What is happening and why?
On 5 December 2019, the Prudential Regulation Authority (PRA) published a consultation paper (CP) on outsourcing and third party risk management (CP30/19).
The CP has been triggered by firms increasingly relying on outsourced third party technology, in particular cloud outsourcing, to facilitate entry to new markets, lower operational costs and enhance innovation. (It is important to note, however, that the CP applies beyond just cloud services.) Such evolving practices raise questions about how to manage the risks of these complex technologies, including how to protect confidential and sensitive data whilst ensuring it remains accessible to firms and regulators.
The PRA is seeking to address, among other things, a concern that an overreliance by firms on a small number of dominant outsourced service providers, who are difficult to substitute, could result in a systemic concentration risk. A major disruption at one of these service providers could create a single point of failure with severe financial consequences.
What is the purpose of the CP?
The purpose of the CP is to ‘modernise’ the PRA’s expectations; the appendix contains a draft supervisory statement (DSS) detailing how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and risk management. Through its proposals, the PRA intends to:
- complement the policy proposals set out in its consultation paper on operational resilience (CP29/19);
- facilitate greater resilience and adoption of cloud and other new technologies;
- implement the European Banking Authority (EBA) guidelines on outsourcing arrangements (see here for our recent blog on the impact of these guidelines on financial services firms); and
- take into account the draft European Insurance and Occupational Pensions Authority (EIOPA) guidelines on outsourcing to cloud service providers and the EBA guidelines on ICT and security risk management.
If adopted, it is hoped the CP and DSS will strengthen and modernise the framework for all forms of outsourcing and third party risk management, facilitating smoother oversight of outsourced and third party service providers by firms and the PRA. This, in turn, is intended to encourage greater resilience and adoption of the cloud and other new technologies.
Who does it apply to?
The CP applies to banks, building societies, PRA-designated investment firms, insurance and reinsurance firms and groups within the scope of Directive 2009/138/EC (Solvency II), including the Society of Lloyd's and managing agents, in addition to branches of overseas banks and insurers, collectively ‘firms’. This is a broader group of firms than the EBA guidelines cover, so it will potentially affect a wider base of outsourced service providers’ customers.
What are the key developments for firms to be aware of?
The proposals cover a number of areas, from governance and record keeping to the approach to audits and sub-outsourcing, all of which are likely to affect the contractual requirements customers demand from their outsourced service providers. The DSS specifies that all outsourcing arrangements would need to be set out in a written agreement. Importantly, a number of minimum requirements are proposed for ‘material outsourcing’ contracts. Some particularly relevant developments are outlined below:
- Definition of Outsourcing: a broader definition of outsourcing is proposed than the current version in the PRA Rulebook. Firms would be expected to start from the assumption that all activities, functions and services performed or provided by third parties ‘in a prudential context’, as defined in the PRA Rulebook, will come under the definition of outsourcing.
- Materiality Assessment: as part of the pre-outsourcing phase, and then throughout any arrangement, firms must also self-assess the materiality of their outsourcing. The DSS prescribes certain criteria which should be taken into account, such as the impact on the firm’s financial stability or the impact a failure in the outsourcing arrangement would have on the firm’s regulatory compliance. As a reminder, ‘material outsourcing’ is defined as the outsourcing of ‘services of such importance that weakness, or failure, of the services would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions or compliance with the Fundamental Rules’.
- Confidentiality of data: as part of the proposal on how firms should ensure data is adequately protected, written agreements for material outsourcing should set out provisions regarding the accessibility, availability, integrity, privacy, safety and now also confidentiality of relevant data. The expectation is that firms will identify and classify data based on its confidentiality and sensitivity and agree an appropriate level of confidentiality, availability and integrity.
- Data security: where the transfer of data takes place in a material outsourcing agreement, firms should adopt the ‘shared responsibility model’ to define, document and understand both parties’ respective responsibilities regarding that data. This could provide a basis for outsourced service providers pushing back on customers who seek to transfer all risk and responsibility to the service provider. To the extent relevant, written agreements should contain:
  - appropriate and proportionate information-security-related objectives and measures, including requirements such as minimum cybersecurity requirements, specifications of firms’ data life cycle, and any requirements regarding data security, network security and security monitoring processes; and
  - operational and security incident handling procedures, including escalation and reporting.
- Business Continuity: the PRA proposes that firms ensure they and their service providers have plans to anticipate, withstand and respond to severe but plausible disruption. Written agreements should contain requirements for both parties to implement and test business contingency plans; specifically, there should be a dual commitment to support the testing of such plans. Where an outsourced service provider’s standard BCDR (business continuity and disaster recovery) procedure does not contemplate joint implementation and testing, the provider may need to revisit its standard offering and the cost and practical implications of all customers requiring joint testing rights.
  In reviewing data recovery capabilities, firms should pay particular attention to the risk of deliberately destructive cyber-attacks, since these can corrupt or erase primary and backup data alike. For cloud outsourcing arrangements, firms should consider appropriate resiliency options; in this regard the DSS suggests the use of multiple availability zones, regions or service providers.
- Sub-outsourcing: written agreements for material outsourcing should specify whether sub-outsourcing is permitted and, if so, under what conditions. Where a material outsourcing arrangement is likely to involve sub-outsourcing, the PRA has recommended tighter controls on a service provider’s ability to sub-contract services. Firms may soon require service providers to notify them ahead of planned material changes to sub-outsourcing, and service providers may need to seek written authorisation for changes where appropriate. Firms may also be required to have termination rights where the sub-outsourcing materially increases the risks for the firm.
The consultation is open for firms to respond to until 3 April 2020. The PRA intends to publish its final policy on the proposals in the second half of 2020, with implementation of the proposals shortly thereafter.
As a result of this CP, financial services customers are likely to review their outsourcing arrangements, particularly where there is a predominant focus on the transfer of data and where there is a cloud component to their IT arrangements. Addenda may be required to ensure existing agreements are adequately modified. Subject to the content of the final policy, outsourced service providers should be prepared for firms to push for more stringent data security policies and business contingency plans to be included in any arrangement going forward.
But it is not all bad news for outsourced service providers. The CP does contemplate some potential benefits in the areas of audit where “third party certification” reports (like SOC reports) and pooled audits (where groups of firms appoint one auditor to audit a service provider once, but for the benefit of the group of firms) may reduce the invasiveness of audits on service providers.
The DSS has also reiterated that while firms can outsource certain functions, they cannot outsource their responsibilities and so remain fully accountable for their own regulatory compliance. As firms are best placed to account for their own risk tolerance and approach to compliance, it may be helpful for outsourced service providers to remind their customers of these points during the often heated “compliance with laws” negotiations.