On 29 March 2021, the UK Prudential Regulation Authority (PRA) published its eagerly anticipated final policy and supervisory statements in relation to outsourcing, third party risk management and operational resilience. As many readers will recall, the final statements follow on from the PRA’s consultation held in 2019, more details of which can be found here. The policy and supervisory statements have been published in coordination with the Financial Conduct Authority and the Bank of England.
The PRA’s final statements will have brought welcome certainty to many – however, what exactly do the statements say? And what impact are they likely to have on the UK financial services sector moving forward?
Outsourcing and Third Party Risk Management
Policy Statement (PS7/21)
The PRA’s Policy Statement can be found here.
The Policy Statement provides detailed commentary to accompany the Supervisory Statement and gives context to the new regulatory framework. It is therefore set out in such a way as to mirror the Supervisory Statement. We recommend reading the Policy Statement in order to aid your understanding of the new rules and ensure you are fully prepared.
Supervisory Statement (SS2/21)
The PRA’s Supervisory Statement can be found here.
What is Outsourcing?
The PRA Rulebook defines ‘outsourcing’ as:
“an arrangement of any form between a customer and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the customer itself.”
In the final Supervisory Statement, however, the PRA makes clear that firms should assess the materiality and risks of all third-party agreements using all relevant criteria set out in Chapter 5 of the statement instead of simply applying the formal definition.
What does the Supervisory Statement include?
The Supervisory Statement covers the following areas: proportionality, governance and record-keeping, the pre-outsourcing phase, outsourcing agreements, data security, audit and information rights, sub-outsourcing, business continuity and exit plans.
The Supervisory Statement implements the EBA Guidelines on outsourcing arrangements (and, in some respects, expands on them), together with some elements of the EBA Guidelines on ICT and security risk management. However, it does not implement the EIOPA Guidelines on outsourcing to cloud service providers or on information and communication technology security and governance, nor the ESMA Guidelines on outsourcing to cloud service providers. There is some divergence between UK and EU law in this regard and, as such, firms whose operations fall within the scope of the Supervisory Statement should take care in applying its requirements.
When will the Supervisory Statement apply?
The requirements will be effective from 31 March 2022.
The PRA expects any outsourcing arrangements entered into on or after 31 March 2021 to be compliant by 31 March 2022, and all older outsourcing arrangements to be reviewed and updated accordingly at the “first appropriate contractual renewal or revision point” to meet the expectations as soon as possible on or after 31 March 2022.
The PRA expects firms to meet their obligations in a manner appropriate to their size, and the scope and complexity of their activities, in line with the principle of proportionality.
Operational Resilience: Impact Tolerances for Important Business Services
Policy Statement (PS6/21)
The PRA’s Policy Statement can be found here.
The PRA’s policy objective is “to improve the resilience to operational disruptions of both firms and the wider financial sector” by implementing a proportionate minimum standard of operational resilience. In the same vein as the Outsourcing and Third Party Risk Management Policy Statement, this statement provides context to the new regulatory framework and is therefore worth reading.
Supervisory Statement (SS1/21)
The PRA’s Supervisory Statement can be found here.
What is Operational Resilience?
The PRA defines operational resilience as:
“the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover from, and learn from operational disruptions” and is based on the assumption that “from time to time, disruptions will occur which will prevent firms from operating as usual and see them unable to provide their services for a period.”
What does the Supervisory Statement include?
The statement covers the following areas: important business services, impact tolerances, actions to remain within impact tolerance, mapping, scenario testing, governance, self-assessment, and groups.
When will the Supervisory Statement apply?
The Operational Resilience Supervisory Statement will be effective from 31 March 2022.
In terms of mapping and scenario testing, the PRA considers these to be ongoing processes and, as such, states that “firms are not expected to have performed mapping and scenario testing to the full extent of sophistication by 31 March 2022.”
With regard to impact tolerances, firms must have a plan drawn up by no later than 31 March 2025, with evidence of steps being taken to implement it by 31 March 2022.
Looking ahead
The changes made by the PRA modernise the regulatory framework and provide greater clarity and support to all financial services firms located in the UK, including banks, building societies, PRA-designated advice firms, insurers, re-insurers, groups in scope of the Solvency II directive, as well as all UK branches of overseas banks and insurers.
The new arrangements will create some divergence between UK and EU law. We therefore advise any business with operations in both the UK and the EU to ensure full compliance in each jurisdiction, where applicable.
The PRA is planning a follow-up consultation on the idea of developing an online portal for firms to detail their outsourcing and third party arrangements and intends to undertake further analysis on whether additional policy measures to manage the risks that critical third parties could pose to their objectives are appropriate.
How can we help?
MacRoberts’ Information Technology & Outsourcing specialists regularly advise on the regulatory aspects of outsourcings, so please do not hesitate to contact us to find out how we can assist your business.