Financial institutions should expect their outsourcing and third-party risk management practices to come under increased scrutiny as part of the growing regulatory focus on the operational resilience of the financial services sector. The series of coordinated consultation papers on operational resilience, published by the UK supervisory authorities in December 2019, provides the strongest indication yet that global regulators are moving in this direction.
Along with the consultation papers, the Prudential Regulation Authority (PRA) issued a proposal for modernizing the regulatory framework on outsourcing and third-party risk management to complement the operational resilience policy proposals it issued together with the Bank of England (BOE) and the Financial Conduct Authority (FCA).
The PRA’s proposed framework elaborates on the definition of outsourcing and potential arrangements that may fall within the definition. It also clarifies the principle of proportionality as it applies to outsourcing and third-party risk management, outlines the regulator’s expectations for the Senior Managers and Certification Regime (SM&CR) and for record-keeping of outsourcing arrangements, lays out expectations for institutions during the pre-outsourcing phase, and identifies key areas it expects written agreements for material outsourcing to address.
Additionally, the PRA provides its views on how firms can implement the Final Report on the Guidelines on Outsourcing of the European Banking Authority (EBA), the draft Consultation Paper on the Proposal for Guidelines on Outsourcing to Cloud Service Providers of the European Insurance and Occupational Pensions Authority (EIOPA) and the EBA’s Final Report on Guidelines on ICT (Information and Communication Technology) and Security Risk Management.
The regulator intends to publish a final policy in the second half of 2020.
Relevance and Key Implementation Considerations
The PRA proposal covers all outsourcing arrangements and is broader than previously issued guidance, which focused on cloud providers and associated relationships. It is relevant to all UK regulated financial institutions, including banks, building societies and PRA-designated investment firms, and insurers and insurance intermediaries, as well as credit and nondirective firms.
In accordance with the EBA Outsourcing Guidelines, the PRA advises financial institutions to continue to enter all outsourcing arrangements made after September 31, 2019, into a register, with the goal of finalizing the register by December 31, 2021. The register should include information related to all outsourcing arrangements, including a description of the services provided by each arrangement. A complete listing of fields required is available in the guidance, and institutions should ensure that their data models capture all the required data to be maintained and reported as required. All outsourcing arrangements entered prior to September 30, 2019, should be reviewed and amended to comply with the EBA Outsourcing Guidelines.
The proposal does not set out substantially different expectations than those defined within the EBA Outsourcing Guidelines but rather expands on specific expectations around data security; access, audit and information rights; sub-outsourcing; and business continuity and exit plans.
Below, we provide a summary of the significant proposals.
According to the PRA’s rulebook, outsourcing is defined as “an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself.”
While the PRA acknowledges that some outsourcing arrangements may fall outside this definition, the regulator expects firms to assume that all activities, functions and services performed or provided by third parties in a “prudential context” come under the definition of outsourcing and therefore are subject to the expectations in its proposal. Essentially, governance, risk management, and systems and controls should apply to all third-party arrangements, irrespective of whether they meet the definition of outsourcing.
Additionally, firms should identify and document “the necessary people, processes, technology, facilities and information required to deliver each of [the firm’s] important business services.” In their consultation papers on operational resilience, the UK regulators define a service as “important” if its disruption poses a risk to an institution’s safety and soundness or financial stability. The identification and documentation requirements are therefore critical in the context of building a third-party risk management program that can satisfy both the PRA’s operational resilience expectations and those associated with outsourcing and broader third-party management.
Contractual arrangements should have appropriate safeguards to protect the firm and support managing the relevant risks. They should not impede the PRA’s ability to supervise the firm or the outsourced activity, function or service effectively. While the PRA details 19 expectations for contractual arrangements, none of the specific expectations is significantly new or different from previously issued regulatory guidance on the topic, and all are consistent with global third-party risk management expectations.
Firms should develop and implement the PRA’s outsourcing and third-party risk management proposals in a manner that is appropriate for their size, scope and complexity of activities. This concept of proportionality focuses on a firm and its entire operations, rather than the materiality of outsourcing arrangements.
Intragroup outsourcing is subject to the same requirements and expectations as third-party outsourcing arrangements; however, firms can adjust the requirements based on the level of control and influence over intragroup arrangements. Firms should consider the level of due diligence, degree of negotiation power and contractual considerations between intragroup entities within the context of outsourcing arrangements.
Governance and Record-Keeping
Firms that outsource must comply with all applicable regulatory requirements and manage the associated risks in a manner consistent with the board’s risk appetite and tolerance levels. Under the PRA’s proposals, the board bears the responsibility for the effective management of all risks, including appropriately identifying the firm’s reliance on critical service providers and ensuring that appropriate risk management strategies are in place for outsourced service providers.
The PRA proposes that firms allocate the responsibilities for the overall framework, policy, systems and controls related to outsourcing to a person designated as having prescribed responsibility. Management information should provide clear, robust, timely and targeted technical detail to facilitate effective oversight and challenge.
Boards should approve, implement and regularly review a written outsourcing policy. The outsourcing policy, along with supporting policies focused on ICT, information security and operational resilience, should be made available to relevant service providers to make them aware of the firm’s expectations on these topics. There is no one-size-fits-all approach to the content of an outsourcing policy, but generally it should include:
- Responsibilities of key parties, including the board
- Involvement of business lines, internal control functions and other subject-matter experts throughout the life cycle
- Links to other relevant policies
- Documentation and record-keeping requirements
- Procedures for conflicts of interest
- Business continuity planning
The PRA expects firms to determine the materiality of every outsourcing arrangement, perform appropriate risk-based due diligence on all potential service providers and assess the risks of every outsourcing arrangement irrespective of materiality. In the PRA Rulebook, the regulator defines materiality as “services of such importance that weakness, or failure, of the services would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions or compliance with the Fundamental Rules.” This is an important distinction, as the PRA purposely used this wording to distinguish “material outsourcing” from the more common terms “critical” and “important” used in the context of operational resilience. Materiality must be considered at the individual firm level, although firms should also consider information and findings from groupwide assessments.
Appropriate risk-based assessment activity should take place prior to execution of a contract and continue during the life of an arrangement at appropriate risk-based intervals. Firms are expected to notify the PRA when entering or significantly changing a material outsourcing arrangement.
Last, firms should consider the overall concentration risk as it relates to their reliance on third parties, and specific risks related to multiple arrangements with one provider, particularly where that one provider may be difficult to exit or substitute.
The PRA expects firms to classify relevant data based on their confidentiality and sensitivity, identify potential risks relating to outsourcing data and their impact, and agree on an appropriate level of data availability, confidentiality and integrity. Firms should consider risks related to inappropriate access, insider threats, loss of data, unavailability of data and the unauthorized modification of data.
Data classifications and the data that is expected to be shared should be considered in the context of the controls required around the protection of data, and the associated business continuity and exit strategies. Additionally, risk-based approaches should be considered for data location, data at rest, data in use and data in transit. Firms should also be mindful of data protection requirements, including the GDPR, as well as the resiliency advantages of having data stored in multiple locations.
Access, Audit and Information Rights
The PRA expects firms to exercise their access, audit and information rights when they enter material outsourcing arrangements so they can properly assess whether the service provider is offering the relevant service.
Firms should use a range of audit and other information-gathering methods, including offsite and onsite audits. Both offsite and onsite audits should be conducted by personnel with appropriate knowledge of the risks present within the arrangement and at the appropriate management level to produce outcome-based assessments.
Certifications and reports produced by third parties should be assessed to ensure adequacy of the scope, content and process of the assessment. Additionally, firms should review the expertise and qualifications of those conducting the assessment to confirm that reliance can be placed on the assessment.
Sub-outsourcing is a practice in which the service provider, under an outsourcing arrangement, further transfers an outsourced function to another service provider. Firms should maintain a listing of material sub-outsourcing arrangements and retain appropriate contractual rights over sub-outsourcing, including the ability to approve or terminate arrangements based on the performance of sub-outsourced activities. Additionally, any sub-outsourced arrangement should carry all the same provisions as the contract with the primary service provider, including appropriate audit rights and access to information. Firms should contractually retain control over which activities may or may not be sub-outsourced and maintain the right to agree to or refuse new or changed sub-outsourcing arrangements for the duration of an arrangement.
Business Continuity and Exit Plans
As part of an outsourcing arrangement, the PRA expects firms to develop, maintain and test business continuity plans, as well as have a documented exit strategy, which would identify both stressed and nonstressed scenarios. Business continuity plans should articulate the firm’s ability to anticipate, withstand, respond to and recover from severe but plausible operational disruptions. This should include details on how the firm will mitigate risks in the event of a severe disruption that cannot be managed through the business continuity plan of the service provider. Exit scenarios may include:
- Bringing the data, function or service back in house
- Transferring the data, function or service to another service provider
- Any other viable methods, including exiting a product line or service
Exit plans should consider all available tools needed to facilitate an exit, including potential new or backup service providers, technology solutions to facilitate switching and portability of data and applications, and industry codes and standards.
Business continuity and exit plans should be developed prior to the execution of an outsourcing contract. When developing these documents, it is important that firms define the roles and responsibilities of both parties in stressed and nonstressed scenarios. Testing should be performed periodically for material arrangements, and updates should be made as changes to the arrangement occur and as the firm changes its operations.
Protiviti’s financial services industry subject-matter experts continue to produce additional papers on the topic of operational resilience, including the implications of recent regulatory developments. Protiviti has developed a framework with which institutions can approach and evaluate operational resilience. To learn more about this framework, visit https://www.protiviti.com/US-en/operational-resilience.