The Prudential Regulation Authority (PRA) has published its final Policy Statement (PS7/21) and Supervisory Statement (SS2/21) on mitigating third-party supplier risk to financial institutions operating in the UK. In this blog we look at what this means for those operating in the financial markets.
To meet the expectations of today’s digitally focused consumers, financial organisations are adopting new technologies faster than ever before. From rapidly scaling their processing capacity to providing always-on banking services, the motivations for this adoption are almost limitless. However, many firms lack the required in-house technical capability and therefore turn to external providers and software vendors for support.
In response to this growing dependence on third-party technology, the Prudential Regulation Authority (PRA) published PS7/21 and SS2/21, which set out its expectations for managing outsourcing and third-party risk at financial institutions operating in the UK.
The policy aims to improve the resilience of both individual firms and the wider financial sector to operational disruption, and contains the PRA’s feedback on responses to its Consultation Paper 30/19 of December 2019. It also consolidates the PRA’s existing requirements and expectations on outsourcing into one place, with the aim of facilitating resilient adoption of cloud and other new technologies.
Areas covered by the Supervisory Statement include:
● Governance and record-keeping
● Outsourcing agreements
● Data security
● Audit and information rights
● Business continuity
● Exit plans
So, what risks does the policy aim to mitigate?
For a long time, third-party risk has largely been considered from a technical or cyber-security perspective. These regulatory changes broaden that scope, reflecting the growing number of third-party services on which financial businesses depend.
According to the Bank of England, 40-90% of banks’ workloads globally could be hosted on public cloud or software-as-a-service platforms within a decade. It is therefore important to consider the impact on business continuity if one of those suppliers were to fail. This remains a firm focus for financial regulators in the UK, including the Bank of England, the Financial Conduct Authority (FCA) and the PRA, as well as for regulators around the world.
What do financial firms need to do?
SS2/21 is predominantly concerned with material outsourcing and third-party arrangements, in particular those (such as critical third-party applications) that support “important business services”: services whose disruption could threaten the PRA’s objectives, which centre on the safety and soundness of firms, or the stability of the UK financial system. In other words, the PRA considers not only the damage to a firm’s own reputation but also the wider impact on UK financial stability.
As a result, the regulator makes it clear that firms should assess the materiality and risk of all third-party arrangements using the relevant criteria set out in Chapter 5 of the statement. Although certain elements such as network controls, host infrastructure and physical security fall outside a firm’s direct control once a service is outsourced, the firm remains fully responsible for the outsourced function. SS2/21 therefore stipulates that firms are responsible for assessing, and taking reasonable steps to manage, concentration risk and vendor lock-in.
This means ensuring that service providers have processes in place to anticipate, withstand and respond to disruption. It also requires firms to identify their dependencies and set impact tolerances for their important business services, which in turn calls for far greater engagement with their vendors.
Where third-party arrangements that do not meet the definition of outsourcing are nonetheless identified as material or high risk, firms should apply “proportionate, risk based, suitable controls” that are as robust as those that would apply to an outsourcing agreement of equivalent materiality or risk. This puts service providers firmly under the microscope and makes them an integral part of meeting the requirements set out in SS2/21.
Once impact tolerances have been set, firms will need to put in place the measures required to remain within them in severe but plausible disruption scenarios. Every firm must have a pre-developed “stressed exit plan”, meaning measures to maintain business continuity should a supplier in its supply chain fail, for example through insolvency or a serious IT failure. These plans must also be tested to ensure that they work, and the results must be presented to the regulator.
Although the PRA does not mandate or favour any single resilience option in outsourcing contracts, all regulated entities are advised to ‘actively consider’ an Escrow Agreement when undertaking business continuity and exit planning.