Firms must comply with the expectations by 31 March 2022.
There are also transitional arrangements regarding Registers. Banks, electronic money and payment institutions are already required to maintain a register of their Cloud Outsourcing arrangements in line with the European Banking Authority (EBA) Cloud Recommendations (subsequently integrated in EBA Outsourcing Guidelines). Firms in these categories are expected to continue to maintain this Cloud Register until it is subsumed by the Outsourcing Register (originally 31 December 2021 for firms still following the EBA timeline; however, this is no longer required by UK regulators until 31 March 2022).
In summary, firms need to comply by 31 March 2022 in respect of all material outsourcing and third-party arrangements.