The PRA's expectations on outsourcing and third party risk management

At the end of March, the Prudential Regulation Authority (PRA) published Policy Statement 7/21 (PS7/21) and Supervisory Statement 2/21 (SS21/2) which set out its expectations of PRA-regulated firms regarding outsourcing and third party risk management.

The publications are part of the wider operational resilience policy package released jointly with the Bank of England (the Bank) and the UK Financial Conduct Authority (FCA). For further information on this policy package, please see our previous post here.

In this post, we briefly explain the background to these publications and review the implications for both PRA-regulated firms and service providers. Briefly, the financial services firms to which SS21/2 is directed are:

• banks, building societies, and PRA-designated investment firms (banks);
• insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents (insurers); and
• branches of overseas banks and insurers (third-country branches).

It is important to note that while these firms are regulated by the PRA for prudential purposes, they will also be subject to the FCA in regards to the conduct of business matters. As such, the outsourcing and third party arrangements of the firms within scope of SS21/2 are of interest to both the PRA and the FCA; albeit that the regulators will apply different, but complementary lenses in supervising firms’ approaches to those arrangements.

Key takeaways

• In SS21/2, the PRA does not diverge from the prevailing principle that firms remain responsible for compliance with regulatory expectations. The existence of an outsourcing or third party arrangement does not diminish a firm’s – and its Senior Managers’ – responsibilities.
• The SS comes into effect in under 12 months’ time. This means that, from 31 March 2022, firms are expected to meet the PRA’s requirements as set out in SS21/2. PRA-regulated firms will need to use this short implementation period to overlay the PRA expectations onto their outsourcing and third party arrangements. For large, complex firms, it is likely that the implementation of the requirements will require a cross-divisional project for which express accountability should be assigned to a Senior Manager.
• While SS21/2 and the associated PS are relevant for PRA-regulated firms, they are also relevant to unregulated third party service providers as these documents provide information about the expectations which their PRA-regulated customers must meet to maintain regulatory compliance and to be operationally resilient. The relevance for third party service providers includes those third parties which are within the same group as the firm and those which are external to the firm’s group.
• SS21/2 and PS7/21 is set against the backdrop of earlier EU legislation and guidance, in particular guidance issued by the European Banking Authority (EBA). The SS provides further clarity on how regulated firms ought to engage and contract with third parties. In particular, the SS goes further than the “outsourcing” arrangements covered in the EBA Guidelines, to also consider non-outsourcing third party agreements which are either material or high risk.
• The PRA does not dictate a one-size-fits-all approach. As described at 3.1 of the SS21/2, firms are expected to meet the requirements in SS21/2 “in a manner appropriate to: their size and internal organisation; the nature, scope and complexity of their activities; and the criticality or importance of the outsourced functions, in line with the principle of proportionality.”
• Intragroup arrangements are not to be treated as inherently less risky than arrangements with third party service providers outside of a firm’s group.
• The SS clarifies that PRA-regulated firms should assess the risks of sub-outsourcings before entering into any arrangements to ensure visibility of the supply chain. Where the sub-outsourcing meets the materiality criteria, the PRA has more onerous expectations of the firm and its ongoing responsibility to oversee any material sub-outsourcing.

The background

Prior to Brexit, the UK requirements on outsourcing were largely covered in EU legislation and materials issued by the EU supervisory bodies. Of particular relevance in the context of SS21/2 are the EBA Guidelines on outsourcing which were published in February 2019 and entered into force on 30 September 2019, and for which transitional provisions apply until 31 December 2021. The UK FCA notified the EBA of its intention to comply with the EBA Guidelines in February 2019. The FCA's approach is important because firms subject to the PRA's SS will also be subject to the FCA's requirements.

The SS is annotated with wording to say that it 'comes into effect' on 31 March 2022, but this should not be misunderstood. It means that outsourcing arrangements entered into, on or after 31 March 2021 should meet the expectations in the SS by 31 March 2022.  Firms should also seek to review and update their outsourcing arrangements entered into before 31 March 2021 (legacy agreements) “at the first appropriate contractual renewal or revision point” as soon as possible on or after 31 March 2022.

The PRA's text recognises that some legacy arrangements may not have a suitable renewal point before 31 March 2022; this enables firms to make the revisions to legacy arrangements which are required to meet the PRA's expectations at the first available renewal point after 31 March 2022.  In effect, on 31 March 2022, firms are likely to have a mix of the following:

• arrangements entered into after 31 March 2021 which meet the expectations set out in the SS; and
• legacy arrangements, which have not yet been revised but for which there is an upcoming renewal or revision point which will be used at the first available opportunity to make revisions to bring the arrangement into line with the PRA's expectations.

While the March 2022 date in SS21/2 and the December 2021 date in the aforementioned EBA Guidelines do not align, this timing issue is unlikely to have significant practical implications from the UK regulators' perspective. The PRA has explicitly stated that SS21/2 implements the EBA Guidelines in a manner aligned to the PRA’s expectations, while the FCA has said that it does not expect firms to report to it on their progress to meeting the 31 December 2021 deadline. However, where arrangements of critical or important outsourcing arrangements entered into on or after 31 March 2021 have not been finalised by 31 March 2022 both the PRA and the FCA expect to be informed.

For firms operating internationally, the EBA timescales and/or any other jurisdictional requirements may need to be factored into firms' compliance programme/s.

The PRA’s overarching aim is that firms appropriately manage third party dependencies to mitigate risk to the PRA’s statutory objectives. While the SS elaborates on the definition of “outsourcing” as used in the relevant Parts of the PRA Rulebook, the SS also notes that some arrangements with third parties fall outside of the scope of the PRA Rulebook definition. However, the SS reminds firms that third party arrangements nevertheless remain subject to the PRA’s Fundamental Rules and relevant rules on risk management and governance.

Practical steps for firms

The key areas with which the PRA-regulated firms should ensure compliance include:

• Proportionate, risk-based, suitable controls for any material and/or high risk third party arrangements: The SS states that firms should assess all third party arrangements for materiality and high risk, irrespective of whether they fall within the definition of outsourcing, using all the relevant criteria from Chapter 5 of the SS.

As a guide, materiality is determined where a defect or failure in its performance could materially impair the financial stability of the UK, or a firm’s: (i) ability to meet the threshold conditions for authorisation and to remain authorised; (ii) compliance with the Fundamental Rules; (iii) requirements under “relevant legislation”’ and the PRA Rulebook; or (iv) safety and soundness, including its financial resilience (i.e., assets, capital, funding, and liquidity) or operational resilience (i.e., its ability to continue providing important business services).

Where non-outsourcing, third party arrangements are deemed to be material or high risk, then effective, “proportionate, risk-based, suitable controls” should be implemented. These should be equally robust and commensurate to the materiality or risk exposure of the arrangement. If materiality is determined, the requirements include notifying the PRA of the material arrangements entered into or amended, and implementing follow-up actions such as enhancing due diligence, governance or risk management, or rewriting an agreement where necessary.  Chapter 6 of the SS also provides further guidance on what should be included in written material outsourcing agreements.

• Intragroup arrangements not to be inherently treated as lower risk: The SS states that intragroup arrangements are not to be treated as inherently less risky than those with service providers outside of a firm’s group. However, the SS also provides that:
  • firms can comply with some of the outsourcing requirements proportionately, depending on their level of “control and influence” over the entity that is providing the outsourced service;
  • the determination of the level of control and influence can be based on the group’s governance structure, the allocation of senior management functions, the ability to alter intragroup outsourcing arrangements and the consistency of group wide standards; and
  • firms may leverage existing regulatory frameworks to also meet expectations for intragroup outsourcing agreements.

The SS sets out additional examples of how proportionality can apply to intragroup arrangements and third-country branches. For example, a firm may adjust its vendor due diligence, adapt certain clauses in outsourcing agreements and rely on group policies and procedures, as long as it complies with its UK legal and regulatory obligations and allows it to manage relevant risks.

• Outsourcing arrangements: The PRA expects that if a third party service provider in a material outsourcing (or other relevant third party) arrangement is unable or unwilling to include certain terms within its contract that reflect the firm’s obligations, that firm should inform the PRA. Beyond this, the PRA also has proposals for an online portal to integrate and streamline existing notification obligations, and where firms will be required to submit information on their outsourcing and third party arrangements.
• Data security: None of the expectations in the SS should be interpreted as explicitly or implicitly favouring or imposing restrictive data localisation requirements. However, the PRA expects firms to adopt a risk-based approach to the location of data that allows them to leverage the operational resilience advantages of outsourced data being stored in multiple locations while managing relevant risks.

Conclusion

SS21/2 offers helpful insight into the PRA’s expectations on outsourcing and third party arrangements. Increasing interdependencies between the regulated and unregulated sectors and digitalisation has driven regulatory focus on operational resilience, of which outsourcing and third party risk management are a key element. The importance of firms effectively and efficiently managing outsourcing and third party risk is crucial. As the PRA’s Deputy CEO and Executive Director for the Regulatory Operations and Supervisory Risk Specialists observed in their speech on 5 May 2021:

“There is no bail out option if your firm is unable to function because of an operational incident. There is no operator of last resort function in Threadneedle Street.”

Firms should expect both the PRA and the FCA to closely scrutinise their systems and controls around outsourcing and third party arrangements; for example, this may mean short notice requests for outsourcing registers and related information. Firms which are not able to demonstrate good, effective management of this risk may be expected to face increased scrutiny from supervisors. In some circumstances, regulatory enforcement is a possibility. The potential outcomes of enforcement include fines, limitations being imposed on the firm’s activities, public censure/publicity which may damage the firm’s reputation with clients and stakeholders, and significant remedial work.

In conclusion, while the finalising of the PRA’s expectations on outsourcing and third party risk management within the context of operational resilience is an important milestone, the broader operational resilience landscape will continue to develop both at the domestic and international level. While the outcomes of different policies from different jurisdictions may be well aligned, approaches and timelines will differ which will create complexity for firms operating cross-border.

Key dates summary

Our Operational Resilience Hub helps to keep you up to date on the upcoming regulatory expectations. The hub features an interactive timeline which covers a number of jurisdictions and output from global standard setters such as the BCBS. The content includes operational resilience, cyber resilience, outsourcing, and more.