PRA consultation paper on outsourcing and third party risk management

The Prudential Regulation Authority (PRA) published a consultation paper on outsourcing and third party risk management in December (the Outsourcing CP).

09 March 2020

Publication

The Outsourcing CP intends to implement and elaborate on the European Banking Authority (EBA) Guidelines on Outsourcing (the Guidelines) and in doing so, modernise the UK regulatory framework governing outsourcing and third party service provision. The Outsourcing CP was published at the same time (and will be consulted upon over the same time period) as:

  • a separate but closely connected PRA consultation paper on
    operational resilience and impact tolerances (the PRA Operational
    Resilience CP); and

  • an FCA consultation paper on building operational resilience (the FCA
    Operational Resilience CP). This paper also considers the topic of
    outsourcing and third party risk management but in far less detail
    than the Outsourcing CP (see more comments below).

Operational resilience (which relates to the ability of firms and the financial sector to prevent, adapt, respond to, recover and learn from operational disruptions) is high on the regulatory agenda. Whilst operational resilience is heavily about a firm’s internal processes, resourcing, oversight and controls, it can be greatly affected by outsourcing and other third party services arrangements. This is the reason that the related topics are being considered in a coordinated fashion by both the PRA and the FCA.

A summary of the key points and developments in the Outsourcing CP is set out below.

Status, application and relationship between outsourcing rules and guidance

As mentioned above, the Outsourcing CP implements the Guidelines applying to service outsourcings. The Guidelines became effective on 30 September 2019 and in-scope financial institutions must make every effort to comply with them.

The FCA had previously notified the EBA of its intent to apply the Guidelines, whereas the PRA signalled its intent to do so by 30 June 2020, after consulting with the industry on the PRA’s exact approach and implementation documentation (i.e. the Outsourcing CP), although the exact relationship between the Outsourcing CP and the Guidelines is a little unclear.

Confusingly, despite efforts to harmonise regulatory outsourcing rules, they are still something of a patchwork. Different rules and principles (that are often fundamentally similar) continue to apply to different types of firms. The Guidelines and the outsourcing consultation papers which are the subject of this article apply broadly as follows:

EBA Guidelines

  • Credit Institutions;
  • Investment Firms;
  • Payment Institutions; and
  • Electronic Money Institutions.

Outsourcing CP

  • Banks;
  • Insurers;
  • Designated Investment Firms;
  • Third Country Branches of Banks and Insurers; and
  • Credit Unions and Non-Directive Firms (limited application).

FCA Operational Resilience CP

  • Banks;
  • Building Societies;
  • Designated Investment Firms;
  • Solvency II Firms;
  • Recognised Investment Firms;
  • Enhanced Scope SM&CR Firms;
  • Payment Institutions; and
  • Electronic Money Institutions.

The FCA Operational Resilience CP only provides limited detail with regard to outsourcing and implementation of the Guidelines, but what it does say is broadly consistent with the Guidelines themselves and the PRA’s Outsourcing CP. Therefore, firms subject to the FCA’s but not the PRA’s jurisdiction should continue to abide by (and, where relevant, continue to implement) the Guidelines. In any case, firms regulated by the FCA will likely have an interest in the PRA’s Outsourcing CP as indicative of the likely enforcement approach in the UK.

The Outsourcing CP presents a draft Supervisory Statement setting out the PRA’s proposals. Although supervisory statements are not part of the PRA Rulebook, the PRA expects the firms it regulates to comply with supervisory statements as part of the general PRA policy framework.

Firms may wish to seek clarity over the relationship of the Guidelines and the PRA’s planned Supervisory Statement on Outsourcing – and whether firms are expected to comply with both or just the Supervisory Statement. The Outsourcing CP (and its draft Supervisory Statement) raise numerous interpretive challenges if needing to be read alongside and reconciled with the drafting of the lengthy Guidelines. Interestingly, as part of the cost benefit analysis in the Outsourcing CP, the PRA states that it does not expect firms to incur significant additional costs as a result of the proposals set out in the Outsourcing CP. That said, some firms may disagree with the impact of the proposals and may wish to clarify certain key areas with the PRA.

The Outsourcing CP also takes into account the EBA Guidelines on ICT and security risk management (see our separate article on these guidelines).

Scope

Both the Outsourcing CP proposals and the Guidelines distinguish between standard outsourcings and those that are considered higher risk (and therefore warrant the application of more stringent rules). The Guidelines describe high-risk outsourcings as "critical or important" (based on the definition in the MiFID II legislation), whereas the Outsourcing CP refers to "material outsourcing", which is the term used in the PRA Handbook. Although both concepts are broadly similar, the Outsourcing CP states that the definition of material outsourcing should be read as including the definition of "critical or important". The industry is already finding it challenging to establish criteria and processes for identifying and categorising in-scope arrangements. On the face of it, the Outsourcing CP does little to help with this, apart from identifying some types of arrangement which are unlikely to be considered outsourcing, such as the sharing of data through APIs, the purchase of hardware or software ("for example, off the shelf artificial intelligence/machine learning… models") and the use of aggregators by insurance firms.

In relation to cloud services (and new technology adoption more generally) the PRA has restated its objective to facilitate greater resilience and adoption of the cloud and other new technologies. This is consistent with the message conveyed by the Bank of England in its response to the Future of Finance report. Firms are particularly vexed over how to reconcile their cloud strategies (and to achieve anticipated benefits of those strategies, whether relating to cost, agility, resilience or otherwise), with regulatory requirements. Therefore, whilst no-one could sensibly claim that the Guidelines or the Outsourcing CP truly facilitates cloud adoption, it is clearly the PRA’s intent to create a framework and approach that does so in a controlled manner. As a point of focus for the consultation, the PRA “particularly welcomes views on areas where additional regulatory certainty on the use of the Cloud would be beneficial”.

One of the key areas of divergence between the Outsourcing CP and the Guidelines relates to their proposed scope of application. While the Guidelines apply only to outsourcings, many of the Outsourcing CP proposals (together with those in the PRA Operational Resilience CP) will also apply to other third party arrangements. Although it remains to be seen what types of arrangements will fall within this category (the Outsourcing CP provides the purchase of software or technology products and data sharing arrangements for open banking purposes as examples), the extension widens the scope of application of some requirements under the Outsourcing CP, consistent with the regulators’ broader focus on operational resilience beyond the context of outsourcing arrangements.

Proportionality

Although both the EBA and the PRA emphasise the need to apply their respective rules in accordance with the principle of proportionality, the Outsourcing CP provides examples of how this can be achieved in practice.

For example, the Outsourcing CP distinguishes between significant and non-significant firms (for the purposes of the Outsourcing CP, significant firms are those whose supervisory contact has indicated that they are impact category 1 or 2). The Outsourcing CP further states that non-significant firms should apply the rules in the Outsourcing CP in a proportionate manner; for example, by considering whether to outsource their internal audit responsibilities, or by preparing their outsourcing policy in accordance with some (but not necessarily all) of the applicable requirements set out in the Outsourcing CP.

Additionally, although both the Guidelines and the Outsourcing CP proposals state that intra-group outsourcing arrangements are not inherently less risky than third party outsourcing, the Outsourcing CP acknowledges that it may be appropriate to take a more proportionate approach to intra-group outsourcings in some cases (for example, where the outsourcing party exerts "control and influence" over the intra-group service provider, which is more likely to be the case where the service provider entity is a subsidiary, rather than the parent company, of the customer entity). This may warrant firms taking a risk-based approach to which clauses are included in an outsourcing arrangement. The PRA intends to publish further advice on the concept of control and influence in due course.

PRA notification

The PRA will continue to require that firms notify it before they enter into, or make significant change to, any of their material outsourcing arrangements. The Outsourcing CP puts strong emphasis on the need for ongoing monitoring to identify whether any outsourcing arrangement not initially identified as material becomes or is likely to become material.

The PRA is also at pains to point out that assessment of materiality needs to take place early enough to enable timely notification to the PRA with all relevant information (to allow the PRA to meaningfully assess that arrangement before it is entered into).

Outsourcing register

The Outsourcing CP reiterates the Guidelines’ requirements for firms to maintain a record of their outsourcing arrangements, distinguishing between material and non-material outsourcing arrangements (an Outsourcing Register). In particular, the Outsourcing CP acknowledges the importance of the Outsourcing Register in helping the PRA identify systemic risk and concentration risks. The Outsourcing CP provides guidance to firms on how to fill in the qualitative data fields of the Outsourcing Register, which should, helpfully, drive simplicity and consistent approaches to categorising arrangements and the provision of succinct information on assessments made by a firm (for example, as to materiality or risk).

In the longer term, the PRA is considering introducing an online portal for firms’ Outsourcing Registers and is also considering extending the register to cover third party arrangements in addition to outsourcing. The PRA is keen to hear consultation responses in relation to these ideas. If they go ahead, a further consultation will take place on the practicalities and timeframes.

Legacy contract remediation

The PRA also confirms in the Outsourcing CP that it may agree extended timeframes for remediating legacy outsourcing arrangements for compliance with the Guidelines. The Guidelines included a backstop date for remediation of existing contracts to be completed by the end of 2021. The PRA states that it will approach the question of extensions with individual firms on a case-by-case basis. It should not be assumed that an extension will be granted and firms should therefore continue to remediate their non-compliant outsourcing agreements.

Data security

The Guidelines put great emphasis on the importance of data security and the need for firms to have a sophisticated understanding of data security as well as effective controls in place. The Outsourcing CP also puts detailed focus on this area. Firms will need to understand, define, and document their own responsibilities regarding data, and those of the service provider and take appropriate measures to protect that data. Firms should classify data based on confidentiality and sensitivity, identify potential risks regarding outsourced data and their impact, and agree an appropriate level of data availability, confidentiality and integrity. Firms’ data classification should take into account which data would need to be accessed (and potentially moved) as a priority in the event of any disruption.

The Outsourcing CP also proposes that firms should implement measures to protect outsourced data and set these measures out in their outsourcing policy and agreements for material outsourcing. Risks which the PRA expects firms to consider in particular include inappropriate access, insider threats, loss or unavailability of data, and unauthorised modification of data.

The location of data should also be considered and controlled, balancing potential legal risks of transferring data between countries, the PRA’s ability to access data, and conflicting legal requirements, with the advantages to operational resilience of outsourced data being stored in multiple locations.

A number of the examples provided by the PRA in the Outsourcing CP to demonstrate appropriate compliance measures are cloud service-specific, demonstrating the regulatory focus on enabling the use of cloud technologies, albeit in a sophisticated and responsible manner.

Audit and access rights

The Outsourcing CP builds on the access rights contained in the Guidelines, restating, in particular, the importance of access rights in assessing a service provider’s business continuity measures.

The Outsourcing CP also encourages firms to exercise their audit, access and information rights in an outcomes-focused manner. It stresses the potential advantages of using some of the less-onerous auditing methods such as pooled audits and third party certifications and encourages firms to choose the audit methods they consider appropriate to meet their legal, regulatory, operational resilience and risk management obligations (keeping in mind that the level of assurance expected will be more onerous in the case of significant firms and material outsourcings).

Where pooled audits lead to common, shared findings, each participating firm should assess the findings and follow up individually as required.

The Outsourcing CP also provides guidance to firms on the types of requirements that should be set out in any certificates and reports.

Sub-outsourcing

The Outsourcing CP proposes that firms should assess the risks of sub-outsourcing, paying particular attention to the potential impact of long and complex chains of sub-outsourcing on operational resilience and oversight of the outsourcing arrangements. Firms may not be able to monitor all sub-outsourcing but should at least monitor sub-outsourced providers involved in the provision of important business services. Specific guidance from the PRA as to how it expects firms to monitor sub-outsourced providers would be helpful.

Business continuity and exit

Firms should have in place business continuity plans and exit strategies for their material outsourcing agreements, differentiating between stressed and non-stressed exits. Stressed scenarios include service disruption, outage and insolvency, and non-stressed scenarios include exit for commercial, performance or strategic reasons. Given the higher risk of business disruption and operational resilience issues with stressed exits, this is the main area of focus in the Outsourcing CP. Notwithstanding this particular focus of the Outsourcing CP, firms will be aware that the same business disruption and operational resilience issues can arise in non-stressed exits so their approach may not be that different in practice.

The Outsourcing CP also encourages firms to actively consider temporary measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit, even if they are not suitable long-term solutions.

Notably, the PRA’s proposals encourage firms to test and develop their business continuity and exit plans for material outsourcings, in particular for stressed exits, during the pre-outsourcing phase in order to identify alternative service providers at an earlier stage and estimate the resources that may be required.

The Outsourcing CP lists a number of best practice business continuity examples taken from the insurance industry, the majority of which may also be helpful for other types of firms.

Next steps

The consultation is open for comments until 3 April 2020. Subject to the feedback received by the PRA, the final rules will be published in 2020.

Simmons + Simmons, on behalf of its clients, is able to submit a response to the consultation with its views on the regulators’ proposals. Please get in touch if you would like to discuss further.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.