At the end of 2019, the UK Prudential Regulation Authority (PRA) released its consultation paper setting out its proposals on a regulatory framework to modernise outsourcing and third-party risk management. The original deadline for responding to the proposals was 3 April 2020, but this has now been extended to 1 October 2020; the extension was announced as part of the Bank of England’s and the PRA’s measures to respond to the economic shock caused by COVID-19.
In response to the growing dependency on third-party technology solutions (e.g. cloud outsourcing), the PRA wants to highlight the new risks associated with such an increasingly complex and constantly evolving area. As firms find themselves increasingly dependent on such services, any major disruption or outage could result in adverse consequences for financial stability. The consultation seeks to modernise the PRA’s expectations and sets out how firms should comply with existing requirements on such risks.
Some of the key points include:
- Scope: the consultation is relevant to banks, building societies, PRA-designated investment firms, and insurers (including all their third-country branches) (together, firms).
- Common theme of proportionality in the PRA’s expectations: firms acting in a manner appropriate to their size and internal organisation, and the nature, scope and complexity of their activities. Especially for intra-group outsourcing, depending on their level of ‘control and influence’ over the group company providing the outsourced service, firms may adopt measures such as adjusting their vendor due diligence and adapting certain clauses in their written outsourcing agreements.
- Governance and record-keeping: board engagement on outsourcing (board and senior management outsourcing is prohibited, and boards bear responsibility for the effective management of all risks to which the firm is exposed); outsourcing and the Senior Managers and Certification Regime (allocating a prescribed responsibility for a firm’s regulatory obligations in relation to outsourcing to a senior management function); and, in line with the European Banking Authority (EBA) Outsourcing Guidelines (2019), the need for written outsourcing policies and for banks to maintain an up-to-date register of information on all outsourcing arrangements entered into after 30 September 2019.
- Pre-outsourcing phase (due diligence, materiality and risk assessments): ‘material outsourcing’ is defined in the PRA Rulebook and firms should develop their own processes for assessing materiality as part of their outsourcing policy. The consultation also listed general criteria for determining when an outsourcing arrangement is automatically material outsourcing, such as when a defect or failure in its performance could materially impair the financial stability of the UK or the firm’s ability to meet the threshold conditions.
- Minimum areas to address in written agreements: clear description of outsourced function, start date, next renewal date, end date and termination notice periods, court jurisdiction and governing law, the parties’ financial obligations, and other vital clauses (set out in paragraph 6.5 (Appendix) of the consultation).
The consultation provides a comprehensive outlook on the obligations of firms and references the EBA Outsourcing Guidelines closely in many areas. The proposals set out in the consultation are now open to responses until 1 October 2020. Please get in touch if you would like help putting together a response to the consultation. We also have our own thoughts on areas of improvement based on our learnings from other markets.