FMI outsourcing and third party risk management Policy Statement

Policy Statement
Published on 08 February 2023

1: Introduction

1.1 This Bank of England (the Bank) Policy Statement (PS) provides feedback on the responses to the three Consultation Papers (CPs) covering outsourcing and third party risk management for Financial Market Infrastructures (FMIs): Central Counterparties (CCPs), Central Securities Depositories (CSDs), and Recognised Payment System Operators (RPSOs) and Specified Service Providers (SSPs).

1.2 The Bank’s final Supervisory Statements (SS) for outsourcing and third party risk management for each of these types of FMI, and a final outsourcing and third party risk management part to the Code of Practice for RPSOs and SSPs (CoP), are available in the Annex.

1.3 We consider it most expedient to address the feedback from the three consultations in a single PS. This is primarily due to the similarities between the proposed policy documents attached to those CPs. This similarity means that much of the feedback received on a particular CP is also applicable to the policies proposed for other FMIs, and also that many of the responses to the consultation were not directed at a particular FMI type.

Background to policy

1.4 In the three aforementioned CPs, the Bank proposed to update its expectations and requirements regarding outsourcing and third party risk management, in response to FMIs’ evolving business models and industry practices that place increasing reliance on services and technologies provided by third parties.

1.5 The final SS and CoP in the Annex set out how the Bank expects FMIs to comply with the range of requirements and expectations on outsourcing and third party risk management, throughout the lifecycle of such arrangements. In turn, the expectations and requirements are intended to align with and complement the regulatory framework on operational resilience for FMIs published in March 2021 and the supervisory expectations in relation to material outsourcing to the public cloud set out in the Bank’s letters to FMIs in September 2021.

1.6 Supervisory authorities around the world are also updating their rules, expectations, guidance and supervisory practices on outsourcing and third party risk management. In developing this policy, the Bank took account of:

  • Financial Stability Board (FSB), ‘Effective Practices for Cyber Incident Response and Recovery’ (FSB Effective Practices) and discussion paper on ‘Regulatory and Supervisory Issues Relating to Outsourcing and Third Party Relationships’;
  • G-7 ‘Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector’ (G-7 Third Party Elements);
  • International Organisation of Securities Commissions’ (IOSCO) ‘Principles on Outsourcing’.

Overview of policy statement

1.7 The Bank has considered the representations made following its consultation and is publishing responses to those representations.

1.8 The chapters in this PS have been structured similarly to the chapters of the linked supervisory statements. The responses have been grouped as follows:

  • general comments;
  • definitions and scope;
  • proportionality;
  • governance and record-keeping;
  • pre-outsourcing phase;
  • outsourcing agreements;
  • data security;
  • access, audit, and information rights;
  • sub-outsourcing;
  • business continuity and exit plans; and
  • feedback on the Code of Practice for RPSOs and SSPs.

Summary of responses

1.9 The Bank received 15 responses across the three CPs. Responses were from a range of stakeholders, including FMIs and/or their parent companies, trade associations, third party service providers and FMI participants (eg clearing members). Respondents were generally supportive of the proposals, and welcomed the Bank’s efforts to clarify regulatory expectations and requirements and bolster the operational resilience of FMIs. The vast majority of substantive feedback focused on specific expectations or requirements described in the CPs, and did not disagree with the overall direction of the policy.

Summary of changes to final policy text

1.10 We have made only minor changes to the supervisory statements and Code of Practice for RPSOs and SSPs. These changes, which are described in detail in later sections of this PS, can be summarised as follows:

(a) We have clarified in the final supervisory statements that third parties providing testing summaries and FMIs providing redacted or summarised FMI policies also meet our expectations.

(b) We have made small changes to the definitions across the three supervisory statements and the Code of Practice for the following terms to ensure alignment across the final policy documents: ‘Outsourcing Agreement’, ‘Third Party’, and ‘Sub-outsourcing’.

(c) We have amended the text of the CCP supervisory statement that describes UK EMIR Article 35(1) so that it refers to ‘major activities linked to risk management’ in alignment with the UK EMIR text.

(d) We have confirmed that the policy will have a 12-month implementation period – see Paragraph 1.13 below for details of this.

1.11 In addition to changes made as a result of responses to the consultation, we have amended Paragraph 10.17 in the supervisory statements so that it applies to business continuity plans as well as stressed exit plans. We have also moved the paragraph to the introductory part of the chapter, so that it is now Paragraph 10.4.

1.12 Our detailed feedback to the responses received is outlined in Sections 2–12 of this PS.

Implementation and next steps

1.13 FMIs will be expected to comply with the expectations in the relevant supervisory statement – and for RPSOs and SSPs, the requirements in the Code of Practice also – by 9 February 2024. Outsourcing arrangements entered into on or after 8 February 2023 should meet the expectations in the relevant supervisory statement and/or Code of Practice by 9 February 2024. FMIs should seek to review and update legacy outsourcing agreements entered into before 8 February 2023 at the first appropriate contractual renewal or revision point to meet the expectations in the relevant supervisory statement as soon as possible on or after 9 February 2023.

2: General comments

2.1 Several respondents argued that the requirement to share information about security arrangements and penetration testing results from CSPs would create a risk of leakage of information that could compromise security. Similarly, some respondents argued that the requirement to share relevant FMI policies and other risk management information with third parties creates a ‘concentration of information’ risk at the larger third parties. We consider that the arguments put forward by respondents regarding the importance of minimising the dispersal of sensitive information (from the perspectives of both FMIs and third parties) are valid. We have therefore clarified in the final supervisory statements that testing summaries and redacted or summarised FMI policies also meet our requirements provided that a sufficient level of detail is disclosed.

2.2 Two respondents gave feedback in relation to the policy’s implementation scope and timelines, suggesting that the Bank adopt a long implementation period to allow FMIs to adjust to the new expectations, and remove existing contracts from the scope of the expectations. In response to this we have confirmed that the policy has a 12-month implementation period, which we consider to be sufficiently long. With regard to the scope, we consider it important to the operational resilience of FMIs that existing or legacy contracts are updated to reflect the expectations set out in the policy. However, in response to the feedback received, we have clarified that legacy arrangements should be reviewed and updated at the first appropriate contractual renewal or revision point.

2.3 One respondent noted the lack of cloud-specific expectations in the consultation. While the Bank acknowledges the prominence of cloud outsourcing in the discussion around modernisation of FMIs’ operations – and technological innovation in the financial services sector more broadly – we note that the policy is intended to cover all forms of outsourcing and third party risk management.

2.4 One respondent – an FMI – highlighted the possibility that service providers might be unwilling to agree to contractual terms which meet the expectations described in the consultation. We note that this possibility was not borne out in the responses from service providers to the consultation, which were generally very supportive of the policy.

2.5 One respondent suggested that the Bank should also consider making its policy applicable to those suppliers that are critical to the provision of FMIs’ Important Business Services. We consider that to have expectations of such entities (where those entities are not themselves FMIs) is outside the scope of the policy. However, we note that many of our expectations of FMIs will affect third parties due to the FMIs’ requirements of the services those third parties provide. We also note that the Bank, Prudential Regulation Authority and Financial Conduct Authority have jointly published a discussion paper on the topic of designation and oversight of entities that provide services that, if disrupted, could threaten the stability of, or confidence in, the financial system of the UK (ie ‘critical third parties’).

2.6 One respondent argued that the supervisory statements were generally too prescriptive and did not take into account the different business/operating models of FMIs, and moreover that the CPMI-IOSCO Principles for Financial Market Infrastructure (PFMIs) already provide an effective guide for risk management at FMIs. We consider that the expectations and requirements described in the policy are applicable across FMI types and business models, and are an important accompaniment to the Bank’s operational resilience policy for FMIs, as well as the PFMIs themselves.

2.7 One respondent – an FMI participant – recommended that the Bank publish or make available information such as lists of critical third party arrangements entered into by FMIs and objection decisions made by the Bank and the rationales for these. We consider this suggestion to be outside the scope of the policy, which is specific to expectations and requirements of outsourcing and third party risk management at FMIs.

3: Definitions and scope

3.1 One respondent suggested that the Bank clarify the position of a linked CSD as a participant rather than a third party. While we do not consider it necessary to amend the supervisory statements to reflect this, we do not consider that linked CSDs are third parties, provided that the linked CSD is not providing a service to the original CSD through a contractual arrangement.

3.2 One respondent suggested that the definition of ‘critical third party’ be aligned with the definition of ‘important business service’ (as defined in the operational resilience policies for FMIs). We note that the outsourcing and third party risk management policy is intended to complement and support the operational resilience policy, and therefore do not consider it necessary to align the two definitions.

3.3 One respondent suggested that the outsourcing and third party risk management policy should not place FMIs in the position of having to choose a subset of participants that can use a specific cloud service provider, while denying other participants the ability to use that provider. We note that this is not an expectation in the policy.

3.4 Numerous respondents suggested minor changes to a number of definitions. Except where noted above in relation to alignment of definitions across the supervisory statements and Code of Practice, we do not consider the suggested changes would have a material benefit to the policy.

4: Proportionality

4.1 One respondent requested that the policy be amended to limit FMIs’ consideration of key participant outsourcing arrangements to those which pose direct and foreseeable risks to FMIs’ important business services. We note that, in order to make a judgement on which participant outsourcing arrangements meet this criterion, an FMI would already have had to assess and understand the risks posed by those outsourcing arrangements. We therefore do not consider it necessary to amend the policy.

4.2 Several respondents suggested that the statement in Paragraph 3.3 of the supervisory statements – which states that intragroup outsourcing is not inherently less risky than outsourcing to third parties outside an FMI’s group – is wrong and should be removed or altered. The Bank does not agree with this in principle, and we have therefore not changed this part of the supervisory statements. However, we note that Paragraph 3.3 of the supervisory statements also states that FMIs should comply with the expectations in the SS in a proportionate manner, taking into account in particular the level of control and influence the FMI has over the entity that is providing the outsourced service.

4.3 One respondent queried the proposed policy’s focus on control and influence for intragroup outsourcing arrangements. We note that this focus is due to the particular relevance of an FMI’s control and influence over the intragroup entity to which it outsources for its assessment of the suitability of the outsourcing arrangement. We further note that this does not diminish the relevance of other suitability factors which should be considered as set out in the policy.

4.4 One respondent suggested in relation to Paragraph 3.4 of the supervisory statements that the final policy should suggest that FMIs be involved in the development of group policies, in addition to reviewing those policies for consistency and robustness. While we acknowledge that such an approach could give an FMI more assurance that the group policies are robust and consistent, we consider that this approach would not be a substitute for the FMIs’ review of the group policy and so have not made the suggested change to the final policy.

5: Governance and record keeping

5.1 Two respondents argued that the supervisory statements do not clearly distinguish between the role of the board and the role of management. We do not consider this to be the case, as the definition and expectations of FMIs’ boards are clearly described in Paragraphs 4.2 to 4.4 of the supervisory statements.

5.2 One respondent suggested that a biennial frequency of review of outsourcing and third party risk management frameworks should be specified in the policy. We consider that such a specification would not necessarily be appropriate for all FMIs and have not made this suggested change to the policy.

5.3 One respondent argued that, with respect to Paragraph 4.17, the participant and the cloud service provider are best placed to identify security requirements for the network environment – and that in practice FMIs would use common security standards rather than developing their own. We are, in principle, comfortable with FMIs incorporating common security standards into their policies and expectations, but consider that FMIs should nonetheless communicate those expectations to participants.

5.4 One respondent suggested that the policy clarify that FMIs’ rulebooks should be considered a contract and not a policy for the purposes of Paragraph 4.15. We note that, while FMIs’ rulebooks are not discussed in Paragraph 4.15, they are mentioned in Paragraph 4.17 as an example of a means by which FMIs might communicate their expectations to participants. However, rulebooks are not captured by the references to internal policies and strategies in Paragraph 4.15.

5.5 One respondent requested additional guidance from the Bank on the expectations regarding the information which FMIs should request from their participants on those participants’ own third party risk management. We consider this to be a level of detail beyond the scope of the supervisory statement.

5.6 One respondent suggested that the supervisory statement should include a requirement for FMIs and their third party service providers to understand shared responsibilities before contracts are signed, and provide more guidance on why this understanding is important. We do not consider that including this requirement is necessary, as Paragraph 4.11 of the supervisory statements already clearly states that FMIs should ‘define, document, and understand their and the third parties’ respective responsibilities’.

6: Pre-outsourcing phase: criticality assessment, due diligence and risk assessment

6.1 Several respondents argued that FMIs will struggle to assess concentration risk stemming from outsourcing arrangements on a system-wide level given limited visibility of the whole financial ecosystem. We consider that FMIs will generally not have full visibility of concentration risk across the entire ecosystem. However, we also note that FMIs are in a position to consider whether concentration risks are developing at a system level – and that our expectations here reinforce existing obligations set out in the PFMI.

6.2 One respondent noted that, in the CCP supervisory statement, the description of EMIR Article 35(1) does not match the actual text of the article: the draft supervisory statement refers to the outsourcing of ‘a core service’, whereas EMIR refers to ‘major activities linked to risk management’. We consider this to be a valid observation, and have amended the text of the CCP supervisory statement so that it refers to ‘major activities linked to risk management’ to provide alignment with EMIR.

6.3 Three respondents argued that the Bank’s expectation that FMIs obtain a non-objection for critical outsourcing arrangements introduces external dependencies into FMIs’ decision making and contractual negotiations. We note that the expectation that FMIs will seek the Bank’s non-objection for major changes to their operations or risk profile is not a new expectation. Moreover, we consider it important that the Bank obtains sufficient assurance that FMIs are able to ensure resilience and manage the risks associated with outsourcing on an ongoing basis.

6.4 One respondent suggested that the policy acknowledge that FMIs should inform the Bank if they believe their inability to obtain necessary information from service providers and/or third parties poses a risk. We consider that this suggestion is effectively already addressed by the text in Paragraphs 5.1 and 6.5 of the supervisory statements – these paragraphs concern our expectations of FMIs with respect to informing the Bank of material changes in their risk profile and/or the inability of a third party to facilitate an FMI’s compliance with other regulatory obligations and expectations.

6.5 One respondent noted that assessments of conflicts of interest are not mentioned in relation to the pre-outsourcing phase. We consider that the expectation that FMIs will draw upon their conflict of interest policy in the creation of their third party risk management policy is sufficient to cover this risk, noting that FMIs’ third party risk management policies should inform their approach to conducting the pre-outsourcing phase.

6.6 One respondent suggested that the Bank provide established criteria that it will use to determine whether an objection would be made to a proposed critical third party arrangement. We do not consider this to be necessary as the supervisory statements already describe our expectations with regard to FMIs’ outsourcing and third party risk management.

6.7 One respondent requested that the Bank make clear its timelines for non-objection decisions in the policy. While the Bank will make these decisions in a reasonable timeframe, we do not consider it feasible to define the timelines for non-objection decisions in the policy due to the wide range of outsourcing and third party relationships which may be the subject of such decisions.

6.8 One respondent noted the potential confusion in terminology between the criticality assessment the Bank expects FMIs to perform for all third party arrangements, and the critical third parties referred to in the joint discussion paper mentioned above. We note that the concept of criticality in the policy is aligned with that used in the PFMI, and moreover that the distinction between the two terms is made clear in footnote 4 of the supervisory statements.

6.9 One respondent requested guidance on what constitutes a material change in an FMI’s risk profile with respect to seeking the Bank’s non-objection to an outsourcing arrangement. We consider that this is outside the scope of the policy. We also note that FMIs will naturally interact with the Bank through supervisory engagement, and consider that such engagement provides an ideal platform for FMIs to confirm whether non-objection is required for a particular outsourcing or third party arrangement.

7: Outsourcing agreements

7.1 Several respondents argued that the expectations for the content of contracts for critical outsourcing arrangements outlined in Paragraph 6.4 of the supervisory statements would be difficult to obtain from third parties in practice, and would also necessitate the renegotiation of many existing contracts. We consider that these expectations are a necessary standard that critical outsourcing arrangements should meet. However, as noted above in Paragraph 1.13 we have adopted an implementation period of twelve months combined with an expectation that FMIs seek to review and update legacy outsourcing agreements at the first appropriate contractual renewal or revision point. We consider that this approach to implementation will facilitate FMIs’ meeting the expectations for the content of outsourcing contracts.

8: Data security

8.1 The Bank did not receive any responses to the consultation which included material commentary on this chapter of the supervisory statements.

9: Access, audit and information rights

9.1 Two respondents suggested in relation to Paragraph 8.1 of the supervisory statements that information requests of third parties from the Bank should be sent to the FMI in the first instance, rather than directly to the third party. In practice we would typically request information from a third party after informing the FMI first, or would request the information from the FMI. However, we also consider it important that the Bank has the ability to directly request information from the third party where necessary.

9.2 One respondent requested clarity on whether the expectations described in the access, audit and information chapter of the supervisory statements applied to non-critical outsourcing. As stated in Paragraph 8.2 of the supervisory statements, the expectations in this chapter apply specifically to critical outsourcing arrangements. However, the Bank expects CCPs to adopt a risk-based approach to access, audit, and information rights in respect of all outsourcing arrangements with third parties. In doing so, they should take into account the arrangement’s riskiness and the likelihood of it becoming critical in the future.

9.3 One respondent suggested that Paragraph 8.3 of the supervisory statements clarify that the phrase ‘any other person appointed by [FMIs] or the Bank’ specifically refers to Section 166 reviews. We note that there may be other circumstances in which the Bank or FMI might appoint such a person, and therefore do not consider that the wording should be changed.

10: Sub-outsourcing

10.1 Several respondents noted that the necessary rights of access to monitor sub-outsourcing are difficult to obtain. We consider that these access rights are an important tool for FMIs to be able to effectively manage the operational risk stemming from sub-outsourcing arrangements, and so have not altered the expectation in the final policy.

11: Business continuity and exit plans

11.1 One respondent argued that it is not always feasible to test business continuity and exit plans, and suggested that further clarity be provided on the level of testing expected of FMIs. We consider that some level of testing is always feasible. We also note that Chapter 10 of the supervisory statements already describes our expectations regarding testing in sufficient detail.

11.2 The Bank did not receive any further feedback on Chapter 10’s description of appropriate business continuity and exit planning arrangements. However, we consider that additional clarification here would be useful. Where an FMI is outsourcing a core service, it may decide to adopt one or more of the most resilient options available to support the continuity of its outsourced core service in the event of a serious provider outage. These options might include having a contractual arrangement with a back-up vendor that is independent of the primary vendor, or retaining the ability to provide the service on-premises. Irrespective of the option(s) chosen, the Bank would expect the FMI to demonstrate that:

(a) the outsourcing arrangement it has is sufficiently robust such that the risk of a serious outage is within the FMI’s risk appetite;

(b) the FMI understands the financial stability impacts that would follow a serious outage; and

(c) the FMI has identified the steps it would take to mitigate such impacts were such an outage to occur.

12: Feedback on the code of practice for RPSOs and SSPs

12.1 One respondent expressed concern that there might be inconsistencies in the wording of definitions of key terms in the code of practice and supervisory statement for RPSOs and SSPs. We have revisited the definitions across the three supervisory statements and the code of practice, and have aligned the definitions for the following across the final policy documents: ‘Outsourcing Agreement’, ‘Third Party’, and ‘Sub-outsourcing’.