BoE consultation papers on FMI outsourcing & third party arrangements

On 14 April 2022 the Bank of England published three consultation papers, inviting comments on its proposals.

16 May 2022

Publication

On 14 April 2022 the Bank of England (BoE) published three consultation papers, inviting comments on its proposals relating to outsourcing and third party risk management in Financial Market Infrastructures (FMIs) (the FMI Consultation Papers).

The FMI Consultation Papers set out:

  • draft supervisory statements for central counterparties (CCPs) and central securities depositories (CSDs); and

  • draft supervisory statements, and a proposed new chapter of the BoE Code of Practice, for recognised payment system operators (RPSOs) and specified service providers (SSPs),

together referred to as FMI entities.

The FMI Consultation Papers are relevant for all FMI entities that are currently supervised by the BoE or those UK entities which are planning to apply to the BoE for authorisation as a CCP, CSD, RPSO or SSP.

Although the supervisory statements are not binding, they provide guidance to the relevant FMI entities on how the BoE will assess compliance with the regulatory framework for outsourcing and its expectations on the relationship between FMI entities and third parties who provide the outsourced services. The aim of these supervisory statements is to facilitate adoption of cloud and similar technologies in response to the BoE's Future of Finance report, as FMI entities' interactions with third parties have evolved significantly and cloud outsourcing has become a particular area of focus.

The proposals within the FMI Consultation Papers apply to all forms of outsourcing that an FMI enters into. They also address issues that are of increased relevance to cloud outsourcing such as data security and business continuity. While there is a focus on outsourcing, the BoE expects FMI entities to assess the risks of all third party arrangements irrespective of whether they fall within the definition of 'outsourcing'.  

The proposed supervisory statements set out the BoE's 'expectations' for FMI entities when entering into outsourcing or third party arrangements, which should be met in a manner appropriate to their size, internal organisation, risk profile, and the nature, scope and complexity of their activities. FMI entities remain fully responsible for discharging all of their obligations, and should ensure that the outsourcing does not result in the delegation of responsibility.

The FMI Consultation Papers have been announced after the publication of the PRA Supervisory Statement SS2/21 on outsourcing and third party risk management (SS2/21). These Consultation Papers appear to carry across the majority of expectations set out in the SS2/21 for PRA Firms to FMI entities. The SS2/21 is intended to be read in conjunction with the EBA outsourcing guidelines and provides practical guidance where service providers are unable to comply with certain EBA requirements. The FMI Consultation Papers on the other hand, while setting out similar, and in places identical, requirements for FMI entities, do not reference the EBA guidelines. Nonetheless there is an obvious overlap among the three sets of guidance, and we don't consider these proposals as a substantial change from the existing position, but rather a development of more specific guidance under the same principles.

There are many requirements set out in the proposed supervisory statements in the FMI Consultation Papers that are directly taken from the SS2/21, including the categorisation of intra-group outsourcing arrangements as being subject to the same requirements, the principle of proportionality, elements of the data security assessment (e.g. classification of data and requirement to obtain appropriate documentation) and record-keeping. However, there are new requirements introduced by the draft supervisory statements proposed in the FMI Consultation Papers. While there are some subtle differences in the focus or requirements in certain areas such as data security and governance, the one key addition in the FMI Consultation Papers is in the pre-outsourcing stage. The FMI Consultation Papers propose to introduce a requirement to seek a non-objection notification from the BoE when notifying it of a critical outsourcing or third party arrangement, or a material change to an existing critical outsourcing or third party arrangement. The SS2/21 only requires the BoE to be notified.

With regard to how the three FMI Consultation Papers compare to each other, the BoE's expectations are broadly similar across the three FMI Consultation Papers and we have summarised some of the key proposed expectations below, including where there is deviation from the SS2/21.

Proposed expectations

  • Risk Assessment. Prior to entering into an outsourcing arrangement or any arrangement with a third party, an assessment should be undertaken to ascertain if it is a critical outsourcing and/or with a critical third party. This will be a subjective determination based on the importance of the outsourced function to the FMI entity, but the draft supervisory statements propose some criteria against which an arrangement can be assessed, and if certain criteria are met, the arrangement will be deemed 'critical'. It should be noted that this definition is not interpreted in light of any regulatory framework that designates third parties as critical but rather the FMI entity's own assessment. When assessing criticality, an FMI entity should consider whether the arrangement affects, wholly or in part, the provision of the FMI entity's important business services. In order to assist with this risk assessment, the BoE expects FMI entities to produce a risk assessment framework with thresholds of criticality. This is in principle a similar concept to the assessment required to be undertaken pursuant to SS2/21 in determining the 'materiality' of an outsourcing. The definitions of "material" and "critical" are analogous in that they focus on the importance of the function to the entity, and both are assessed subjectively.

  • Critical Third Parties. Similar to outsourcings that are considered "material" for the purposes of the SS2/21, where a third party is identified as a critical third party, the BoE expects FMI entities to enhance their due diligence and supervision of the arrangement and has set out a higher level of expectation in Annex F to the consultation papers that entities must meet.

  • Notification. The BoE expects FMI entities to notify it and seek a non-objection notification from the BoE in advance of entering into, or significantly changing, a critical outsourcing or arrangement with a critical third party. As discussed above, the requirement to seek a non-objection notification from the BoE prior to entering into an outsourcing is an additional layer that was not set out in the SS2/21.

  • Contractual Requirements. FMI entities are required to document all outsourcing arrangements, irrespective of criticality, in the form of a written agreement. Where the arrangement is documented by way of an MSA, each outsourced service will need to be documented, which can be through an order form. It is crucial that any agreement provides for the ability for the BoE to supervise the FMI entity and arrangement, and allows sufficient audit and information rights. The draft supervisory statements set out areas that the BoE expects parties to address in an agreement (data security, access, audit and information rights; sub-outsourcing and business continuity and exit strategies) which are the same as required in the SS2/21. The papers similarly set out other key terms which are consistent with the SS2/21 including KPIs, financial obligations, governing law and termination and term provisions. We do not regard the position taken in the draft consultation papers with regard to the written agreement as any more onerous than what is required under the SS2/21 or the EBA guidelines.

  • Governance. The supervisory statements set out certain expectations around board engagement on risks of particular outsourcings or third party arrangements, the allocation of responsibilities and determining relevant risk management policies. These requirements are the same as set out in the SS2/21. However, there is a proposed stronger focus on risk management in the FMI Consultation Papers than was adopted by the PRA. The BoE expects FMI entities to 'perform the function of a risk manager', being responsible for risk management and mitigation, and to undertake appropriate risk mitigation steps where a third party is providing an important business service.

  • Intra-group Outsourcings. Similarly to the SS2/21, the BoE is clear in these FMI Consultation Papers that it does not regard intra-group outsourcing arrangements as lower risk than outsourcings or arrangements with other third parties, and that they should therefore be treated in the same way as any other arrangements. This includes undertaking the risk assessment, documenting the arrangement with a compliant contractual agreement and meeting all other expectations in the FMI entity's relevant supervisory statement, in a proportionate manner.

  • Business continuity and exit. The BoE expects FMI entities to have in place a business continuity plan and an exit strategy that considers both stressed situations and planned commercial exits. These need to be well-tested and documented. While the consultation papers provide guidance on both forms of exit, as in the SS2/21, there is a greater focus on stressed exits.

  • Data security. Data security is particularly relevant for outsourcings and arrangements with cloud service providers (CSPs). Responsibilities of both parties need to be clearly defined and documented, ideally in a contract or policy, and data that is handled by third parties should be classified based on characteristics such as confidentiality and whether it is personal data, with appropriate measures implemented as a result of these classifications. While there are basic principles that are similar across the SS2/21 and the BoE FMI entities consultation papers, the consultation papers go into further detail on areas of data location, data classification and data encryption.

  • Resilience. Where a critical outsourcing is with a CSP, FMI entities are expected to assess resilience requirements that the CSP has implemented, including the recovery time, and decide on a resiliency option considering the potential for cyber-attacks both accidental and deliberate. The SS2/21 sets out the expectation that firms would assess resilience and decide on a cloud resiliency option. While this is a key requirement in the consultation papers, they go further than the SS2/21 to include recovery time and objectives as part of the resilience assessment.

Conclusion

The expectations on FMI entities appear to be broadly consistent with current BoE and PRA expectations under the SS2/21, although RPSOs and SSPs will likely be subject to increased supervision as there is a proposal within the RPSO and SSP Consultation Paper for a chapter to be included for these entities in the BoE's Code of Practice. The new part of the Code of Practice will not apply to CCPs or CSDs as they are subject to their own consultations which should provide an equivalent outcome in respect of the management of the outsourcing and third party risks.

We expect that the expectations in the FMI Consultation Papers will not on the whole impose a greater burden on FMI entities than the SS2/21 expectations that are imposed on PRA Firms. That said, the time taken to enter into an outsourcing arrangement may be longer than for PRA Firms due to the need to receive a non-objection notification from the BoE. There are also additional considerations where FMI entities are entering into outsourcings with CSPs that were not stipulated in the SS2/21. However, it appears that the primary aim of these FMI Consultation Papers is simply to extend the already existing expectations under the SS2/21 and EBA guidelines to FMI entities.

The consultation process will close on 14 July 2022. You can see the three FMI Consultation Papers here in full and any comments on these consultation papers should be addressed to FMIFeedback@bankofengland.co.uk.  

We will continue to provide updates on these FMI Consultation Papers and the implications for the relevant FMI entities following the closure of the consultation process, but please contact the Digital Business team if you have any questions.
