Regulators publish rules on operational resilience for finance sector

The Bank of England, FCA and PRA have published an updated policy summary and finalised operational resilience rules, which come into effect on 31 March 2022.

17 May 2021

Publication

On 29 March 2021, the Bank of England, FCA and PRA jointly issued a paper explaining their policy on strengthening operational resilience in the financial sector. This follows on from their joint Discussion Paper published in July 2018 and resulting consultation papers (CPs) on implementation launched by the FCA and PRA in December 2019. The key outcomes from the consultations and resulting amendments to the rules are summarised in this article, with a focus on the policy's impact on outsourcing and other third party arrangements. For background on the Discussion Paper and consultation papers, please see our article on the topic.

The majority of changes reflected feedback requesting further alignment and harmonisation of the FCA and PRA proposals with the EBA Guidelines on Outsourcing, and additional guidance on the scope and expectations relating to key concepts such as important business services, impact tolerance, intolerable harm, mapping, governance and self-assessment.

FCA Policy Statement PS21/3

The FCA's policy statement summarises responses to consultation CP19/32 and provides minor amendments to the proposed rules, as well as additional guidance on important points, as a result of feedback it received. The FCA has largely implemented the proposed rules as consulted on, but has provided further clarity on the level of granularity expected of firms by adding varied case study examples throughout the policy statement, as well as giving firms more time and flexibility to meet mapping and scenario testing requirements.

The FCA has not proposed new requirements in relation to third-party service provision and outsourcing, as existing rules were deemed sufficient. However, the policy statement provides that in relation to mapping important business services and scenario testing which involve third party providers, firms are still responsible for mapping these relationships accurately and understanding potential vulnerabilities. If third parties cannot or will not provide sufficient information, then firms may need to review and where necessary change their arrangements. Ultimately, if a third-party provider supplying an important business service to a firm fails to remain within impact tolerances, that failure will be the responsibility of the firm.

Firms have one year to implement necessary changes before the operational resilience rules and guidance come into force on 31 March 2022. During this implementation period, and before 31 March 2022, firms should carry out mapping and scenario testing to the level of sophistication necessary to accurately identify important business services, set impact tolerances and identify vulnerabilities in their operational resilience. From 31 March 2022 to 31 March 2025, there will be a three-year transitional period for firms to implement measures to enable them to remain within their impact tolerances. However, the FCA is clear that a firm that is not making reasonable effort to remain within its impact tolerances during the transitional period would be in breach and consequently, firms should remain within their impact tolerances as soon as reasonably practicable during this period.

PRA Policy Statement PS6/21

PS6/21 sets out feedback received on consultation CP29/19, lists resulting clarifications and minor amendments made to the rules in the new supervisory statement SS1/21 and group supervision part of the PRA rulebook, and publishes a new statement of policy, in relation to operational resilience and impact tolerances for important business services.

In the CP, the PRA introduced a requirement for firms to assure themselves that third party providers do not limit a firm's ability to remain within its impact tolerances ("assurance work"). Many respondents to the CP indicated that the PRA should take an active role in liaising with large third party providers and facilitating independent certification methodologies to avoid duplication in assessment of third party providers by individual firms. The PRA's response has been to emphasise that the responsibility for ensuring the operational resilience of third parties lies with individual firms, although the PRA would encourage an industry solution based on synergies in assurance work. The supervisory statement requires that firms exercise their access, audit and information rights with material outsourcing providers to assess whether the providers are providing services effectively and in compliance with firms' operational resilience obligations. However, firms can use offsite or onsite audits, certificates or independent reports to assist with these requirements, including the pooling of audits in collaboration with other firms.

Furthermore, the PRA has responded to feedback to provide clarification on the expectations for firms in relation to undertaking assurance work, updating the supervisory statement to confirm a proportionate approach should be used. This may mean it is not always appropriate to carry out sophisticated testing on large third party providers, in which case alternative methods can be used to gain assurance of providers' operational resilience, such as desktop testing. If firms can satisfy themselves that a third party has undertaken scenario testing and can evidence this, that may be sufficient.

Regarding sub-outsourcing, firms should ensure service providers are able to appropriately oversee any material sub-outsourcing, including by confirming the provider has implemented robust testing, monitoring and control over its sub-outsourcing.

The expectations detailed in the supervisory statement are effective from 31 March 2022. Before then, firms should carry out mapping and scenario testing to the level of sophistication necessary to accurately identify important business services, set impact tolerances and identify vulnerabilities in their operational resilience. Firms are then expected to have a prioritised plan setting out what steps they will take in order to be able to remain within their impact tolerances within a reasonable time, and no later than by 31 March 2025.

PRA Policy Statement PS7/21

PS7/21 covers feedback from the PRA on consultation CP30/19 and consequent amendments to rules as finalised in supervisory statement SS2/21 in relation to outsourcing and third party risk management. The PRA has confirmed that the final SS2/21 has been reviewed to implement and ensure consistency with the EBA Guidelines on Outsourcing and parts of the EBA ICT Guidelines relevant to the management of ICT third-party risk.

Scope. The PRA has amended the draft policy scope to confirm that third party arrangements provided in a prudential context are no longer presumed to fall within the definition of outsourcing in the PRA Rulebook and instead, materiality should be assessed using the same criteria as for other third party arrangements. Further, the PRA has clarified that if a firm outsources a service within the scope of operational continuity in resolution requirements, this arrangement will generally constitute 'material outsourcing', although 'material outsourcing' will also encompass other outsourcing arrangements that could impact a firm's safety and soundness.

Notification. When selecting a new third party provider, it might be appropriate for firms to notify the regulator of a planned material arrangement before a final service provider has been selected. Additionally, an amendment to the supervisory statement now requires firms to give the PRA notice of material non-outsourcing third party arrangements, as well as material outsourcing arrangements as previously proposed. Firms should also make the PRA aware if a third party service provider in a material arrangement is unable or unwilling to include contractual terms required for the firm to comply with its obligations.

Data security. According to the supervisory statement, firms are expected to implement appropriate measures to protect outsourced data (depending on the materiality and risk of the outsourcing arrangement) and set out these measures in their outsourcing policy or material outsourcing contracts. An illustrative list of these measures and controls is detailed in the supervisory statement and includes configuration management, encryption and key management, identity and access management, the ongoing monitoring of insider threats, incident detection and response, loss prevention and recovery, and staff training. Further, these rules on data security have been extended to apply to all outsourcing and third party arrangements, in order to align with the EBA ICT Guidelines. Following confusion among respondents to the CP, the PRA has also clarified in the supervisory statement that only the data protected by encryption (not necessarily the encryption keys themselves) should be provided to the PRA in an accessible format if required.

Record-keeping. The PRA is planning a follow-up consultation on record-keeping, which would set out detailed proposals for an online portal to integrate and streamline notifications, on which firms would need to submit information on their outsourcing and third party arrangements. In the meantime, firms should continue to meet existing record-keeping requirements (including with regard to maintenance of an outsourcing register). Hence, for those caught by the EBA Guidelines on Outsourcing, this means following the record-keeping expectations in those Guidelines.

Firms must comply with the expectations detailed in the supervisory statement by 31 March 2022. Therefore, outsourcing arrangements entered into on or after 31 March 2021 should meet these expectations by 31 March 2022. This is an odd formulation, but practically it means ensuring compliance as soon as possible after 31 March 2021 and no later than 31 March 2022. However, in relation to legacy outsourcing agreements, the PRA has amended its guidance to be more pragmatic: firms are now asked to review and update these agreements at the first appropriate contractual renewal or review, in order to meet the supervisory statement expectations as soon as possible on or after 31 March 2022. Similarly, firms no longer need to inform the PRA if they have not met this timeline. This apparent relaxation appears helpful at first glance, but it is complicated by the fact that the FCA has not yet aligned its approach (and by the fact that other European regulators with jurisdiction over a firm may not have similarly relaxed the deadline and remediation expectations).

Next steps

Over the past year, the operational resilience of firms has been tested to an unprecedented level. In responses to the CPs, firms acknowledged developing increased awareness of dependencies across firms, sectors and markets (including on third parties and outsourcing arrangements) and the importance of coordinating approaches to operational resilience at an international level. The disruption caused (which regulators admit has not been as severe as they would have expected) has proved the importance of reinforcing operational resilience, and the PRA, FCA and Bank of England are keen to capitalise on these learning points and to use the momentum of the pandemic to push firms towards a greater level of operational resilience as soon as reasonably practicable.

As set out in this article, firms should now begin mapping important business services and conducting scenario testing to comply with operational resilience requirements, as well as considering their new obligations in relation to notifications to regulators and executing the re-papering of outsourcing arrangements.


This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.