Following the PRA's December 2019 consultation on operational resilience and outsourcing (CP30/19), on 29 March 2021:
- the PRA published a policy statement on outsourcing and third party risk management (PS7/21) (Outsourcing Statement); and
- the FCA, the PRA and the Bank of England (BoE) published policy statements and supervisory materials setting out their final rules and guidance on operational resilience (PS21/3) (the Operational Resilience Statement).
The Outsourcing Statement sets expectations on firms to maintain important business services when outsourcing or using third party providers. It reinforces the themes in the Operational Resilience Statement that firms should plan for, and minimise, disruption to services.
The Outsourcing Statement contains some important clarifications:
- Definitions and scope – Firms should assess the materiality and risks of all third party arrangements, irrespective of whether they fall within the definition of outsourcing.
- Proportionality – The PRA's position remains that intragroup arrangements should not be treated as inherently less risky than arrangements with third parties outside a firm's group, although it acknowledges they may be managed differently in practice.
- Governance and record-keeping – The PRA is planning an online portal on which all firms would need to submit information on their outsourcing and third party arrangements.
- Pre-outsourcing phase – "material outsourcing" will generally include any outsourced service within the scope of operational continuity in resolution (OCIR) requirements, but may also encompass outsourcing arrangements that are not within the scope of OCIR where they could impact a firm's safety and soundness as a going concern. In some circumstances, the PRA expects firms to notify it of a planned material arrangement before a final service provider has been selected.
- Outsourcing agreements – If a third party service provider is unable or unwilling to include terms within the contract which reflect the firm's obligations under the regime, that firm should notify the PRA. This is significant, as in many instances firms will be unable to negotiate desired terms with large vendors.
- Data security – The PRA has clarified that:
  - it did not intend to impose restrictive data localisation requirements, but expects firms to adopt a risk-based approach to the location of data;
  - it must have access to encrypted data, but does not need to access the encryption keys; and
  - third parties must share the results of security penetration testing they carry out or which are carried out on their behalf, but firms do not require a right to carry out penetration testing themselves.
- Access, audit and information rights – Where service providers are reluctant to permit firms to conduct an on-site audit of their facilities, the firm and service provider should agree alternative ways to provide an equivalent level of assurance while not removing the contractual rights for an on-site audit from the written agreement. For material outsourcing arrangements, the PRA would expect the firm to inform their supervisor if alternative means of assurance have been agreed.
- Sub-outsourcing – The requirement to flow down certain obligations (e.g. audit rights and obligations to comply with applicable law) to sub-outsourcing arrangements only applies to material sub-outsourcing. The PRA does not expect firms to monitor sub-contractors directly.
- Business continuity and exit plans – Firms should evaluate what would be involved in delivering an effective stressed exit and use this to formulate their exit plan. Additional guidance has been added concerning resilience options for cloud arrangements.
Firms will be expected to comply with the Outsourcing Statement by 31 March 2022. Outsourcing arrangements entered into on or after 31 March 2021 should comply by 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before 31 March 2021 at the first appropriate contractual renewal or revision point to comply as soon as possible on or after 31 March 2022.
One of the key objectives of the Outsourcing Statement is to implement the European Banking Authority (EBA) "Guidelines on outsourcing arrangements". The EBA outsourcing guidelines require firms to bring legacy outsourcing arrangements (other than cloud arrangements) into compliance with the guidelines by no later than 31 December 2021. Significantly, however, the PRA has now made clear that, "due to the disruption and reprioritisation caused by the COVID-19 pandemic and changes to the UK, EU and global regulatory landscape in this area", "it is no longer proportionate" for firms to be required to comply with this timeline, and that firms are not expected to inform the PRA if they have not met it.
The more generous timeline for compliance with the Operational Resilience and Outsourcing Statements appears to have superseded the timelines in the EBA outsourcing guidelines. This will be welcomed by many firms that are behind on their remediation projects, both because of the delay to the publication of the Outsourcing Statement and because they have been engaged in "firefighting" more urgent matters since the start of the pandemic. The EBA's deadline will still apply to firms regulated within the EU.
Operational Resilience Statement
The Operational Resilience Statement aims to ensure that firms and the sector can prevent, adapt and respond to, recover from and learn from operational disruptions. Firms will be required to implement an operational resilience framework to identify the "important business services" that, if disrupted, would:
- cause intolerable levels of harm to one or more of the firm's clients; or
- pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets.
Firms are required to set an "impact tolerance" for each of their important business services at the first point at which disruption would cause intolerable levels of harm to consumers or risk to market integrity, and take actions to ensure they remain within these impact tolerances.
Following consultation, the regulators have sought to clarify how the Operational Resilience Statement fits with the broader domestic and international regulatory landscape and other FCA policy initiatives, and set out how they will further support firms in implementing the rules.
In line with the timescales for the Outsourcing Statement, the new rules will come into effect on 31 March 2022. The authorities have set out a timetable for the implementation of the framework, which will consist of a one-year implementation period, ending on 31 March 2022, and a three-year transitional period, ending on 31 March 2025.