The UK’s Prudential Regulation Authority (PRA) has issued a policy statement (PS7 / 21) and a surveillance declaration (SS2 / 21) on clarifying and modernizing regulatory expectations for outsourcing and third-party risk management on March 29. The expectations of PS7 / 21 and SS2 / 21 apply to banks, investment firms designated by PRA, insurers and overseas branches. banks and insurers and apply not only to “outsourcing” but also to provisions for non-outsourced equipment or high-risk services. Expectations apply at the legal entity level rather than at the group level (with the exception of expectations regarding intragroup agreements).
The PRA’s expectations for third-party risk management should be read in conjunction with the proposed operational resilience framework.
In line with the timeline of PRA operational resilience requirements and expectations, outsourcing agreements entered into as of March 31, 2021 are expected to meet SS2 / 21 expectations by March 31, 2022. Companies should seek to review and update traditional outsourcing. agreements concluded before March 31, 2021, at the first appropriate contractual renewal or revision point.
Fortunately, the PRA says that due to the disruption and reshuffling caused by the COVID-19 pandemic and changes in the regulatory landscape in the UK, EU and the world, it now considers only ” it is proportionate for companies to do their utmost to comply with the indicative timeline and review process of their old critical or material outsourcing agreements by December 31, 2021, as shown in the lines European Banking Authority (EBA) guidelines on outsourcing agreements.
The PRA states in PS7 / 21 that it has received general support for the proposals in its December 2019 consultation paper (CP30 / 19) and the responses have focused on specific areas for which the PRA has made revisions. targeted to its final policy:
- Definitions and scope: SS2 / 21 does not include the presumption in CP30 / 19 that arrangements executed or provided in a “prudential context” as defined in the PRA Rulebook will fall under the definition of “outsourcing”. Instead, companies should assess the importance and risks of all agreements with third parties. Companies should implement risk-based controls for agreements with non-subcontracted third parties considered to be of significant or high risk, although these controls are not necessarily the same as those that apply to non-subcontracted agreements. outsourcing. SS2 / 21 specifies examples of non-outsourced third-party agreements to include the design and construction of an on-premises computing platform, the purchase of data gathered by a third party, and the purchase of “ready-to-use” machine learning models. to work “. In the case of insurers, the use of aggregators (e.g. price comparison platforms) and delegated underwriting will be considered non-outsourcing. The PRA states that whether an agreement is a one-time service (eg, software licenses) or recurring (eg, SaaS) will be a factor in determining whether an agreement constitutes an outsourcing. Cloud deals should not automatically be considered outsourcing, although the primary purpose of PRA is to determine whether the deal is significant or high risk, even if it is not. an “outsourcing” according to the PRA Rulebook. Finally, SS2 / 21 retains the definition of “material” from the PRA Rulebook, but specifies that materiality should be interpreted as incorporating the concept of “critical or significant operational function” in the relevant European legislation retained, such as Solvency II.
- Proportionality: SS2 / 21 includes additional examples from CP30 / 19 of how a company can proportionally comply with expectations of intra-group outsourcing agreements, for example by relying on a centralized group process to oversee third-party service providers external and relying on adequate business continuity, and exit plans developed at group level. ‘Proportionality’, which focuses on the characteristics of a business such as its size, internal organization, complexity of activities and systemic importance, is distinct but complementary to the assessment of the ‘materiality’ of the business. potential impact of a given subcontractor or third party. agreement on the safety and soundness of a company.
- Governance and record keeping: PRA announced a follow-up consultation on proposals for an online portal through which companies would submit information about their outsourcing and third-party agreements to identify, monitor and manage systemic concentration risk. In the meantime, companies should keep proper records of their outsourcing arrangements, which for banks includes a record of outsourcing arrangements in line with EBA guidelines. Notable expectations that remain from CP30 / 19 include board commitment to outsourcing, compliance with threshold conditions to prevent companies from becoming ’empty shells’, enforcement of Senior management and certification regime outsourcing, and some content of a company’s outsourcing policy.
- Pre-outsourcing: SS2 / 21 specifies that the outsourcing of a service as part of the operational continuity of the resolution requirements will generally constitute a “material outsourcing”, as well as arrangements involving confidential, personal or sensitive data or presenting a high potential risk for reputation. SS2 / 21 states that in certain circumstances it may be appropriate for companies to notify the PRA of a planned material arrangement before an end service provider has been selected.
- Outsourcing Agreements: CP30 / 19 specified various provisions that the PRA expects companies to include in outsourcing agreements, implementing EBA’s outsourcing guidelines. SS2 / 21 includes an additional expectation for a company to notify the ARP if a third party service provider under a major outsourcing or other third party agreement is unable or unwilling to include certain conditions in the contract that reflect the company’s obligations under the plan. SS2 / 21 also specifies contractual termination rights that companies can choose to include in their contracts, such as for material violations of the law, situations that create risks beyond their tolerance, or situations that are not. properly notified and corrected in a timely manner.
- Data security: SS2 / 21 has been revised from CP30 / 19 to take into account subsequent EBA ICT guidelines and respondent comments, including regarding security checks, data location and data classification . The PRA clarified that SS2 / 21 should not be interpreted as favoring or imposing explicitly or implicitly restrictive data localization requirements, although companies should take a risk-based approach to data localization.
- Access, audit and information rights: SS2 / 21 includes additional guidance to CP30 / 19 that when an on-site audit could create an unmanageable risk for the supplier and / or other clients, the firm and the service provider must agree on other means to provide an equivalent level of assurance without removing the contractual rights for an on-site audit. For material subcontracting, the company must inform the PRA of these alternatives.
- Subcontracting: SS2 / 21 expectations have been clarified from CP30 / 19 to only apply to “material” subcontracts. The primary responsibility of a business is to ensure that third party service providers appropriately handle any significant outsourcing, and the PRA will not expect businesses to directly monitor third parties under all circumstances. With respect to contractual provisions, SS2 / 21 mirrors the provisions contained in CP30 / 19 and includes additional examples of triggers for the right to terminate with respect to significant subcontracts.
- Business continuity and exit plans: SS2 / 21 states that before a contractual agreement becomes effective, companies should assess what would be involved in achieving an effective stressed out exit and use that in formulating their exit plan. For cloud arrangements, the PRA clarifies that there is no hierarchy or unique combination of cloud resiliency options.
Interaction with the EBA, EIOPA and ESMA guidelines
The PRA states that SS2 / 21 should be the primary source of reference for UK businesses when interpreting and complying with PRA requirements for outsourcing and third party risk management. SS2 / 21 implements the EBA Guidelines on Outsourcing Agreements and parts of the EBA Guidelines on ICT and Security Risk Management.
SS2 / 21 does not implement the European Insurance and Occupational Pensions Authority (EIOPA) directives on outsourcing to cloud service providers and the directives on information technology security and governance. communication (which we note the UK Financial Conduct Authority confirmed it would not apply), or the European Securities and Markets Association (ESMA) guidelines on outsourcing to cloud service providers, which each came into effect after December 31, 2020 (i.e. the end of the Brexit implementation period). The EIOPA and ESMA guidelines will continue to apply to the European operations of UK companies and to activities undertaken in the EU by companies also present in the UK. However, the PRA considers the expectations of SS2 / 21 to be at least equivalent to these guidelines in terms of efficacy and substance and provides additional guidance on key topics covered in these guidelines, such as data security, business continuity and the application of intra-group proportionality of outsourcing and outsourcing agreements for branches in third countries.