Outsourcing and third-party risk management – the interaction of the PRA’s new supervisory statement with the EBA Guidelines

0
172

The PRA’s supervisory statement

The Prudential Regulation Authority (PRA) has published a supervisory statement (SS) on outsourcing and third-party risk management. The SS complements and strengthens the PRA’s requirements and expectations regarding operational resilience.

The SS also aims to implement the European Banking Authority Guidelines (EBA Guidelines) on outsourcing arrangements that came into force on 30 September 2019, with a view to all existing arrangements becoming compliant with the EBA Guidelines by 31 December 2021. The PRA’s SS offers clarification on how it expects banks to approach the EBA Guidelines.

Due to come into effect on Thursday 31 March 2022, the SS is relevant to all UK banks, building societies, PRA-designated investment firms, insurers and UK branches of overseas banks and insurers. Accordingly, it aims to promote consistency among banks and insurers.

Defining outsourcing

The PRA Rulebook defines ‘outsourcing’ as “an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself”. The PRA emphasises that firms should apply adequate governance and controls to all third-party arrangements, irrespective of whether they fall under the definition of outsourcing. Firms should pay particular attention to those arrangements that can impact their statutory objectives, such as those that support the provision of important business services or carry a high level of risk.

Requirements

The SS sets out how PRA-regulated firms should comply with requirements and expectations:

  • On governance, including under the Senior Managers and Certification Regime and record keeping.
  • On how the principle of proportionality applies, in particular to intragroup outsourcing and to ‘non-significant firms’, where ‘significant’ firms are those with a supervisory contact who has indicated they are impact category 1 or 2 (paragraph 3.9 of the SS).
  • During the pre-outsourcing phase.
  • Prior to the outsourcing agreement being signed, firms are expected to:
  1. Determine the materiality of their outsourcing and third-party arrangements, including notification to the PRA where required
  2. Perform due diligence on all potential service providers
  3. Perform risk assessments irrespective of materiality
  • On materiality. This should be assessed during scheduled review periods after an agreement is signed, as well as where a firm plans to scale up its use of the service provider or if a significant organisational change takes place at the service provider that could materially change the nature, scale and complexity of the risks at play in the outsourcing arrangement.
  • Regarding written agreements relating to material outsourcing, which are expected to address the following four areas as a minimum:
  1. Data security (chapter 7 of the SS)
  2. Access, audit and information rights (chapter 8 of the SS)
  3. Sub-outsourcing (chapter 9 of the SS)
  4. Business continuity and exit strategies (chapter 10 of the SS)

Interplay of the PRA’s statement with the EBA Guidelines

The EBA Guidelines require a written contract for all outsourcings. The PRA expands on what should be included within such an agreement. Before entering into such an agreement, the EBA Guidelines require firms to carry out a documented assessment and ongoing monitoring of both operational risks (including legal, ICT, compliance and reputational) and whether the outsourcing concerns a critical or important function. In the PRA’s SS, this is manifested as risk assessment and determining ‘materiality’, as explained in chapter 5.

Once an outsourcing arrangement has been implemented, the PRA expects firms to test their business continuity and exit plans using a risk-based approach and update them with lessons learned from these tests, including any new risks identified and altered recovery objectives and priorities. This is consistent with the EBA Guidelines.

The EBA Guidelines also expect banks to maintain an up-to-date Outsourcing Register from Friday 31 December 2021. This is consistent with the PRA’s expectation that firms keep appropriate records of their outsourcing arrangements.

Next steps

Firms should ensure that any outsourcing arrangements entered into on or after Wednesday 31 March 2021 meet the expectations in the PRA’s SS. Firms should also review and update legacy outsourcing agreements at the first appropriate contractual renewal or revision point.

View Source