PRA - New rules on outsourcing and risk management
On 31 March 2021, the PRA published a Supervisory Statement containing additional requirements on outsourcing and third-party risk management, with a 31 March 2022 deadline for compliance.
The regulator is seeking to ensure that firms apply governance and controls to third-party dependencies which adequately mitigate risks to their safety and soundness, to policyholder protection (for insurers) and to UK financial stability.
The rules apply to:
The rules are applicable to all forms of outsourcing under the PRA’s definition: ‘an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself’.
However, where firms may have non-outsourcing third party arrangements in place that could impact the PRA’s objectives, the PRA expects firms to assess the materiality and risks of all third-party arrangements irrespective of whether they fall within the definition of outsourcing.
The new rules are aligned with existing FCA rules and guidance on outsourcing as outlined in the Systems and Controls (SYSC) Sourcebook and in the publication ‘Finalised Guidance 16/5: Guidance for firms outsourcing to the “cloud” and other third party IT services’. Additionally, the rules complement the PRA and FCA requirements on operational resilience, also published on 31 March 2021.
Firms are required to implement appropriate controls for oversight and monitoring across relevant outsourcing activities as detailed below:
Governance
There is an existing requirement on firms to allocate the Prescribed Responsibility for outsourcing-related regulatory obligations to a Senior Management Function (SMF) holder. The regulator’s intention is for this responsibility to encompass the firm’s overall framework for managing outsourcing; in most firms it will sit with the SMF24 (Chief Operations function). Responsibility for specific outsourcing arrangements may sit with the relevant business lines.
The Supervisory Statement details specific responsibilities that should be held by the Board of a firm, including:
Outsourcing policy
Firms and groups must develop and maintain an outsourcing policy proportionate to their size, complexity and organisational structure. They are also expected to inform outsourced and third-party providers of relevant internal policies such as those on outsourcing, information security and operational resilience.
An outsourcing policy can be principles based and need not be contained in a single document. However, the policy is required to cover several elements, including but not limited to:
Pre-outsourcing
i. Materiality
Firms will need to assess the materiality of each third-party agreement and notify the PRA before a material outsourcing arrangement is entered into or materially changed. The PRA has clarified that it will consider the timeliness of these notifications when assessing firms’ compliance with Fundamental Rule 7 [1]. Similarly, material non-outsourcing third-party arrangements may need to be communicated to the PRA, as per Fundamental Rule 7 and Senior Manager Conduct Rule/Conduct Standard 4 [2].
Firms should consider an outsourcing or third-party arrangement as material where a weakness or failure of the service could materially impair the firm’s:
Materiality should be reviewed at appropriate intervals (e.g. during scheduled review periods) as well as:
ii. Due diligence
Firms will need to perform due diligence on all potential service providers before entering into an outsourcing arrangement. They should also identify alternative or back-up providers and, where these are not available, consider business continuity, contingency planning and disaster recovery arrangements to ensure they can continue delivering the relevant important business services within their impact tolerances in the event of a material disruption at their chosen service provider.
In the case of material outsourcing, the PRA expects due diligence to consider the potential providers’:
iii. Risk assessment
Firms must assess and periodically review the potential risks posed by all third-party arrangements regardless of materiality, considering:
Firms and groups will be expected to take reasonable steps to manage risks including concentration risks, vendor lock-in and overall reliance on third parties.
Outsourcing agreements
Material outsourcing arrangements must be documented in a written agreement. Furthermore, the PRA requires these agreements to cover several elements, including but not limited to:
Data security
Where a material outsourcing or third-party agreement involves the transfer of or access to data, the PRA expects firms to define, document, and understand their responsibilities in respect of that data, as well as those of the service provider. Firms will also be expected to take appropriate measures to protect data, including:
Third-country branches
The PRA expects third-country branches to have:
Intragroup outsourcing arrangements
These arrangements will be subject to the same requirements and expectations as external service providers. However, firms may comply with some of the requirements proportionately depending on their level of control or influence over intragroup providers. For instance, they may in certain cases rely on group-level monitoring, business continuity, contingency and exit plans if these arrangements meet the PRA’s requirements.
Sub-outsourcing
The PRA Rulebook acknowledges that a service provider may perform ‘a process, a service or an activity which would otherwise be undertaken by the firm itself […] directly or by sub-outsourcing’.
There is a requirement on firms to identify whether sub-outsourcing meets the materiality criteria and to identify any potential operational risks to the firm’s ability to deliver important business services. Firms should not agree to sub-outsourcing arrangements that give rise to undue operational risk for the firm. Firms must also ensure that:
Business continuity and stressed exits
During the pre-outsourcing phase, once firms have determined that an arrangement is material, they should begin to implement business continuity plans for severe but plausible operational disruptions and require service providers to do the same.
Firms will also need to document an exit strategy, differentiating between stressed and non-stressed exits. This should involve estimating the cost, resourcing and timing implications, as well as identifying the data the firm may need to access, recover or transfer as a priority. Additionally, firms will need to define key performance indicators (KPIs) and key risk indicators (KRIs) which, if breached, may trigger an exit.
Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans using a risk-based approach. Where relevant, this testing should align to, support, or form part of the firm’s scenario testing under the operational resilience requirements.
Clear roles and responsibilities should be assigned for business continuity and exit plans, including sign-off, periodic reviews and activation decisions.
The PRA’s requirements cover all stages of the outsourcing lifecycle. Firms must now review their current outsourcing practices against these new requirements and draft an action plan to address any identified gaps. Outsourcing arrangements entered into on or after 31 March 2021 should meet the PRA’s expectations by 31 March 2022. Legacy outsourcing agreements should be updated at the first appropriate contractual renewal or revision point, so that they meet the new requirements as soon as possible on or after 31 March 2022.
[1] Fundamental Rule 7 – A firm must deal with its regulators in an open and co-operative way, and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice.
[2] Senior Manager Conduct Rule 4 – You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.