- The PRA has finalised its policy on outsourcing and third-party risk management to facilitate innovation and greater resilience in financial services.
- It includes important amendments and clarifications in areas such as pre-outsourcing, contractual arrangements, audit rights, concentration risk, data security, and business continuity and exit plans.
- The requirements apply to all material outsourcing as well as third-party relationships. In addition to Cloud, third-party provision of payments or Artificial Intelligence (AI) technology could fall into scope, for example.
- Firms can expect significant scrutiny over the next 12 months to ensure they are on track to comply with the new requirements by March 2022. This timeline is likely to be particularly challenging for UK insurers.
- Early and collaborative regulatory engagement will be critical to developing a successful outsourcing and third-party risk management strategy.
As part of their digital transformation, financial services firms are increasingly leveraging external third-party providers. In this context, the Prudential Regulation Authority (PRA) finalised its policy approach to outsourcing and third-party risk management on Monday. The policy aims to facilitate innovation in a way that reduces operational risks. Firms should consider it in conjunction with the finalised approach to operational resilience, published at the same time.
The policy is immediately relevant for firms' Cloud migration programmes, which have been under the regulatory spotlight for some time. But, as we predicted in our Regulatory Outlook 2021, the PRA confirmed that firms must consider the materiality and risks of all their outsourcing and third-party relationships. Services from payments or Artificial Intelligence (AI) technology providers, for example, could fall into scope.
The final policy is broadly in line with the initial draft proposals, as feedback from stakeholders was generally supportive. There are however some targeted amendments and clarifications, which firms should note. This article explores the key ones.
Overview of key changes
Scope and definitions - The PRA dropped the demand that firms classify third-party arrangements provided in a prudential context as outsourcing to avoid generating an onerous reclassification task. But the substance doesn't change. As mentioned above, the PRA still expects firms to assess the materiality and risks of all third-party arrangements, whether they classify as outsourcing or not. For material and high-risk third-party relationships, controls should be as robust as those that apply to outsourcing arrangements, though not necessarily identical.
Pre-outsourcing phase - The PRA issued several clarifications. First, it is the risk of the outsourced service, not of the service provider, that should drive the materiality assessments. In our experience, this has been a source of debate within firms. Second, the term material outsourcing should include all arrangements that could affect a firm's safety and soundness, both in a resolution and in a going concern scenario. Third, in addition to the requirement to notify the regulator before entering into any material outsourcing arrangement, the PRA stressed that in some instances it might be appropriate for firms to notify the regulator before the final selection of the third-party provider, for example in the case of a significant migration programme. Finally, the PRA expects firms to notify it of material third-party arrangements in a similar manner and timeframe as they would for a material outsourcing arrangement.
Outsourcing agreements, access, audit, and information rights - The PRA recognises the challenges that some firms encounter in negotiating outsourcing agreements that meet its expectations. However, the PRA decided not to dilute its expectations in this area: key provisions - especially around audit and information rights, data security, and business continuity and exit plans - must be contractually effective. Instead, it asks that firms make the PRA aware if a third party in a material outsourcing or third-party arrangement is unable or unwilling to include the contractual terms necessary to ensure regulatory compliance.
The PRA did ease some of the expectations concerning on-site audits. Some on-site audits can create unmanageable risk for the third-party provider or its clients – for example, they could have a detrimental impact on service levels or on the confidentiality of data. In such cases, alternative ways to provide the same level of assurance can be agreed and notified to the PRA (e.g. testing specific controls in a report/certification). We expect firms to welcome this change, as well as the PRA's confirmation that they can rely on the service provider's penetration testing results. In a Cloud context, we previously highlighted reliance on CSPs' own assurance certifications as an area where firms would like further clarification. In recent years, our annual Third-Party Risk Management survey has also pointed to the growing prominence of risk-intelligent solutions (e.g. data feeds) as a key part of a firm's integrated assurance toolkit or playbook.
Sub-outsourcing and concentration risk - The PRA clarified that it does not expect firms to monitor fourth-parties’ arrangements directly in all circumstances. However, firms are responsible for ensuring that third-party providers appropriately manage any material sub-outsourcing. Firms should also consider the impact of large, complex sub-outsourcing chains on their operational resilience. When assessing chains, firms only need to consider sub-outsourcing that affects their evaluation of the materiality of the outsourcing arrangement. Sub-outsourced printing services, for example, are unlikely to affect materiality in most circumstances.
Firms should consider fourth-party/supply chain dependencies when assessing and managing concentration risk. For instance, they should understand whether multiple otherwise unconnected service providers depend on the same material sub-contractor to deliver their services. In light of COVID-19, the PRA also expects firms to consider geographic concentration risk. This risk arises when a firm has multiple arrangements in the same region or jurisdiction, even if they are with numerous independent third parties.
The PRA also announced its intent to consult on creating an online portal to capture firms’ outsourcing and third-party relationships, and develop a comprehensive industry-wide picture of concentration risk.
Business continuity and exit planning - The PRA clarified that firms need to develop an exit plan before an outsourcing arrangement takes effect. In several cases, however, the lack of interoperability between providers can make the transfer of Intellectual Property-based services challenging. For example, AI models built in the operating environment of one Cloud provider might not transfer easily to another.
The PRA also provided practical examples of how proportionality applies to intragroup outsourcing and third-country branches. For instance, in some cases, firms may rely on business continuity, contingency, and exit plans developed at the group level.
Finally, the PRA clarified that its data security expectations should not be interpreted as favouring or imposing data localisation requirements. The PRA added that firms should monitor data protection authorities' guidance in light of the Court of Justice of the European Union's Schrems II ruling. We set out our views on what the ruling means for financial services firms' Cloud plans earlier this year.
Conclusion & next steps
COVID-19 has created a unique operational and business environment, with an overnight shift to remote working and digital channels. Third-party technology providers have been – and will remain – central to this shift, with Cloud as the foundational infrastructure.
Against this background, the PRA has confirmed a one-year implementation period - aligned with the timelines for implementing the operational resilience framework. This means all new outsourcing arrangements entered into on or after 31 March 2021 must meet the PRA's expectations by 31 March 2022. Firms should review and update legacy arrangements to comply as soon as possible on or after this date.
Firms can expect significant scrutiny over the next 12 months to ensure they are on track to comply with the new requirements. Given that the PRA's approach is closely aligned to that of the European Banking Authority - in place since 2019 - the short implementation period should not be a significant challenge for banks. The same cannot be said for insurers. Because the equivalent European Insurance and Occupational Pensions Authority's guidelines only came into effect after the Brexit transition period, UK insurers have typically been able to defer enhancing their outsourcing and third-party risk governance and management frameworks - until now.
As we set out previously, early collaborative regulatory engagement will be one of the critical components for a successful outsourcing and third-party risk management strategy.