Written by Harrison Folland and Chris Walker
On 29 March, the PRA published Policy Statement PS7/21 following on from its Consultation Paper 30/19 on outsourcing and third party risk management. PS7/21 also contains PRA Supervisory Statement SS2/21 on outsourcing and third party risk management.
The Policy Statement and Supervisory Statement will be relevant to banks, building societies, PRA designated investment firms, insurance and reinsurance firms and groups in scope of Solvency II, and branches of overseas banks and insurers.
The changes detailed within the Policy Statement cover, non-exhaustively, areas such as:
- Definitions and scope;
- Governance and record-keeping;
- The pre-outsourcing phase;
- Data security;
- Access, audit, and information rights; and
In terms of outsourcing agreements, the PRA has noted that it "recognises that a firm may need to secure specific contractual arrangements with its third party service providers in order to meet its regulatory obligations".
As such, "an expectation has been added [...] that if a third party service provider in a material outsourcing (or other third party) arrangement is unable or unwilling to include certain terms within the contract which reflect the firm’s obligations under the regime, that firm should make the PRA aware of this issue."
The PRA has also included:
- additional guidance in respect of the conduct of on-site audits;
- revised guidance on data security to align with the European Banking Authority's ICT guidelines;
- clarification that services within the scope of operational continuity in resolution (OCIR) requirements will generally constitute a "material outsourcing" - and that the term "material outsourcing" may also encompass "outsourcing arrangements that are not within the scope of OCIR requirements but could impact a firm’s safety and soundness in a going concern scenario. For instance, arrangements involving confidential, personal or sensitive data or with potential high reputational risk";
- examples relating to proportionality, intragroup arrangements and third-country branches; and
- amendments to the definition of "outsourcing", including "removing the expectation that arrangements performed or provided in a prudential context fall within the definition of outsourcing".
The PRA expects firms to comply with SS2/21 by 31 March 2022, in alignment with the expectations set out for operational resilience within Policy Statement PS6/21.
Outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations within SS2/21 by 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before 31 March 2021 at the first appropriate contractual renewal or revision point to meet the expectations in SS2/21 as soon as possible on or after 31 March 2022.
The PRA intends to hold a subsequent consultation establishing proposals for an online portal for firms to submit information on their outsourcing and third party arrangements.
More widely, firms should be aware that, in parallel to the PRA's publication, the FCA has published PS21/3, "Building operational resilience", with those rules and guidance also due to come into force on 31 March 2022.
Firms also appreciated that the proposals complemented the PRA’s policy proposals on operational resilience, given the many synergies between the two areas. Respondents noted that the proposed operational resilience framework provided a helpful lens for firms to assess how they should monitor their outsourcing and third party arrangements and establish end-to-end resilience for their important business services.