Introduction

Over the last few months, regulators in the EU and UK have set out their expectations on cloud outsourcing in considerable detail. While the direction is clear, firms still have a long and challenging road ahead to meet these expectations. This is because of a number of practical issues, including the lack of breadth and depth of specialist knowledge of the cloud and difficulty in maintaining a holistic view of cloud solutions across organisations. It is encouraging that the Prudential Regulation Authority (PRA) is willing to have an open debate about how to best support firms considering moving to the cloud, in line with the recommendations of the Future of Finance report. The PRA’s recent consultation on outsourcing [1] largely mirrors the EBA’s own guidelines and has initiated a more focussed dialogue in the UK around detailed regulatory expectations in specific areas.  

This blog seeks to explore a selection of themes with a view to identifying the practical considerations for financial services (FS) firms to meet regulatory expectations around cloud-based solutions. While the primary audience is UK FS firms, the practical considerations highlighted will be informative for non-UK and non‑PRA regulated firms. Firms need to ensure that they read the PRA’s draft outsourcing requirements in conjunction with its consultation on operational resilience [2] as there are many inter-dependent requirements for them to consider for cloud programmes. 

Firms to take a view of all third party arrangements 

The PRA clarifies that firms need to look at all arrangements with third parties. Firms should ensure that they have appropriate governance and internal controls to identify, manage and report risks resulting from all third-party arrangements, including when they leverage embedded capabilities, such as AI solutions offered by cloud Service Providers (CSPs). 

Materiality and “important business services” 

Given that the PRA’s outsourcing paper should be read alongside its paper on operational resilience, firms will have to review the outsourced business service from two perspectives - firstly, whether it constitutes a material outsourcing arrangement, and secondly, whether it constitutes an important business service under the PRA operational resilience supervisory statement (SS).

In publishing a paper on outsourcing more broadly, the PRA has aligned its requirements with the wider EBA scope which includes all outsourcing arrangements, rather than EIOPA’s narrower focus on cloud outsourcing alone. The PRA’s non-exhaustive list of what would typically count as material outsourcing will likely provide some pointers for firms designing their evaluation approach.

For firms designing their approach to materiality assessments, it is important to note that what is perhaps not material at pre-outsourcing assessment stage may very soon turn out to be material as the relationship between the firm and the CSP matures and more services are used, or new sensitive data is migrated. Accordingly, firms need to re-examine periodically the materiality of an outsourced arrangement as its scope, and ultimately risk profile, develop.

In the same vein, firms looking to enter into an arrangement with a CSP may find completing a thorough pre-contract stage materiality assessment challenging, as they may not know some granular details of the arrangement until beyond the contract execution stage. Firms may need access to the cloud environment (post-contract stage) to finalise the detailed design, testing and, ultimately, scope of the CSP service that they will use.

Therefore, the frequency of materiality assessments and the related risk and control framework adequacy reviews need to be synchronised with the outcomes of the broader design and testing activity. The fluidity of the scope and extent of services that may be used over time also require robust governance that provides a single view of all CSP services used across the organisation, across multiple teams, and the cumulative impact on materiality. This needs to be considered alongside the concentration risk to fourth parties which is discussed further below.

Additionally, all this needs to feed through to the wider operational resilience regulatory change programme, which the PRA operational resilience SS envisages having a maximum implementation timeline of three years.

Governance and individual accountability

The PRA expects firms’ boards to assess and manage the full range of cloud outsourcing risks to which the firm is exposed, including setting the control environment. This includes building a clear picture of a firm’s reliance on CSPs, and ensuring that effective risk management strategies for dealing with CSPs are in place.

In addition, the governance around outsourcing to the cloud is inextricably linked to the Senior Managers and Certification Regime. The PRA expects the prescribed responsibility for a firm’s regulatory obligations in relation to outsourcing to be allocated to (one of) the individuals performing the Chief Operations Senior Management Function (SMF 24), requiring clear senior management understanding and implementation of the firm’s overall policy, framework and systems and controls in relation to outsourcing. Under the PRA operational resilience SS, the individual(s) performing SMF24 should also hold overall responsibility for implementing operational resilience policies and reporting to the Board.

This requirement also reinforces the need for firms to consider operational resilience and outsourcing arrangements in unison. Boards and senior management, specifically Risk Committees, will need to show comprehensive understanding of the business, technical and execution risks associated with cloud migration. We know that this is already a key area of scrutiny when firms engage the regulators around their cloud migration plans.  

In order to demonstrate this, regular reporting to senior management from both risk and technology teams, with alignment on the pace of cloud adoption within the firm, will be important. Developing expertise at Board level to review and challenge the cloud adoption strategy and related risk management measures will continue to stretch firms migrating from in-house legacy infrastructures. We often see organisations struggling to align their Board-approved cloud strategy to the eventual operational management of the cloud and risk management processes but the emphasis on individual accountability within the PRA outsourcing SS may help to reinforce the importance of achieving alignment.

Business continuity plans and exit strategies

For material outsourcing arrangements, the PRA expects firms to develop, maintain and test a business continuity plan and an exit strategy. This is another area that Boards and senior management need to consider alongside the wider impact tolerance testing of “severe but plausible” scenarios, as part of the IT operational resilience change programme.

People, processes, technology, facilities and information required to deliver each material cloud outsourcing arrangement should be mapped, along with Board-level approval.

Firms are also required to develop and document an exit strategy, detailing how they will leave a material cloud outsourcing arrangement under stressed and non-stressed conditions. The PRA does not have a preferred form of exit in either case – its focus is on the outcome of the exit, as opposed to the means by which it is achieved. The practical challenge of lifting and shifting large amounts of data and capabilities in a stressed scenario from a CSP in a short space of time is an important one. From an industry perspective, there is no clear view of what is deemed an acceptable period of time to do this. The requirement for firms to develop, maintain and test these plans as far as possible may be particularly concerning. This is particularly the case for complex cloud-based systems, where services can be fully defined only after testing on the cloud environment, following contract finalisation.

One notable point in the PRA outsourcing SS is the requirement on firms to notify the PRA of prospective material outsourcing arrangements before they sign the contract. We know that  a number of firms have left this until late in their cloud migration journey, resulting in significant delays to the project as a result of having to respond to the PRA’s questions on their plans.

Areas for future regulatory focus

Concentration risk

The development of outsourcing registers will enable firms to understand their own level of concentration risk to an outsourced provider, including an overview of sub-outsourcing. As time progresses, and as registers at the individual firm level are completed, a more comprehensive industry-wide picture of concentration risk will be available for regulators.

In the meantime, regulatory discussions around managing systemic third-party concentration risks will continue in the international fora, but will proceed slowly. The EU can be expected to take the lead, after the European Commission launched a consultation [3] in December 2019 on a potential initiative on digital operational resilience in financial services, with a legislative proposal expected to follow later in 2020. 

The consultation seeks views on a potential oversight framework for ICT third party providers, along with specific measures to address concentration risk, including diversification strategies.

Access, audit and information rights

Practically managing access, audit and information rights in contracts with CSPs will continue to be challenging for firms. Particularly, ensuring that contracts provide firms, firms’ auditors, the PRA and the Bank of England with “unrestricted access” to the data, devices, information, systems and networks used for providing the cloud service, along with access to the CSPs’ personnel and premises. It is particularly difficult for firms to manage these rights in contracts, given the ease of deploying cloud-based solutions internationally, and CSPs’ reluctance to share the physical location of their underlying infrastructure. 

In the context of access, audit and information rights, the PRA, in principle, supports pooled audits organised by groups of firms sharing one or more CSPs. Despite offering cost and operational efficiencies, questions remain around the extent to which pooled audits are an effective method of auditing CSPs, as the audit must still be tailored to the specific risks of each firm and its outsourcing arrangement. Moreover, further clarity would be welcome in two areas: firstly, guidance around the level of detail that individual firms will need to secure in pooled audits; and secondly, clarity around the level of reliance that firms can place on CSPs’ own assurance certifications. In the interim, in our view, the European-wide application of proportionality should continue to be used as a frame of reference.

Next steps 

This package of publications on outsourcing and operational resilience clearly sets out the direction of travel for the PRA’s approach to FS firms’ use of CSPs.

Firms will welcome the level of detail set out in these publications to promote consistency, including materiality criteria, data security factors and the outsourcing register. It is never easy for a FS regulator to strike a balance between allowing firms to be part of an ecosystem dominated by large, currently unregulated CSPs and managing the resulting risks, including potentially risks to financial stability.  It is therefore positive that the PRA has opened a dialogue with industry and is seeking practical solutions to address key regulatory focus areas. Both the outsourcing and operational resilience consultations close on 3 April 2020.




------------------------------------------------------------------------

Footnotes


[1] The PRA’s recent consultation paper (CP) on “Outsourcing and third party risk management”, including a draft supervisory statement (PRA outsourcing SS). The CP is relevant to all UK banks, building societies and PRA-designated investment firms; insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents; and branches of overseas banks and insurers. The draft outsourcing SS implements the European Banking Authority’s (EBA) “Guidelines on Outsourcing Arrangements” (EBA outsourcing guidelines) and takes into account the European Insurance and Occupational Pensions Authority (EIOPA) ”Guidelines on outsourcing to cloud Service Providers” (EIOPA cloud outsourcing guidelines).

[2] The PRA’s recent CP on “Operational resilience: impact tolerances for important business services”, including a draft supervisory statement (PRA operational resilience SS).

[3] The Commission’s recent CP on “Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure”