PRA - New rules on outsourcing and third-party risk management

On 31 March 2021, the PRA published a Supervisory Statement containing additional requirements on outsourcing and third-party risk management, with a 31 March 2022 deadline for compliance.

The Regulator is seeking to ensure that firms apply governance and controls to third-party dependencies that adequately mitigate risks to their safety and soundness, to policyholder protection (for insurers) and to UK financial stability.

The rules apply to:

  • UK banks, building societies, and PRA-designated investment firms;
  • insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents; and
  • UK branches of overseas banks and insurers.
  • Credit unions and non-directive firms are subject to limited requirements.

The rules are applicable to all forms of outsourcing under the PRA’s definition: ‘an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself’.
However, where firms have non-outsourcing third-party arrangements in place that could affect the PRA’s objectives, the PRA expects firms to assess the materiality and risks of all third-party arrangements, irrespective of whether they fall within the definition of outsourcing.

Relationship to existing requirements

The new rules are aligned with existing FCA rules and guidance on outsourcing as outlined in the Systems and Controls (SYSC) Sourcebook and in the ‘Finalised Guidance 16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services’ publication. Additionally, the rules complement PRA and FCA requirements on operational resilience, also published on 31 March 2021. A summary of those expectations can be found here.

What are the requirements?

Firms are required to implement appropriate controls for oversight and monitoring across relevant outsourcing activities as detailed below:

Governance

There is an existing requirement on firms to allocate the Prescribed Responsibility for outsourcing-related regulatory obligations to an SMF. The Regulator’s intention is for this responsibility to encompass the firm’s overall framework for managing outsourcing; in most firms it will generally sit with the SMF24. Responsibility for specific outsourcing arrangements may sit with relevant business lines.

The Supervisory Statement details specific responsibilities that should be held by the Board of a firm, including:

  • the firm’s outsourcing framework, policies, systems and controls – responsibility for individual outsourcing arrangements may still lie with relevant business lines;
  • setting the control environment throughout the firm, including appetite and tolerance levels for outsourcing and third-party risk management;
  • the effective management of all risks to which the firm is exposed – this includes identifying and understanding the firm’s reliance on critical service providers, and ensuring the firm has fit-for-purpose management systems and strategies to manage these risks;
  • approving, implementing and regularly reviewing the firm’s outsourcing policy.

Outsourcing policy

Firms and groups must develop and maintain an outsourcing policy proportionate to their size, complexity and organisational structure. They are also expected to inform outsourced and third-party providers of relevant internal policies such as those on outsourcing, information security and operational resilience.

An outsourcing policy can be principles based and need not be contained in a single document. However, the policy is required to cover several elements, including but not limited to:

  • the involvement of business lines, internal control functions, and other individuals (particularly SMFs) with regards to outsourcing arrangements;
  • business continuity planning (BCP);
  • processes for vendor due diligence and for assessing the materiality and risks of outsourcing arrangements;
  • responsibility for signing-off new outsourcing arrangements, particularly material arrangements;
  • procedures for the ongoing assessment of service providers’ performance; and
  • exit strategies and termination processes.

Pre-outsourcing

i. Materiality

Firms will need to assess the materiality of each third-party agreement and notify the PRA before a material outsourcing arrangement is entered into or materially changed. The PRA has clarified that it will consider the timeliness of these notifications when assessing firms’ compliance with Fundamental Rule 7 [1]. Similarly, material non-outsourcing third-party arrangements may need to be communicated to the PRA, as per Fundamental Rule 7 and Senior Manager Conduct Rule/Conduct Standard 4 [2].

Firms should consider an outsourcing or third-party arrangement as material where a weakness or failure of the service could materially impair the firm’s:

  • ability to meet the Threshold Conditions or comply with the Fundamental Rules;
  • safety and soundness, including financial and operational resilience;
  • policyholder protection; and
  • operational continuity in resolution and resolvability.

Materiality should be reviewed at appropriate intervals (e.g. during scheduled review periods) as well as:

  • prior to entering into a written agreement;
  • where firms plan to scale up their use of the service or dependency on the service provider; and
  • in the event of an organisational change at the provider (or sub-outsourced provider) that could materially change the nature, scale and complexity of the risks inherent in the outsourcing arrangement.

ii. Due diligence

Firms will need to perform due diligence on all potential service providers before entering an outsourcing arrangement. They should also identify alternative or back-up providers and, where these are not available, consider business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business services within their impact tolerances in the event of a material disruption at their chosen service provider.

In the case of material outsourcing, the PRA expects due diligence to consider the potential providers’:

  • business model, complexity, financial situation, nature, ownership structure, and scale;
  • capability, expertise, and reputation;
  • financial, human, and technology resources;
  • ICT controls and security; and
  • any sub-outsourced service providers involved in the delivery of important business services.

iii. Risk assessment

Firms must assess and periodically review the potential risks posed by all third-party arrangements regardless of materiality, considering:

  • operational risks based on an analysis of severe but plausible scenarios; and
  • financial risks, including the potential need to provide financial support to a material outsourced or sub-outsourced service provider in distress or take over its business.

Firms and groups will be expected to take reasonable steps to manage risks including concentration risks, vendor lock-in and overall reliance on third parties.

Outsourcing agreements

Written agreements for material outsourcing arrangements should be appropriately documented. Furthermore, the PRA requires these agreements to cover several elements, including but not limited to:

  • agreed service levels, performance criteria, and ongoing performance monitoring rights;
  • reporting obligations of the service provider to the firm, including a requirement to notify the firm of any development which may materially affect the service provider’s ability to effectively perform the function;
  • the requirements for both parties to implement and test business contingency plans;
  • full and unrestricted rights for audit and information to the firm, the firm’s auditors, the PRA, the BoE (as a resolution authority) and any other person appointed by the firm, PRA or BoE; and
  • termination rights and exit strategies covering both stressed and non-stressed scenarios.

Data security

Where a material outsourcing or third-party agreement involves the transfer of or access to data, the PRA expects firms to define, document, and understand their responsibilities in respect of that data, as well as those of the service provider. Firms will also be expected to take appropriate measures to protect data, including:

  • classifying relevant data based on their confidentiality and sensitivity;
  • implementing technical and organisational measures to protect different classes of data;
  • identifying potential risks relating to the data; and
  • if appropriate, obtaining assurance and documentation from third parties on the provenance or lineage of data to ensure it has been collected and processed in line with applicable legal and regulatory requirements.

Third-country branches

The PRA expects third-country branches to have:

  • a clear, documented list of their intragroup outsourcing arrangements, and to identify material arrangements;
  • documented written agreements for all intragroup outsourcing arrangements (particularly those deemed material), setting out expected service levels and key performance indicators (KPIs);
  • appropriate visibility, oversight and monitoring of firm and intragroup outsourcing arrangements;
  • visibility of material sub-outsourced providers; and
  • effective procedures for escalating concerns, issues, and regulatory feedback on intragroup outsourcing arrangements to the entire firm or group.

Intragroup outsourcing arrangements

These arrangements will be subject to the same requirements and expectations as external service providers. However, firms may comply with some of the requirements proportionately depending on their level of control or influence over intragroup providers. For instance, they may in certain cases rely on group-level monitoring, business continuity, contingency and exit plans if these arrangements meet the PRA’s requirements.

Sub-outsourcing

The PRA Rulebook acknowledges that a service provider may perform ‘a process, a service or an activity which would otherwise be undertaken by the firm itself […] directly or by sub-outsourcing’.

There is a requirement on firms to identify whether sub-outsourcing meets materiality criteria and to identify any potential operational risks on the firm’s ability to deliver important business services. Firms should not agree to sub-outsourcing arrangements that give rise to undue operational risk for the firm. Firms must also ensure that:

  • sub-outsourced service providers comply with all applicable laws, regulatory requirements, and contractual obligations;
  • sub-outsourced service providers grant the firm, BoE, and PRA equivalent contractual access, audit, and information rights to those granted to the service provider;
  • service providers have the ability to appropriately oversee sub-outsourced services to ensure compliance with the firm’s policies; and
  • contractual rights are in place to allow the firm to approve or object to material sub-outsourcing, and to terminate the agreement where sub-outsourcing incurs a material increase in third-party risk.

Business continuity and stressed exits

During the pre-outsourcing phase, once firms have determined that an arrangement is material, they should begin to implement business continuity plans for severe but plausible operational disruptions and require service providers to do the same.

Firms will also need to document an exit strategy, differentiating between stressed and non-stressed exits. This should involve estimating cost, resourcing and timing implications, as well as identifying data the firm may need to access, recover or transfer as a priority. Additionally, firms will need to define key performance indicators (KPIs) and key risk indicators (KRIs) which, if breached, may trigger an exit.

Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans using a risk-based approach. Where relevant, this testing should align to, support, or form part of firms’ scenario testing under Operational Resilience.

Clear roles and responsibilities should be assigned for business continuity and exit plans, including sign-off, periodic reviews and activation decisions.

Next Steps

The PRA’s requirements cover all stages of the outsourcing process. Firms must now review their current outsourcing practices against these new requirements and draft an action plan to address identified gaps. Outsourcing arrangements entered into on or after 31 March 2021 should meet the PRA’s expectations by 31 March 2022. Legacy outsourcing agreements should be updated at the first appropriate contractual renewal or revision point to meet the new requirements as soon as possible on or after 31 March 2022.


[1] Fundamental Rule 7 – A firm must deal with its regulators in an open and co-operative way, and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.

[2] Senior Manager Conduct Rule 4: ‘You must pay due regard to the interests of customers and treat them fairly.’ Senior Manager Conduct Rule 5: ‘You must observe proper standards of market conduct.’