The PRA’s supervisory statement on outsourcing arrangements and managing third party risk requires insurers to take action now, to ensure that outsourcing agreements which are currently being negotiated comply with the new guidelines.
On 31 March 2021 the PRA released a new supervisory statement relating to outsourcing arrangements and managing third party risk (“SS2/21”). The PRA has also published a policy statement on outsourcing and third party risk management, which summarises the feedback it received to its original proposals and explains the rationale for SS2/21. SS2/21 applies to various types of firms, including all UK Solvency II insurers and UK branches of overseas insurers. The PRA requires insurers to be compliant with SS2/21 in relation to outsourcing agreements entered into on or after 31 March 2021 by the time the new requirements come into force on 31 March 2022. In practice this means insurers should start complying now, to avoid having to renegotiate, before 31 March 2022, deals which have only just been finalised.
The supervisory statement sets out requirements for what needs to be included in a material outsourcing agreement in more granular detail than those already prescribed for insurers (primarily under Solvency II and SYSC 13.9). The contractual requirements mostly originate in the European Banking Association ‘Guidelines on outsourcing arrangements’, which the FCA separately requires UK banks, building societies and certain investment firms to comply with. However, the PRA has also made it clear that it followed its own approach where it thought it beneficial.
SS2/21 focuses in particular on data security, audit, sub-outsourcing and business continuity/exit plans, as well as including a list of provisions the PRA now requires a material outsourcing contract to include. The supervisory statement also sets out requirements for pre-contractual due diligence and internal governance relating to material outsourcings, and obliges insurers to implement proportionate and risk-based controls for non-outsourcing third party arrangements that are material or high-risk (such arrangements may include the purchasing of hardware or software).
The PRA requires material outsourcing agreements entered into on or after 31 March 2021 to be compliant with the new, more detailed guidance by 31 March 2022. Any “legacy” agreements entered into prior to 31 March 2021 need to be updated at the first appropriate contractual renewal or revision point, to meet expectations “as soon as possible” after 31 March 2022.
This is a relatively lenient timeline in relation to legacy agreements, but means insurers should promptly familiarise themselves with SS2/21 so that they can align the material outsourcing agreements they are currently negotiating with the new requirements. Insurers should also begin to arrange a review process for their legacy agreements, in order to identify the changes required and consider when the most appropriate point would be to update the contracts. Outsourcing policies and procedures will also need to be reviewed and updated.
In the context of its ongoing focus on building operational resilience within the sector, we expect the PRA to engage with insurers in the year ahead in relation to their plans for embedding these tighter controls around outsourcing. Those firms that fail to meet the PRA’s expectations may face supervisory intervention (e.g. through S.166 Skilled Person reviews or requirement notices) or, in the more serious cases, regulatory enforcement action. Senior Managers with responsibility for such arrangements under the Senior Managers Regime should also ensure they are able to explain the reasonable steps they took to ensure compliance with these new requirements.