1.1 This Supervisory Statement (SS) on outsourcing and third party risk management is relevant to all Bank of England (Bank) supervised central securities depositories (CSDs) and UK entities which are planning to apply to the Bank for authorisation as a UK CSD pursuant to UK CSDR.
1.2 CSDs’ reliance on third parties, in particular through outsourcing arrangements, is well established, and is already subject to existing regulatory requirements and CPMI-IOSCO’s Principles for Financial Market Infrastructures (PFMI), to which the Bank expects CSDs to have regard. This includes the authorisation requirement set out in Article 19 of the onshored Regulation (EU) No 909/2014 of the European Parliament and of the Council on improving securities settlement in the European Union and on central securities depositories (UK CSDR), where the outsourcing relates to the delivery of core services as defined in Section A of the Annex, as well as other detailed onshored requirements contained in the relevant technical standards. CSDs are also expected to have due regard to the Bank’s policy on operational resilience.
1.3 This SS explains the Bank’s supervisory approach to outsourcing and third party risk management, which is relevant to many areas of a CSD’s operations. It provides guidance as to how the Bank expects CSDs to meet their regulatory obligations and sets out more specific requirements and expectations for CSDs than is contained within the PFMI, UK CSDR and relevant technical standards. In particular:
- Chapter 2 elaborates on the definitions of ‘third party’ and ‘outsourcing’, and sets out the expectations for managing the risks arising from all third party dependencies that can pose a threat to the safety and efficiency of the CSD, thereby impacting financial stability. It also elaborates on the expectation for CSDs to have a sufficient understanding of the risks to settlement services when participants outsource to the cloud.
- Chapter 3 clarifies how the principle of proportionality applies to the expectations in this SS, in particular, to intragroup outsourcing.
- Chapter 4 sets out the Bank’s expectations on governance and accountability, risk management and record keeping.
- Chapter 5 sets out the Bank’s expectations for CSDs during the pre-outsourcing phase. It addresses the criticality and risk assessments of their outsourcing and other third party arrangements (including notification to the Bank where required), and CSDs’ due diligence on third parties.
- Chapter 6 lists the areas that the Bank expects written agreements relating to critical outsourcing arrangements to address as a minimum. The following four areas are then examined in detail in Chapters 7–10:
  - data security (Chapter 7);
  - access, audit, and information rights (Chapter 8);
  - sub-outsourcing (Chapter 9); and
  - business continuity and exit strategies (Chapter 10).
1.4 CSDs are required to comply with UK CSDR and relevant technical standards and these will continue to apply.
1.5 These requirements and expectations also complement the ‘Bank of England policy on Operational Resilience of FMIs’ published in March 2021.
1.6 CSDs are expected to comply with the expectations in this SS by 9 February 2024. Outsourcing arrangements entered into on or after 8 February 2023 should meet the expectations in this SS by 9 February 2024. CSDs should seek to review and update legacy outsourcing agreements entered into before 8 February 2023 at the first appropriate contractual renewal or revision point to meet the expectations in this SS as soon as possible on or after 9 February 2024.
1.7 In developing the expectations in this SS, including in relation to cloud usage, the Bank has taken account of:
- Financial Stability Board (FSB), ‘Effective Practices for Cyber Incident Response and Recovery’ (FSB Effective Practices) and Discussion Paper on ‘Regulatory and Supervisory Issues Relating to Outsourcing and Third Party Relationships’;
- G7 ‘Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector’ (G7 Third Party Elements); and
- International Organisation of Securities Commissions’ (IOSCO) ‘Principles on Outsourcing’.
1.8 The SS applies to all forms of outsourcing and, where indicated, third party arrangements. This SS also includes examples, references and sections addressing specific issues of particular relevance to cloud outsourcing, such as data security, business continuity and exit planning. By addressing these issues, the SS seeks to provide conditions that can help give CSDs assurance to deploy the cloud in a safe and resilient manner in line with the Bank’s response to ‘The future of finance report’.
1.11 This draft SS should be read alongside and interpreted consistently with the relevant oversight framework, including the following existing expectations on outsourcing and third party risk management for CSDs:
- UK CSDR & Technical standards;
- CPMI-IOSCO Principles for Financial Market Infrastructure; and
- CPMI-IOSCO Oversight expectations applicable to critical service providers (Annex F).
2: Definitions and scope
2.1 The Bank defines third parties as organisations, whether supervised entities or not, that have entered into business relationships or contracts with a CSD to provide products, services, processes, activities or business functions, whether in whole or in part, including providers of utilities and other services. This definition of ‘third party’ is consistent with the definition used by the G7 Third Party Elements and other international supervisory authorities. The scope of the SS includes products, services, processes, activities or business functions performed or provided by third parties, including both outsourced and non-outsourced arrangements. A CSD will remain responsible if a third party on whom it relies, whether wholly or in part, to provide an important business service, fails to remain within impact tolerances or causes the CSD to fail to do so.
2.2 One type of third party arrangement is outsourcing. In line with the definition of third party, the SS defines outsourcing as an arrangement of any form between a CSD, and a third party, whether a supervised entity or not, by which that third party provides a product, performs a service, a process, an activity or a business function, whether directly or by sub-outsourcing, which would otherwise be undertaken by the CSD itself.
2.3 This definition expands on the approach in UK CSDR Article 30 and PFMI Principle 17: Operational Risk. When a CSD outsources services or activities to a third party, it shall remain fully responsible for discharging all of its obligations, and outsourcing does not result in the delegation of its responsibility. This is a key principle underlying all requirements and expectations regarding outsourcing and other third party arrangements.
Non-outsourcing third party arrangements
2.4 As some non-outsourcing third party arrangements may also impact the Bank’s objectives, the Bank expects CSDs to assess the risks of all third party arrangements irrespective of whether they fall within the definition of outsourcing. CSDs, as risk managers, should apply adequate governance, risk management and controls to manage the risks arising from all their third party arrangements that could pose a threat to the safety and efficiency of settlement services thereby impacting financial stability.
2.5 Examples of non-outsourcing third party arrangements may include but are not limited to:
- purchases of hardware, software, and other information, communication and technology products such as:
  - the design and build of an on-premise IT platform;
  - the purchase of data collated by third party providers (data brokers);
  - open source software, and machine learning libraries developed by third party providers;
- the use of aggregators or facilitators to access another financial market infrastructure; and
- the use of a supply chain for the provision of hardware, and other information, communication and technology products.
2.6 Third party arrangements are also subject to relevant requirements on operational resilience. Where third parties provide or support the provision of important business services, the Bank expects CSDs to manage the risk and obtain appropriate assurance to ensure important business services are able to remain within impact tolerance in the event of an extreme but plausible disruption.
Critical third parties and critical outsourcing arrangements
2.7 The Bank defines critical third parties, for the purposes of this SS, as those where the continuous, secure and efficient delivery of their services to CSDs is critical to the operation of the CSD. This is irrespective of whether the relationship is an outsourced or non-outsourced arrangement. This definition builds on Annex F, where the operational reliability of a CSD may be dependent on the continuous and adequate functioning of such third party arrangements. This definition of criticality extends to outsourcing arrangements and other third party arrangements where the relevant services are of such importance that a weakness, or failure, of the services would pose a risk to the continuity of service provided by the CSD, and could threaten the safety and efficiency of securities settlement systems.
2.8 Where a third party is identified as a critical third party, the Bank expects CSDs to meet the expectations set out in Annex F, and implement proportionate, risk-based suitable controls. These controls do not necessarily have to be the same as those that apply to outsourcing arrangements. However, the controls should be appropriate to the risks of the third party arrangement and as robust as the controls that would apply to outsourcing arrangements with an equivalent level of risk. It follows that CSDs should apply stricter controls to high-risk, non-outsourcing third party arrangements than to low-risk outsourcing arrangements.
Participant outsourcing arrangements
2.9 Where CSDs permit participants to outsource their connectivity to financial markets infrastructure to the cloud, this may create indirect dependencies on one or more cloud service providers (CSPs), with which a CSD may or may not have a separate, direct contractual relationship (and by extension, concentration risk on a single provider at both the CSD and systemic levels). CSDs act as risk managers and should therefore understand the nature and scope of outsourcing among their participants, including how the use of new technologies, such as the cloud, may introduce new, or increase existing, systemic risks.
2.10 This is also consistent with UK CSDR RTS 2017/392 Article 67 (Operational risks that may be posed by key participants), under which the Bank expects CSDs, on an ongoing basis, to identify, monitor, and manage the operational risks that they face from key participants.
Important business services
2.11 The Bank’s operational resilience supervisory statement expects CSDs to identify their important business services, and document the necessary people, processes, technology, facilities, and information (the ‘resources’) required to deliver each of their important business services. This process is referred to as mapping. The Bank expects CSDs to map the resources necessary to deliver important business services including where the resources are being provided wholly or in part by a third party or in an intragroup entity. CSDs should identify and understand how their third parties support their important business services, including any reliance placed on supply chains or sub-outsourcing arrangements. As defined in the operational resilience supervisory statement, the Bank considers that a business service is an important business service if a prolonged disruption of that business service would significantly disrupt the orderly functioning of a market which a CSD serves, thereby impacting financial stability in the UK.
2.12 The Bank’s operational resilience supervisory statement also expects CSDs to set an impact tolerance for each of their important business services. The impact tolerance must be set for each important business service at the maximum tolerable level of disruption, beyond which further disruption would pose a significant impact to the market the CSD serves. CSDs must take all reasonable actions to ensure they remain within their impact tolerance for each important business service in the event of an extreme but plausible disruption to their operations.
3.1 CSDs should meet the expectations in this SS in a manner appropriate to their size, internal organisation, risk profile, and the nature, scope and complexity of their activities.
3.2 Proportionality and the criticality of outsourcing arrangements (see Chapter 5) are separate but complementary concepts, and CSDs should consider the links between the two. Proportionality focuses on the characteristics of a CSD, including its systemic significance. Criticality assesses the potential impact of a given outsourcing or third party arrangement on the safety and efficiency of settlement services, including: its operational resilience; its ability to comply with legal and regulatory obligations; and the risk that CSDs’ ability to meet these obligations could be compromised if the arrangement is not subject to appropriate controls and oversight. Criticality can change over time, and CSDs should reassess both criticality and proportionality as appropriate.
3.3 Intragroup outsourcing is not inherently less risky than outsourcing to third parties outside a CSD’s group and is subject to the same requirements. CSDs should have due regard to the level of control and influence over the entity that is providing the outsourced service and comply with the expectations in the SS in a proportionate manner.
3.4 Control and influence may vary depending on the characteristics of a group. For instance, a CSD that outsources to a subsidiary may have greater control and influence than one that outsources to its parent company. The following factors may also be relevant when determining the level of control and influence:
- the group’s governance structure, including reporting lines, the level of connectivity between a CSD’s and its group’s boards, board committees, executive committees, internal control functions and/or other relevant functions (eg technology or shared services);
- the allocation of responsibilities throughout the group;
- the ability of a CSD to alter its intragroup outsourcing arrangements and/or influence their terms and conditions to ensure they meet its UK regulatory obligations and manage the relevant CSD’s business and UK-specific risks; and
- the consistency and robustness of group wide standards, controls, policies, and procedures (eg on business continuity plans and cyber security).
3.5 Depending on its level of control and influence in respect of intragroup outsourcing arrangements, a CSD may, for example:
- rely on the vendor due diligence undertaken by the group, although the CSD should still be fully accountable for assessing and deciding whether a potential third party that is part of its group has the ability, capacity, resources, and appropriate organisational structure to support the performance of the outsourced function or third party service;
- rely on the group’s potentially stronger negotiating and purchasing power to enter into group-wide arrangements with external third parties;
- adapt certain clauses in outsourcing agreements (a written agreement is always required – even in intragroup arrangements (see Chapter 6));
- rely on group policies and procedures as long as they comply with their UK legal and regulatory obligations and allow them to manage relevant risks (eg group cyber security or data protection policies, such as binding corporate rules for international data transfers);
- rely on a centralised group process for overseeing third parties, including the exercise of access, audit, and information rights, provided that this process appropriately takes into account and documents any legal entity-specific risks and allows for legal entity-specific risk mitigation where necessary; and
- rely on business continuity, contingency, and exit plans developed at group level, provided that they adequately safeguard their operational resilience (eg where the outsourcing or third party arrangement supports the delivery of an important business service, the group’s business continuity policy sets out a recovery objective that is consistent with the impact tolerance assigned to that important business service).
4: Governance and record keeping
4.1 The Bank sets out expectations in this SS regarding:
- board engagement on outsourcing and third party risks;
- outsourcing and third party risk management;
- allocation of responsibilities;
- outsourcing and third party risk management policies; and
4.2 The term ‘board’ is defined as a CSD’s body or bodies appointed in accordance with national law, which are empowered to set a CSD’s strategy, objectives and overall direction, oversee and monitor executive decision-making, and includes the people who effectively direct the business of a CSD.
Board engagement on outsourcing and third party risks
4.3 Boards and senior management cannot outsource their responsibilities. CSDs that enter into outsourcing arrangements remain fully accountable for complying with all their regulatory obligations. This is a key principle underlying all requirements and expectations regarding outsourcing and non-outsourcing third party arrangements, including the expectations in this SS. This is consistent with UK CSDR Article 30(1).
4.4 CSDs’ boards should establish a clear, documented risk management framework that includes the CSD’s risk tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision making in crises and emergencies. Governance arrangements should ensure that the risk management and internal control functions have sufficient authority, independence, resources, and access to the board. A CSD’s board, or a body designated by the board with responsibility for risk management, should:
- set the control environment throughout the CSD, including the risk appetite or tolerance levels in respect of outsourcing and third party risk management;
- bear responsibility for the effective management of all risks to which the CSD is exposed, including by:
  - approving the criteria used for assessing and identifying third parties and outsourcing arrangements that are critical to the CSD;
  - appropriately identifying and having an understanding of the CSD’s reliance on critical third parties and critical outsourcing arrangements;
  - ensuring that the CSD has appropriate and effective risk management systems and strategies in place to deal with outsourcing arrangements and third parties; and
  - ensuring that appropriate risk mitigation steps have been taken where a third party provider on whom it relies, whether wholly or in part, to provide an important business service, is unable to remain within impact tolerance in the event of an extreme but plausible disruption.
4.5 The Bank expects CSDs to perform the function of a risk manager, and to ensure that they have a sufficient understanding of the risks to settlement services. This includes being responsible for managing and mitigating the risks that their third parties pose to the safety and efficiency of settlement services, which may thereby impact the financial stability of the UK.
Outsourcing and third party risk management framework
4.6 CSDs should thoroughly identify, assess, measure, monitor, and control the risks associated with their third parties so that they remain within the Board-approved risk appetite. This is consistent with UK CSDR Article 30(1). The Bank expects a CSD to undertake an assessment of the operational risks arising from the delivery of any important business services that are supported by third parties, as well as operational risks arising from the use of information, communications or technology (ICT) systems. CSDs may leverage and build on the oversight expectations set out in Annex F. Each CSD is expected to demonstrate that its treatment of operational risks and operational resilience issues reflects its risk profile, product offerings, business model and operational structure.
4.7 CSDs should ensure that key operational risks identified are considered in and/or managed by:
- the design of third party detective, preventative and mitigation controls;
- an embedded risk and control self-assessment process set out in the operational risk management framework;
- specifying expectations, rights and obligations of third parties as part of contract structuring, business continuity and exit management strategy;
- monitoring the operational risks arising from any outsourcing arrangements performed by the third party; and
- the design of disruption scenarios that are extreme but plausible, involving third parties for the purposes of testing and managing the operational resilience of important business services.
4.8 CSDs should set triggers for reperforming risk assessments of third party and outsourcing arrangements to reaffirm the third party and outsourcing risks remain within risk appetite, based on an up-to-date understanding of the risks. This should include: an assessment of potential cyber risks and vulnerabilities related to third parties; monitoring of risk metrics and risk indicators; assessment of emerging risks etc. If a CSD leverages a third party risk management framework used for assessing and managing third party and outsourcing risks, any risk policies, guidelines, standards and procedures should be aligned to the CSD’s broader enterprise risk and operational risk management framework.
4.9 CSDs may also leverage their end-to-end mapping of important business services, expected under the Bank’s operational resilience policy, to identify their intragroup and other third party dependencies.
4.10 As set out in the Bank’s supervisory statement on operational resilience for central securities depositories, where a third party is unable to meet the impact tolerance set for any important business service, or where there is uncertainty as to whether it can be met, the Bank expects a CSD to set out remedial actions that it will undertake to ensure the impact tolerance can be met at an agreed future date. In such situations, the Bank expects the CSD to explain how such risks will be managed as part of its risk management framework; specifically, how mitigating actions, enhancements to the business continuity and disaster recovery plans, combined with testing, will ensure that the important business service can be brought within the impact tolerance should disruption reoccur. In addition, the Bank expects evidence that important business services assessed as being at risk of breaching its impact tolerance are prioritised when a CSD makes investment decisions and choices about remediation or improvements in its systems, processes and technologies.
Shared responsibility model
4.11 As part of ensuring effective governance of an outsourcing arrangement and in accordance with UK CSDR Article 30(2), the Bank expects CSDs to define, document, and understand their and the third parties’ respective responsibilities. In the case of cloud computing, the term commonly used to help CSDs and cloud providers understand their respective obligations is the ‘shared responsibility model’.
Example of a shared responsibility model in cloud outsourcing
CSPs tend to operate under the ‘shared responsibility model’ whereby:
- CSD is responsible for what is in the cloud and the CSP is responsible for the provision of the cloud;
- CSD remains responsible for correctly identifying and classifying data in line with their legal and regulatory obligations, and adopting a risk based approach to the location of data. They also remain responsible for configuration and monitoring of their data in the cloud to reduce security and compliance incidents;
- CSPs assume responsibility for the infrastructure running the outsourced service, eg data centres, hardware, software etc.; and
- CSDs and CSPs share other responsibilities depending on the service model, eg Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), etc.
Accountability for outsourcing and third party risks
4.12 The board must ensure that members of the executive of a CSD possess appropriate skills and experience necessary to discharge their responsibilities for the operation and risk management of settlement services, including managing the risks arising from outsourcing and third party arrangements. This is consistent with UK CSDR RTS 2017/392 Article 49.
4.13 Where appropriate, CSDs should assign responsibility for third party risk and outsourcing to an accountable person: a Board member and/or a senior executive. These responsibilities encompass the CSD’s overall third party risk management framework, policy, and systems and controls relating to outsourcing. Responsibility for individual outsourcing or third party arrangements may still lie with the relevant business lines or other functional areas of the CSD.
4.14 Roles and responsibilities should be clearly defined for day-to-day oversight of third party and outsourcing arrangements. This includes periodic assessment against service level/contractual agreements, as well as operational incidents and management performance metrics. There should also be an independent second-line review function to provide oversight and challenge. This should be complemented by a third-line internal audit function to provide assurance on internal control effectiveness of third party risk management, and compliance with the relevant policies, legal and regulatory requirements.
Outsourcing and third party risk management policies
4.15 In accordance with UK CSDR RTS Article 70(1), CSDs’ boards should approve, regularly review, and implement a written third party risk management policy, and where relevant, an outsourcing policy. This policy should align to and draw upon other relevant internal policies and strategies. A non-exhaustive list of policies that should be considered includes:
- business model and strategy;
- business continuity;
- conflicts of interest;
- data protection;
- information technology;
- cyber security;
- participant rule book or scheme rules;
- operational resilience; and
- risk management.
4.16 CSDs should make outsourced and third parties aware of relevant internal policies, including those on outsourcing, data protection, information technology, cyber security, and operational resilience. Where CSDs’ policies include confidential or sensitive information, CSDs should omit or redact it and only share those sections relevant to the performance of the outsourced or third party service. If redacting or omitting sections of CSDs’ policies is not possible without compromising the readability of the original document, then CSDs should provide separate summaries of the omitted or redacted sections that are relevant to the performance of the outsourced or third party service. Sharing these policies or summaries thereof with third parties does not dilute CSDs’ responsibilities in terms of managing their outsourcing and third party arrangements, but can help those third parties get a better understanding of CSDs’ regulatory obligations and other relevant aspects such as their risk tolerance and expected service levels.
4.17 CSDs should also set out their policy and communicate their expectations (eg as part of the scheme rules or their rulebook) when participants engage in outsourcing arrangements that may create new risks to settlement services, or amplify existing risks. CSDs should set out in their policy how the risks to settlement services may be mitigated. For example, when participants are permitted to outsource their connectivity to financial market infrastructure to the cloud, the safety, efficiency, and operational resilience of settlement services may be dependent on the relevant CSPs.
4.18 CSDs’ business continuity policies and plans should take into account:
- the possibility that the quality of the provision of important business services that are outsourced services deteriorates to unacceptable levels;
- the possibility of a prolonged outage at the critical third party;
- the potential impact of the insolvency or other failure of the critical third party (see Chapter 10); and
- where relevant, political and other risks in the third party’s jurisdiction.
4.19 There is no ‘one size fits all’ template for CSDs’ outsourcing and third party risk management policies, and the policy does not have to be contained in a single document. CSDs are responsible for developing and maintaining a policy that is appropriate to their complexity, organisational structure, and size.
4.20 The outsourcing and third party risk management policy should be principles-based and may be supported by detailed procedures developed, approved, and maintained below board level. However, it should be sufficiently detailed to provide adequate guidance for a CSD’s staff on how to apply its requirements in practice. At a minimum, it should cover the areas in Table A.
Table A: Contents of outsourcing and third party risk management policy (table body not reproduced; the surviving row headings are ‘Pre-outsourcing and on-boarding’ and ‘Participant outsourcing arrangement’)
4.21 The Bank expects CSDs to keep appropriate records of their outsourcing and third party arrangements. The Bank considers that a CSD in complying with UK CSDR RTS 2017/392 Article 4(2) and PFMI 3.17.20 and 3.17.21 would likely already have records of its outsourcing arrangements for this purpose. The records must be sufficient to enable the CSD to fulfil the expectations concerning concentration risk set out in Paragraph 5.19 below. CSDs should also make any information on their outsourcing and third party arrangements, of which the Bank would reasonably expect notice, available to it. The Bank may also request data on CSDs’ outsourcing arrangements under Section 165(1) and (3) of FSMA by virtue of Paragraph 11 of Schedule 17A of FSMA.
5: Pre-outsourcing phase: criticality assessment, due diligence and risk assessment
5.1 The Bank expects CSDs to:
- assess the criticality of every outsourcing and third party arrangement. Some criteria, or combination of criteria, if met, would result in an expectation that the outsourcing or third party arrangement should be automatically deemed critical;
- define an assessment framework, including the setting of thresholds or classification of criticality that is aligned to the CSD’s broader operational risk management framework, that is used for identifying and managing third party risks;
- notify the Bank and seek the Bank’s non-objection when entering, or significantly changing a critical outsourcing or third party arrangement, or when there is a material change in their risk profile, and that of settlement services;
- perform appropriate and proportionate due diligence on all potential third party arrangements, taking into account the expectations set out in PFMI Annex F and, where outsourcing involves an important business service, ensuring the third party can maintain the relevant important business service within the CSD’s impact tolerances in the event of an extreme but plausible disruption;
- assess the risks of every third party arrangement, irrespective of criticality, by identifying the plausible sources of operational risks, including the potential risks arising from the dependency on all third party and outsourcing arrangements, and mitigate their impact through the use of appropriate systems, policies, procedures and controls; and
- set out an appropriate frequency to periodically (re)assess the criticality of third party arrangements. This should include taking reasonable and proportionate steps to identify and manage their overall reliance on third parties, monitor the risk of concentration and manage the risk of vendor lock-in.
5.2 The PFMI defines third parties as critical if the continuous, secure and efficient delivery of these services may be critical to the operations of the CSD. This definition of criticality also extends to outsourcing arrangements and other third party arrangements, where the relevant services are of such importance that a weakness, or failure, of the services would pose a risk to the continuity of service provided by the CSD, and could threaten the safety and efficiency of settlement services. This concept of criticality is consistent with the oversight expectations applicable to critical service providers in Annex F, and materiality, as defined in PRA SS2/21 Outsourcing and third party risk management which applies to PRA-regulated firms.
5.3 The assessment of criticality of outsourcing arrangements should also take into account whether the outsourcing impacts wholly, or in part, the provision of a CSD’s important business services. If a CSD outsources services that affect the delivery of important business services, this arrangement will generally constitute a ‘critical outsourcing arrangement’.
5.4 The concept of criticality itself and the criteria in this chapter apply to all third party arrangements. CSDs should determine the criticality of all third party arrangements using all relevant criteria in this chapter.
Timing and frequency of criticality assessments
5.5 CSDs are expected to set out an appropriate frequency to periodically assess the criticality of their outsourcing and third party arrangements. Criticality may vary throughout the duration of an arrangement and should therefore be (re)assessed:
- prior to signing the written agreement;
- at appropriate pre-determined intervals thereafter eg during scheduled review periods;
- where a CSD plans to scale up its use of the service or dependency on the third party;
- if a significant organisational change at the third party or a sub-outsourced third party takes place that could change the nature, scale, and complexity of the risks inherent in the outsourcing arrangement, including a significant change to the third party’s ownership or financial position; and
- where a third party is identified as supporting an important business service following a review of the CSD’s mapping or testing of important business services, or an operational incident.
5.6 Where a CSD expects an outsourcing or third party arrangement to become critical in the future, it should take reasonable steps to ensure that it can comply with all applicable expectations in Chapters 6 to 10 before the criticality threshold is crossed. If an outsourcing or third party arrangement becomes critical as a result of new information, changes to operational arrangements, or due to an unexpected occurrence of a severe event, such as a pandemic, CSDs should consider whether additional measures to safeguard their operational resilience are warranted, such as revisions to contractual provisions.
Criteria for assessing criticality
5.7 CSDs should develop their own processes for assessing criticality as part of their outsourcing or third party risk management policy. The assessment framework, including the setting of thresholds for classification of criticality, should be aligned to a CSD’s broader operational risk management framework that is used for identifying and managing third party risks. The Bank expects CSDs to generally consider an outsourcing or third party arrangement as critical where a defect or failure in its performance could:
- threaten the safety and efficiency of a securities settlement system, thereby threatening the financial stability of the UK; or
- impact the resolvability of the CSD.
5.8 The Bank also expects CSDs to classify an outsourced or third party arrangement as critical if it involves an important business service or where there is a dependency on a third party for the delivery in part, or in full.
5.9 The Bank expects CSDs to have regard to all applicable criteria in the box below, both individually and collectively, when assessing the criticality of an outsourcing or third party arrangement not otherwise covered in this Chapter. Although in practice many critical outsourcing and third party arrangements involve ICT products or services (eg cloud), the presence of a given ICT product or service does not, in itself, automatically render an outsourcing arrangement critical.
- Direct connection to the performance of a regulated activity.
- Size and complexity of relevant business area(s) or function(s).
- The potential impact of a disruption, failure, or inadequate performance on the CSD’s:
  - Business continuity, operational resilience, and operational risk.
  - Ability to:
    - comply with legal and regulatory requirements;
    - conduct appropriate audits of the relevant function, service, or third party; and
    - identify, monitor, and manage all risks.
  - Obligations under:
    - UK CSDR; and
    - the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity of the institution and its clients, including but not limited to UK GDPR and the Data Protection Act 2018.
  - Participants, members, counterparties or customers and the wider ecosystem.
  - Early intervention, recovery and resolution planning and resolvability.
- The CSD’s ability to scale up the outsourced service.
- Ability to substitute the third party or bring the outsourced service back in-house, including estimated costs, operational impact, risks and timeframe of an exit in stressed and non-stressed scenarios.
Notification to the Bank
5.10 In accordance with UK CSDR Article 19(1), CSDs are expected to notify the Bank and seek the Bank’s non-objection when entering, or significantly changing a critical outsourcing or third party arrangement. Where the outsourcing relates to a core service, CSDs are expected to seek the Bank’s approval. The Bank expects these notifications to be made before entering into the critical outsourcing or third party arrangement. The Bank also expects CSDs to submit these notifications before an outsourcing arrangement that was not initially deemed critical is expected or planned to become so.
5.11 CSDs, as risk managers within the securities settlement system, are also expected to notify the Bank and seek the Bank’s non-objection when there is a material change in their risk profile and that of a securities settlement system. This may include allowing participants to outsource their connectivity to the financial market infrastructure to the cloud.
5.12 CSDs should engage with the Bank early to confirm whether a proposed change falls within the scope of criticality, and if so, to discuss the information that the Bank will require in each case. The Bank expects information to be submitted sufficiently in advance of concluding any relevant contractual arrangement with the third party to allow time for the Bank to review the CSD’s proposal in principle, and to:
- provide additional information if requested to do so;
- in the case of a CSD’s planned outsourcing arrangement, to implement follow-up action if appropriate, which may involve:
  - enhancing its due diligence, governance, or risk management, and delaying entering into the agreement until it does so; or
  - reviewing the written agreement to ensure it complies with their regulatory obligations and risk management expectations (see Chapter 6). In some circumstances, it might be appropriate to notify the Bank sufficiently in advance before a final provider has been selected. An example of this is where a CSD is planning a major migration programme and is still in the process of selecting a provider from a shortlist;
- in the case of participants’ outsourcing arrangements, to implement follow-up actions, if appropriate, which may include:
  - enhancing its scheme rules;
  - setting out expectations that participants must meet to manage associated risks arising from their outsourcing arrangement; and
  - requiring participants to provide assurance of the resiliency of the solution outsourced to third parties eg testing.
5.13 The Bank expects CSDs to conduct appropriate due diligence on the potential third party before entering into an outsourcing or third party arrangement, and to identify a suitable alternative or back-up provider(s) where available. This is in line with UK CSDR RTS Article 68(2). Where relevant, CSDs should consider appropriate business continuity, contingency planning, and disaster recovery arrangements to ensure third parties can recover their support for the relevant important business service within their impact tolerances in the event of extreme but plausible disruption (see Chapter 10). CSDs’ due diligence should consider conflicts of interest in conformity with CSDs’ conflicts of interest policy (see Paragraph 4.15).
5.14 The Bank expects CSDs’ due diligence to take into account expectations set out in Annex F, and furthermore to consider the potential providers’:
- business model, complexity, financial situation, ownership structure, and scale;
- capability, expertise, and reputation;
- financial, human, and technology resources; and
- sub-outsourced third parties, if any, that will be involved in the delivery of important business services or parts thereof.
5.15 The due diligence should also consider whether potential third parties:
- have the appropriate authorisations or registrations required to perform the service;
- comply with UK GDPR, the Data Protection Act 2018, and other applicable legal and regulatory requirements on data protection;
- can demonstrate certified adherence to recognised, relevant industry standards;
- can provide, where applicable and upon request, relevant certificates and documentation (eg data dictionaries); and
- have the ability and capacity to provide the service that the CSD needs in a manner compliant with UK regulatory requirements (including in the event of a sudden spike in demand for the relevant service, for instance as a result of a shift to remote working during a pandemic). A general track-record of previous performance may not be sufficient evidence by itself.
5.16 In line with PFMI Principle 17 for Operational Risk, UK CSDR Article 45(1) and UK CSDR RTS 2017/392 Article 77, CSDs should, in a proportionate manner, identify the plausible sources of operational risks. These should include the potential risks arising from dependencies on third parties, regardless of criticality, and mitigate their impact through the use of appropriate systems, policies, procedures and controls. CSDs should also conduct risk analysis to identify how various scenarios affect the continuity of its critical operations. The Bank expects CSDs to consider:
- operational risks based on an analysis of extreme but plausible scenarios and relevant output from a CSD’s risk and control self-assessment and tail risk management process; for instance, a breach or outage affecting the confidentiality and integrity of sensitive data and/or availability of service provision;
- systemic risks posed by critical third parties because one or more third parties are unable to meet their service obligations, thereby disrupting the important business services of CSDs and affecting the financial stability of the wider UK economy; and
- financial risks, including the scenario where the CSDs are required to provide financial support to a critical outsourced or sub-outsourced third party in distress or take over its business, including as a result of an economic downturn.
5.17 The Bank expects CSDs to carry out risk assessments when there is a significant change to an outsourcing arrangement’s risks due to, for instance, a serious breach/continued breaches of the agreement or a crystallised risk or any other factors.
5.18 CSDs’ risk assessments should balance any risks that the third party or outsourcing arrangement may create against any other risks it may reduce. The assessment should also take into account the design and operating effectiveness of new, or existing, risk mitigation controls to ensure such arrangements remain within a CSD’s risk appetite or threshold.
5.19 As risk managers, the Bank expects CSDs to periodically (re)assess and take reasonable steps to identify and manage:
- their overall reliance on third parties; and
- concentration risks or vendor lock-in at the CSD, due to:
  - multiple arrangements with the same or closely connected third parties;
  - sub-outsourcing or supply chain dependencies, for instance, where multiple otherwise unconnected third parties depend on the same sub-contractor for the delivery of their services;
  - arrangements with third parties that are difficult or impossible to substitute;
  - concentration of outsourcing and other third party dependencies in a close geographical location, such as one jurisdiction. This type of concentration may arise even if a CSD uses multiple, unconnected third parties, for instance, a business process outsourcing or offshoring hub; and
  - an indirect reliance on other third parties when participants outsource their financial market infrastructure connectivity, including hardware and other solutions, to the cloud. When multiple participants use common third parties, operational risks can be correspondingly concentrated and the third party may become a source of systemic risk.
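The concentration checks in Paragraph 5.19 can be run mechanically over the records that Paragraph 4.21 expects a CSD to keep. The script below is an added example, not part of this SS: it takes a constructed register of arrangements and a constructed map of participants’ connectivity providers (all names, locations and figures are illustrative placeholders) and reports shared third parties, shared sub-contractors, hard-to-substitute critical arrangements, geographical concentration and indirect reliance through participants.

```python
"""Concentration-risk review over a third party register (added example).

All providers, sub-contractors, locations and participants below are
constructed placeholders; the thresholds are assumptions, not SS values.
"""
from collections import Counter, defaultdict

# Constructed sample register of outsourcing / third party arrangements.
REGISTER = [
    {"id": "A1", "service": "settlement engine hosting", "critical": True,
     "third_party": "CloudCo", "sub_contractors": ["PowerGrid Ltd"],
     "location": "GB", "substitutable": False},
    {"id": "A2", "service": "corporate actions platform", "critical": True,
     "third_party": "CloudCo", "sub_contractors": [],
     "location": "GB", "substitutable": True},
    {"id": "A3", "service": "participant connectivity gateway", "critical": True,
     "third_party": "NetLink", "sub_contractors": ["PowerGrid Ltd"],
     "location": "GB", "substitutable": True},
    {"id": "A4", "service": "payroll processing", "critical": False,
     "third_party": "HRSoft", "sub_contractors": ["MailRelay"],
     "location": "IE", "substitutable": True},
    {"id": "A5", "service": "reconciliation reporting", "critical": True,
     "third_party": "DataHub", "sub_contractors": ["MailRelay"],
     "location": "IE", "substitutable": False},
]

# Constructed: cloud provider each participant uses for its FMI connectivity.
PARTICIPANT_CONNECTIVITY = {
    "Bank A": "CloudCo", "Bank B": "CloudCo",
    "Broker C": "CloudCo", "Bank D": "NetLink",
}


def shared_third_parties(register):
    """Third parties appearing in more than one arrangement (5.19, first sub-bullet)."""
    by_tp = defaultdict(list)
    for arr in register:
        by_tp[arr["third_party"]].append(arr["id"])
    return {tp: ids for tp, ids in by_tp.items() if len(ids) > 1}


def shared_sub_contractors(register):
    """Sub-contractors relied on by two or more otherwise unconnected third parties."""
    by_sub = defaultdict(set)
    for arr in register:
        for sub in arr["sub_contractors"]:
            by_sub[sub].add(arr["third_party"])
    return {sub: sorted(tps) for sub, tps in by_sub.items() if len(tps) > 1}


def hard_to_substitute(register):
    """Critical arrangements with no identified alternative or back-up provider."""
    return [arr["id"] for arr in register
            if arr["critical"] and not arr["substitutable"]]


def location_concentration(register, share_threshold=0.5):
    """Locations hosting at least `share_threshold` of the critical arrangements."""
    critical = [arr for arr in register if arr["critical"]]
    if not critical:
        return {}
    counts = Counter(arr["location"] for arr in critical)
    return {loc: n / len(critical) for loc, n in counts.items()
            if n / len(critical) >= share_threshold}


def participant_concentration(connectivity, share_threshold=0.5):
    """Connectivity providers used by at least `share_threshold` of participants."""
    counts = Counter(connectivity.values())
    total = len(connectivity)
    return {p: n / total for p, n in counts.items() if n / total >= share_threshold}


def concentration_report(register, connectivity, share_threshold=0.5):
    """Combine the individual checks into one review output."""
    return {
        "shared_third_parties": shared_third_parties(register),
        "shared_sub_contractors": shared_sub_contractors(register),
        "hard_to_substitute": hard_to_substitute(register),
        "location_concentration": location_concentration(register, share_threshold),
        "participant_concentration": participant_concentration(connectivity, share_threshold),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(concentration_report(REGISTER, PARTICIPANT_CONNECTIVITY), indent=2))
```

A real register would also carry the criticality and substitutability rationale from the Chapter 5 assessment, so that the review can be re-run at the intervals set under Paragraph 5.5.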
6: Outsourcing agreements
6.1 In line with UK CSDR Article 30(2), the Bank requires a formalised contractual agreement to be in place for all outsourcing arrangements, irrespective of criticality and including intragroup arrangements.
6.2 Where there is a master service agreement that allows CSDs to add or remove certain services, each outsourced service should be appropriately documented, although not necessarily in a separate agreement.
6.3 CSDs should ensure that written agreements for all outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Moreover, regardless of criticality, CSDs should ensure that outsourcing arrangements do not impede or limit the Bank’s ability to effectively supervise the CSD, or the outsourced activity, function or service.
Critical outsourcing agreements
6.4 Written agreements for critical outsourcing arrangements should set out at least the following:
- a clear description of the outsourced function, including the type of support services to be provided;
- the extent to which the provision of each important business service of the CSD is dependent on a third party;
- the start date, next renewal date, end date, and notice periods regarding termination for the third party and the CSD;
- the governing law of the agreement;
- the parties’ financial obligations;
- whether the sub-outsourcing of a function or part thereof is permitted and, if so, under which conditions;
- the location(s), ie regions or countries, where the function or service will be provided, and/or where relevant data will be kept, processed, or transferred, including the possible storage location, and a requirement for the third party to give reasonable notice to the CSD in advance if it proposes to change said location(s);
- provisions regarding the accessibility, availability, integrity, confidentiality, privacy, and safety of relevant data (see Chapter 7);
- the right of the CSD to monitor the third party’s performance on an ongoing basis (this may be by reference to key performance indicators (KPIs));
- the agreed service levels, which should include qualitative and quantitative performance criteria and allow for timely monitoring, so that appropriate corrective action can be taken if these service levels are not met;
- the reporting obligations of the third party to the CSD, including a requirement to notify the CSD of any development that may have a material or adverse impact on the third party’s ability to effectively perform the function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements;
- whether the third party should take out mandatory insurance against certain risks and, if applicable, the level of insurance cover requested;
- the requirements for both parties to implement and test business contingency plans. For CSDs, these should take account of their impact tolerances for important business services as well as their recovery time and recovery point objectives. Both parties should commit to take reasonable, proportionate steps to develop an effective business continuity plan, and support the testing of such plans;
- provisions to ensure that data owned by the CSD can be accessed promptly in the case of the insolvency, resolution, or discontinuation of business operations of the third party;
- the obligation of the third party to co-operate with the Bank, including persons appointed to act on their behalf;
- the rights of CSDs and the Bank to inspect and audit the third party with regard to the outsourced function; and
- if relevant:
  - appropriate and proportionate information security related objectives and measures, including requirements such as minimum information technology security requirements, specifications of CSDs’ data lifecycles, and any requirements regarding data security, network security, and security monitoring processes;
  - operational and security incident handling procedures, including escalation and reporting; and
  - termination rights and exit strategies covering both stressed and non-stressed scenarios, as specified in Chapter 10. As in the case of business contingency plans, both parties should commit to take reasonable steps to support the testing of CSDs’ termination plans. CSDs may elect to limit contractual termination rights to situations such as:
    - material breaches of law, regulation, or contractual provisions;
    - those that create risks beyond their appetite or tolerance; or
    - those that are not adequately notified and remediated in a timely manner.
6.5 If a third party in a critical outsourcing arrangement is unable or unwilling to contractually facilitate a CSD’s compliance with its regulatory obligations and expectations, the CSD should notify the Bank. The Bank will have due regard to a CSD’s ability to fulfil its regulatory obligations under Article 30 of UK CSDR.
7: Data security
7.1 In this chapter, the term data is defined broadly to include confidential, firm-sensitive, and transactional data. It may also cover open-source data (eg from social media) collected, analysed, and transferred for the purposes of providing financial services as well as the systems used to process, transfer, or store data. Where a third party arrangement involves a transfer of data to the third party, irrespective of its criticality, or whether it relates to outsourcing or non-outsourcing, the Bank expects CSDs to have sound and robust information security policies, standards, and practices, and take appropriate measures to protect their data from unauthorised disclosure, ensure data integrity, and guarantee the availability of their services. This is in line with Annex F: Information Security. This chapter should also be interpreted consistently with requirements under relevant data protection law, UK CSDR and relevant technical standards.
7.2 The expectations in this chapter apply to critical outsourcing or third party agreements that involve the transfer of data to third parties. Where a critical outsourcing or third party agreement involves the transfer of or access to data, the Bank expects CSDs to define, document, and understand their and the third parties’ respective responsibilities in respect of that data and take appropriate measures to protect it.
7.3 Where a critical outsourcing or third party agreement involves the transfer of data, the Bank expects CSDs to:
- classify relevant data based on their confidentiality and sensitivity;
- identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
- agree an appropriate level of data availability, confidentiality, and integrity;
- agree an appropriate recovery point and recovery time objective; and
- if appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.
7.4 Some risks relating to data that the Bank expects CSDs to consider include but are not necessarily limited to unauthorised access, loss, unavailability, and theft.
7.5 CSDs are responsible for classifying their data. While the Bank does not prescribe a specific taxonomy for data classification, it expects CSDs to implement appropriate, risk-based technical and organisational measures, aligned to their broader operational risk framework, to protect different classes of data (eg confidential, client, personal, sensitive, transaction), when:
- developing and implementing their third party and outsourcing policy and other relevant policies and strategies, for example, business continuity planning, disaster recovery, information security, operational resilience, and risk management; and
- sharing data with third parties, including but not limited to, as part of an outsourcing arrangement.
7.6 The Bank recognises the potential benefits for operational resilience of CSDs using cloud technology to distribute their data and applications across multiple, geographically dispersed availability zones and regions. This approach can strengthen CSDs’ ability to respond to and recover from local operational outages faster and more effectively, and enhance their ability to cope with fluctuations in demand.
7.7 The Bank also recognises the potential negative consequences of restrictive data localisation requirements on CSDs’ innovation, resilience, and costs. None of the expectations in this SS and in particular this section should be interpreted as explicitly or implicitly favouring restrictive data localisation requirements.
7.8 However, the Bank expects CSDs to adopt a risk-based approach to the location of data that allows them to simultaneously leverage the operational resilience advantages of outsourced data being stored in multiple locations and manage relevant risks, which may include:
- legal risks stemming from conflicting or less developed relevant legal or regulatory requirements in one or more of the countries where the data may be processed or stored;
- challenges to CSDs’ and the Bank’s ability to access data in a timely manner if required (eg as part of their enforcement, or supervisory functions) due to local law enforcement, legal, or political circumstances; and
- other potential risks to the availability, security, or confidentiality of data, for instance, high risk of unauthorised access or IT risks stemming from inadequate data processing equipment.
7.9 As part of their due diligence and risk assessment in the pre-outsourcing phase, CSDs should identify whether their data could be processed in any jurisdictions that are outside their risk appetite or tolerance and, if so, bring this to the attention of the third party when negotiating the contractual arrangement in order to discuss adequate data protection and risk mitigation measures.
7.10 The Bank expects CSDs to implement appropriate measures to protect any transfer of data to a third party and set them out in their outsourcing and third party risk management policy and, where appropriate, in their written agreements.
7.11 The Bank expects CSDs to leverage their existing risk governance and operational risk framework to assess the risks arising when data is in transit, in memory and at rest. CSDs should implement effective controls to mitigate the risks to within their risk appetite or tolerance. Depending on the criticality and risk of the arrangement, these controls may include a range of preventative and detective measures, including but not necessarily limited to:
- configuration management. This is a particularly important measure, as for example, in the context of cloud, misconfiguration of cloud services can be a major cause of data breaches;
- encryption and key management;
- identity and access management, which should include stricter controls for individuals whose role can create a higher risk in the event of unauthorised access (eg systems administrators). CSDs should be particularly vigilant about privileged accounts becoming compromised as a result of phishing attacks and other leaking or theft of credentials;
- the ongoing monitoring of ‘insider threats’ (ie employees or agents of the CSD, and at the third party who may misuse their legitimate access to enterprise data for unauthorised purposes maliciously or inadvertently). The term ‘employee’ should be construed broadly for these purposes and may include contractors, secondees, and sub-outsourced third parties;
- access and activity logging;
- incident detection and response;
- loss prevention and recovery;
- data segregation (if using a multi-tenant environment);
- operating system, network, and firewall configuration;
- staff training;
- the ongoing monitoring of the effectiveness of the third party’s controls, including through the exercise of access and audit rights (see Chapter 8);
- policies and procedures to detect activities that may impact CSDs’ information security (eg data breaches, incidents, or misuse of access by third parties) and respond to these incidents appropriately (including appropriate mechanisms for investigation and evidence collection after an incident); and
- procedures for the deletion of enterprise data from all the locations where the third party may have stored it following an exit or termination, provided that access to the data by the CSD, or the Bank is no longer required. When deciding when to delete data, CSDs will need to consider their obligations under data protection law and their potential data retention obligations.
7.12 Where data is encrypted, CSDs should ensure that any encryption keys or other forms of protection are kept secure by either the CSD or the outsourcing provider. The data protected by encryption (although not necessarily the encryption keys themselves) should be provided to the Bank in an accessible format if required.
7.13 The ability of third parties to respond to customer-specific data security requests may vary depending on the service being provided. Generally, the more standardised the service, the more difficult it might be for the third party to accommodate these requests. The Bank’s focus is on the overall effectiveness of the third party’s security environment, which should allow CSDs to meet their regulatory and risk management obligations and be at least as effective as their in-house security environment. As long as third parties can provide assurance that this is the case, the Bank does not have specific expectations around customer-specific requests.
8: Access, audit and information rights
8.1 Section 165(1) and (3) of FSMA by virtue of Paragraph 11 of Schedule 17A of FSMA gives the Bank powers to request information that it requires in connection with its functions in relation to CSDs. These powers are not limited to CSDs and may apply directly to outsourced third parties, other stakeholders in the systems or potential operators of new CSDs.
8.2 The expectations in this chapter apply to critical outsourcing arrangements. However, the Bank expects CSDs to adopt a risk-based approach to access, audit, and information rights in respect of outsourcing arrangements with all third parties. In doing so, they should take into account the arrangement’s riskiness and the likelihood of it becoming critical in the future.
8.3 In line with UK CSDR Article 30, the Bank requires a formalised contractual agreement to be in place for all outsourcing arrangements, irrespective of criticality and including intragroup arrangements. The agreement should allow the CSD and the Bank to have full access to such information it may require. The Bank expects CSDs to ensure that written agreements for critical outsourcing arrangements include provisions for full access and unrestricted rights for audit and information to the following so as to enable CSDs to comply with their legal and regulatory obligations, and to monitor the arrangement:
- CSD’s auditors;
- the Bank; and
- any other person appointed by CSDs or the Bank.
8.4 CSDs’ proposals on effective access, audit and information rights should cover (as appropriate) premises, data, devices, information, systems and networks used for providing the service or monitoring its performance. These should include, where relevant:
- the third party’s policies, processes, and controls on data ethics, data governance, and data security;
- a summary of the results of security penetration testing carried out by the outsourced third party, or on its behalf, on its applications, data, and systems to assess the effectiveness of implemented cyber and internal IT security measures and processes;
- company and financial information; and
- the third party’s external auditors, personnel, and premises.
8.5 The Bank considers that it is not sufficient for CSDs merely to negotiate adequate access, audit, and information rights; these must also be used when appropriate. The purpose of the rights outlined in this chapter is to support CSDs’ identification, assessment, management, and mitigation of any identified risks relating to a critical outsourcing arrangement. The appropriate exercise of these rights is key to providing the assurance that such an arrangement is being provided as agreed with the outsourced provider and in line with regulatory requirements, for example by assessing whether the third party is providing the relevant service effectively and in compliance with the CSD’s expectations on operational resilience.
Pooled audits and third party certificates and reports
8.6 CSDs may use a range of audit and other information gathering methods, including:
- offsite audits, such as certificates and other independent reports supplied by third parties; and
- onsite audits, either individually or in conjunction with other firms (pooled audits).
8.7 CSDs can choose any appropriate audit method as long as it enables them to meet their legal, regulatory, operational resilience, and risk management obligations. The level of assurance expected will, however, become more onerous depending on the criticality of the arrangement. For instance, a CSD that outsources an important business service for which it has set a low impact tolerance should demand a higher level of assurance.
Third party reports and certificates
8.8 Certificates and reports supplied by third parties may help CSDs obtain assurance on the effectiveness of the third party’s controls. However, in outsourcing arrangements with critical third parties, the Bank expects CSDs to:
- assess the adequacy of the information in these certificates and reports, and not assume that their mere existence or provision is sufficient evidence that the service is being provided in accordance with their legal, regulatory, and risk management obligations; and
- ensure that certificates and audit reports meet the expectations in Table B.
Table B: Expectations for certificates and audit reports
Expertise, qualification, and skills
8.9 In outsourcing arrangements with critical third parties, the Bank expects CSDs to retain the contractual rights to:
- request additional, appropriate, and proportionate information if such a request is justified from legal, regulatory, or risk management perspectives; and
- perform onsite audits (individual or pooled) at their discretion.
8.10 Before an onsite audit, the Bank expects CSDs, as well as individuals and organisations acting on their behalf, to:
- provide reasonable notice to the third party, unless this is not possible due to a crisis or emergency, or because it would defeat the purpose of the audit. Such notice should include the location and purpose of the visit and the personnel that will participate in the visit;
- verify that whoever is performing the audit has appropriate expertise, qualifications, and skills; and
- take care, if undertaking an audit of a multi-tenanted environment (eg a cloud data centre), to avoid or mitigate risks to other clients of the third party in the course of the audit.
8.11 Certain types of onsite audit may create an unmanageable risk for the environment of the provider or its other clients, for example, by impacting service levels or the confidentiality, integrity, and availability of data. In such cases, the CSD and the third party may agree alternative ways to provide an equivalent level of assurance, for instance, through the inclusion of specific controls to be tested in a report or certification. The Bank expects that CSDs should retain their underlying right to conduct an onsite audit. For outsourcing arrangements with critical third parties, the Bank would expect the CSD to inform the Bank if alternative means of assurance have been agreed.
8.12 Pooled audits may be organised by groups of firms sharing one or more third parties or facilitated by the third parties. They may be performed by representatives of the participating firms or specialists appointed on their behalf. Pooled audits can be more efficient and cost effective for CSDs and less disruptive for third parties running multi-tenanted environments. They can also help spread costs and disseminate best industry practices with regard to audit methods among CSDs.
8.13 Where pooled audits lead to common, shared findings, the Bank expects CSDs to assess what these findings mean for them individually, align risks and controls assessment to their broader operational risk framework and assess whether there are requirements for follow up actions or remediation on their part.
9: Sub-outsourcing
9.1 This section on sub-outsourcing builds on UK CSDR Article 30 and the existing PFMI Paragraph 3.17.20, where the contractual agreement for outsourcing should ensure that the CSD’s approval is mandatory before the critical third party can itself outsource critical elements of the service provided to the CSD, and that in the event of such an arrangement, full access to the necessary information is preserved. The expectations in this chapter apply to critical outsourcing arrangements.
9.2 The Bank defines sub-outsourcing as a situation where the third party under an outsourcing arrangement further transfers, in whole or in part, an outsourced function to another third party. Sub-outsourcing, which is also sometimes referred to as ‘chain’ outsourcing, can amplify certain risks in an outsourcing arrangement, including:
- limiting CSDs’ ability to manage the risks of the outsourcing arrangement, in particular, where there are large chains of sub-outsourced third parties spread across multiple jurisdictions; and
- giving rise to additional or increased dependencies on certain third parties, which the CSD may not be fully aware of or may not want.
Oversight of sub-outsourcing
9.3 The Bank expects CSDs to assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that CSDs have visibility of the dependencies arising from any chain outsourcing arrangements, and that third parties are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced third parties.
9.4 The Bank expects CSDs to pay particular attention to the potential impact of large, complex sub-outsourcing chains on their operational resilience, including how this would affect their recovery time objectives, business continuity plans, and their ability to remain within impact tolerances during operational disruption. CSDs should also consider whether extensive sub-outsourcing could compromise their ability to manage their third party risks by impairing their ability to oversee and monitor an outsourcing arrangement.
9.5 CSDs should assess whether each sub-outsourcing agreement meets the criticality criteria set out in Chapter 5, which includes the potential impact on the CSD’s operational resilience and the provision of important business services. CSDs should only agree to sub-outsourcing if:
- the sub-outsourcing will not impair the CSD’s ability to manage their third party risks;
- the risk assessment of such sub-outsourcing arrangement is within the CSD’s risk appetite or tolerance;
- there is sufficient management information and reporting of key performance indicators, provided by the outsourced third party, or the sub-outsourcing third party that enables the CSD to oversee and monitor the outsourced services; and
- sub-outsourced third parties undertake to:
- comply with all applicable laws, regulatory requirements, and contractual obligations; and
- grant the CSD, and the Bank equivalent contractual access, audit, and information rights to those granted to the third party.
9.6 CSDs should ensure that the third party has the ability and capacity on an ongoing basis to appropriately oversee any critical sub-outsourcing in line with the CSD’s relevant policy or policies. This includes establishing that the third party has in place robust testing, monitoring, and control over its sub-outsourcing.
9.7 If the proposed sub-outsourcing could have significant adverse effects on an outsourcing arrangement to a critical third party or would lead to a substantive increase of risk, the CSD should exercise its right to object to the sub-outsourcing and/or terminate the contract.
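The visibility and approval conditions in 9.3 to 9.7 can be checked mechanically against a CSD's own register of third parties. The following is an added illustration, not code from the Supervisory Statement or from any CSD: it walks a constructed sub-outsourcing chain from the direct third party downwards and flags the situations the chapter names (a sub-outsourced party the CSD has no record of, one the CSD has not approved, one without equivalent access, audit and information rights, a chain that is deeper or spread across more jurisdictions than the CSD's assumed tolerance). The provider names, jurisdictions, the `max_depth` and `max_jurisdictions` thresholds, and the `Provider` and `Finding` types are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Provider:
    """One entry in the CSD's (hypothetical) third party register."""
    name: str
    jurisdiction: str
    approved_by_csd: bool           # CSD gave prior approval to this sub-outsourcing (9.5, 9.9)
    equivalent_audit_rights: bool   # access, audit and information rights equivalent to the direct third party's (9.5)
    sub_outsources_to: List[str] = field(default_factory=list)

@dataclass
class Finding:
    provider: str
    depth: int      # 0 = direct third party, 1 = its sub-outsourced party, and so on
    issue: str

def assess_chain(inventory: Dict[str, Provider], direct_provider: str,
                 max_depth: int = 2, max_jurisdictions: int = 2) -> List[Finding]:
    """Walk the chain below `direct_provider` and return the risk findings a CSD
    would need to resolve before agreeing to (or continuing) the sub-outsourcing."""
    findings: List[Finding] = []
    visited: Set[str] = set()
    jurisdictions: Set[str] = set()

    def visit(name: str, depth: int) -> None:
        if name in visited:          # a provider may appear under several branches; assess it once
            return
        visited.add(name)
        provider = inventory.get(name)
        if provider is None:
            # The register references a party it holds no record of: a visibility gap (9.3).
            findings.append(Finding(name, depth, "not in register: no visibility of this dependency"))
            return
        jurisdictions.add(provider.jurisdiction)
        if depth > 0:                # the approval and rights conditions apply to sub-outsourced parties
            if not provider.approved_by_csd:
                findings.append(Finding(name, depth, "sub-outsourcing not approved by the CSD"))
            if not provider.equivalent_audit_rights:
                findings.append(Finding(name, depth, "no equivalent access, audit and information rights"))
        if depth > max_depth:
            findings.append(Finding(name, depth, f"chain depth {depth} exceeds limit {max_depth}"))
        for child in provider.sub_outsources_to:
            visit(child, depth + 1)

    visit(direct_provider, 0)
    if len(jurisdictions) > max_jurisdictions:
        findings.append(Finding(direct_provider, 0,
                                f"chain spans {len(jurisdictions)} jurisdictions, limit {max_jurisdictions}"))
    return findings

# Constructed sample register (all names and jurisdictions are invented for the example).
SAMPLE_REGISTER: Dict[str, Provider] = {
    "Provider-A": Provider("Provider-A", "UK", True, True, ["Sub-B", "Sub-C"]),
    "Sub-B":      Provider("Sub-B", "UK", True, True, ["Sub-D"]),
    "Sub-C":      Provider("Sub-C", "US", False, True),          # taken on without CSD approval
    "Sub-D":      Provider("Sub-D", "SG", True, False, ["Sub-E"]),  # approved, but rights not flowed down
    # "Sub-E" is referenced by Sub-D but has no entry: the CSD cannot see that dependency.
}

if __name__ == "__main__":
    for f in assess_chain(SAMPLE_REGISTER, "Provider-A"):
        print(f"depth {f.depth}  {f.provider:<11} {f.issue}")
```

Each finding maps to one of the chapter's conditions, so the output doubles as the list of points to raise with the direct third party before the CSD exercises the approval, objection or termination rights described in 9.5 to 9.7. Tightening `max_depth` shows how a longer chain turns an otherwise acceptable party into a finding.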
9.8 There may be situations where the same third party has a direct contractual relationship with a CSD, and is also a sub-outsourced third party to that CSD. An example might be a CSD that has a direct agreement with a CSP which also provides services to one or more software vendors used by the CSD. In those situations, where appropriate, CSDs may leverage their direct contractual relationship with that third party to assess its resilience in respect of all the services it relies on that provider for, including as a critical sub-outsourced party.
9.9 In line with Chapter 6 on outsourcing agreements, the Bank expects written agreements for outsourcing to critical third parties to indicate whether or not sub-outsourcing is permitted, and if so:
- define the criticality of services and specify any activities that cannot be sub-outsourced;
- establish the conditions to be complied with in the case of permissible sub-outsourcing, including specifying that the third party is obliged to oversee those services that it has sub-contracted to ensure that all contractual obligations between the third party and the CSD are continuously met;
- require the third party to:
- obtain prior specific or general written authorisation from the CSD before transferring data (see Article 28 UK GDPR); and
- inform the CSD of any planned sub-outsourcing or material changes, in particular where that might affect the ability of the third party to meet its responsibilities under the outsourcing agreement. This includes planned significant changes to sub-contractors and to the notification period. CSDs should be informed sufficiently early to allow them to at least carry out a risk assessment of the proposed changes and object to them before they come into effect; and
- ensure that, where appropriate, CSDs have:
- the right to explicitly approve or object to the intended sub-outsourcing or significant changes thereto; and
- the contractual right to terminate the agreement in the case of specific circumstances (eg where the sub-outsourcing materially increases the risks for the CSD, or where the third party sub-outsources without notifying the CSD).
9.10 Below are some non-exhaustive examples of situations where a CSD may consider exercising its contractual right to terminate the outsourcing agreement:
- without notifying the CSD, the outsourced third party changed its list of sub-outsourced providers to include a firm that had a significant history of data breaches and operational outages;
- a sub-outsourced provider has failed to grant the CSD, and/or the Bank, equivalent access, audit, and information rights;
- a significant incident at a sub-outsourced provider caused extensive and unmanageable operational disruption to a CSD, so that it could no longer stay within its impact tolerances for important business services;
- a sub-outsourced provider repeatedly causes the outsourced provider to fail to meet KPIs and service expectations that have been agreed with the CSD;
- a sub-outsourced provider enters into insolvency proceedings or other legal proceedings that may materially impact the delivery of its services; and
- actions taken following an incident fail to deliver appropriate remediation.
10: Business continuity and exit plans
10.1 The Bank’s primary focus when it comes to business continuity plans and exit strategies is on the ability of CSDs to deliver important business services provided or supported by third parties in line with their impact tolerances in the event of extreme but plausible disruption. This is in line with UK CSDR RTS 2017/392 Article 76.
10.2 The expectations in this chapter apply to critical outsourcing arrangements. Where a CSD deems a non-outsourcing third party arrangement as critical, it should implement appropriate and proportionate business continuity policies and procedures, and devote sufficient resources to ensure that its important business services are available, reliable and resilient.
10.3 For each critical outsourcing arrangement, the Bank expects CSDs to develop, maintain, and test their business continuity plans; and amongst different scenarios, consider the following:
- a documented exit strategy, which should cover and differentiate between situations where a CSD exits an outsourcing agreement:
- in a stressed scenario, (eg following the failure or insolvency of the third party (stressed exit)); and
- through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).
10.4 The Bank recognises that in an intragroup outsourcing context, CSDs’ business continuity planning and exit options might be more limited than in other scenarios. In this context, the Bank expects CSDs to take reasonable steps to try and identify options, however limited, to maintain their operational resilience.
10.5 Notwithstanding the importance of effectively planning for non-stressed exits, the main focus of this chapter is on business continuity and stressed exits.
10.6 CSDs should implement appropriate business continuity plans for all critical outsourcing arrangements to anticipate, withstand, respond to, and recover from extreme but plausible operational disruption. This is in line with UK CSDR RTS 2017/392 Article 78 and PFMI Paragraph 3.17.14, where the objectives of an FMI business continuity plan should include the system’s recovery time and recovery point. A CSD’s business continuity plan should ensure that it is able to resume operations within two hours following disruptive events, and the plan should be designed to enable the CSD to complete settlement by the end of day even in the case of extreme circumstances.
10.7 An important objective of the access, audit, and information rights in Chapter 8 is to enable CSDs and the Bank to assess the effectiveness of third parties’ business continuity plans. In particular, they should be able to assess the extent to which in the event of an extreme but plausible disruption scenario affecting the delivery of important business services for which a CSD relies (wholly or in part) on the third party, such services can be recovered within the set impact tolerance. Where the IT services are outsourced, CSDs should further assess if the business continuity plan includes recovery time, and recovery point objectives, and plans to resume operations within two hours following disruptive events, and in the case of extreme circumstances, to complete settlement by the end of day.
10.8 For critical cloud outsourcing arrangements, the Bank expects CSDs to assess the resilience requirements, including recovery time and recovery point objectives, of the service and data that are being outsourced and, with a risk-based approach, decide on one or more available cloud resiliency options. These may include:
- multiple data centres spread across geographical regions;
- multiple active data centres in different availability zones within the same region, which allows the third party to re-route services if a data centre goes down;
- a hybrid cloud (ie a combination of on-premise and public cloud data centres);
- multiple or back-up vendors;
- retaining the ability to bring data or applications back on-premise; and/or
- any other viable approach that can achieve and promote an appropriate level of resiliency.
10.9 There is no hierarchy or one size fits all combination of cloud resiliency options. The optimal option or combination of options will depend on various factors, including but not limited to:
- size and internal organisation and the nature, scope, and complexity of the CSD activities (proportionality);
- potential impact of the outsourcing arrangement on the provision of important business services by the CSD (criticality); and
- the relative cost and benefits of different options, taking into account the risks that failure or prolonged operational disruption may pose to UK financial stability.
10.10 If a CSD wants to outsource its core services to the cloud, or any part of the process, technology, facilities, and information required to deliver its important business service, the Bank may expect it to adopt one or more of the most resilient options available to maximise the chances of maintaining its resilience in the event of a serious outage. Conversely, if a CSD wishes to outsource a business service that is classified as ‘not-important’, it may adopt a less resilient but nonetheless robust option or combination of options by adopting a proportionate and risk-based approach.
10.11 The Bank expects CSDs to consider the implications of deliberately destructive cyber attacks when establishing or reviewing data recovery capabilities, either individually or collaboratively with third parties.
10.12 In line with PFMI Paragraph 3.17.16, in the event of a disruption or emergency (including at a third party), CSDs should ensure that they have effective crisis communication measures in place. This is so all relevant internal and external stakeholders, including the Bank, PRA, FCA, other international regulators, and, if relevant, the third parties themselves, are informed in a timely and appropriate manner.
Stressed exit scenario
10.13 CSDs’ exit plans should cover stressed exits and be appropriately documented and tested as far as possible. This is in line with UK CSDR RTS Article 79.
10.14 A key objective of the stressed exit part of exit plans is to provide a last resort risk mitigation strategy in the event of disruption that cannot be managed through other business continuity measures, including those mentioned in the previous section (eg the insolvency or liquidation of a third party).
10.15 The Bank does not prescribe or have a preferred form of exit in stressed scenarios. Its focus is on the outcome of the exit that supports financial stability (ie the continued provision by the CSD of important business services provided or supported by third parties), rather than the method by which it is achieved.
10.16 The Bank does, however, expect CSDs to identify viable forms of exit in a stressed exit scenario, and give meaningful consideration to those that best safeguard their operational resilience, which may include but not be limited to:
- bringing the data, function, or service back in-house/on-premise;
- transferring the data, function, or service to an alternative or back-up third party; or
- any other viable methods.
10.17 The Bank expects CSDs to consider the available tools that could help facilitate an orderly stressed exit from a critical outsourcing arrangement. Such tools are constantly evolving, in particular in technology outsourcing, including cloud, and may include, but are not limited to:
- new potential third parties;
- technology solutions and tools to facilitate the switching and portability of data and applications; and
- industry codes and standards.
10.18 CSDs should also actively consider temporary measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit, even if these are not suitable long-term solutions (eg contractual or escrow arrangements), allowing for continued use of a service or technology for a transitional period following termination.
Governance of business continuity and exit plans
10.19 CSDs should begin to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase once they have determined that a planned outsourcing arrangement is classified as critical. Doing so will enable them to:
- use the due diligence process to identify potential alternative or back-up third parties;
- estimate the cost, resourcing, and timing implications of the proposed business continuity or exit plan in both stressed and non-stressed scenarios as part of the risk assessment;
- identify data they may need to access, recover, or transfer as a priority in a disruption or stressed exit;
- define the KPIs and key risk indicators which, if breached, may trigger an exit (both stressed and non-stressed); and
- assess the operational risk of the business continuity and exit plans to ensure that the plans do not introduce significant incremental risks and that the overall operational risk remains within existing board approved risk appetite.
10.20 CSDs should evaluate what would be involved in delivering an effective stressed exit and use this to formulate plans for such an exit, assisting them in identifying any assets and skills required. As soon as practically possible, CSDs should seek to test the stressed exit plans to ensure they are functional and meet expectations around service continuity, impact tolerances and costs etc.
10.21 Once an outsourcing arrangement has been implemented, CSDs should test their business continuity and exit plans using a risk-based approach. Where possible and relevant, this testing should align to, support, or even be a component of CSD’s scenario testing in meeting UK regulatory operational resilience policy expectations. For instance, the extreme but plausible scenarios that a CSD may select for testing could involve: a failure or disruption at a third party or their supply chain, or a cyber attack at the third party, resulting in breaches of confidential data. CSDs should have due regard to previous incidents or near misses within the organisation, across the financial sector and in other sectors and jurisdictions, as well as business and system disruption scenarios developed for the management of tail risks or capital setting, where applicable.
10.22 For CSDs that are subject to the CBEST framework, the CBEST implementation guide notes that ‘Malicious Insider and Supply Chain Scenarios are a feature of the threat landscape for many firms. These scenarios should always be analysed and discussed during CBEST’. Where required, CSDs ‘should plan in advance the involvement of staff and third parties to increase the reality of assessment’.
10.23 Consistent with PFMI Paragraph 3.17.17 and UK CSDR RTS 2017/392 Article 80, CSDs should update their business continuity and exit plans with lessons learned from these tests, including with new risks and threats identified and changed recovery objectives and priorities (if any).
10.24 CSDs should assign clear roles and responsibilities for business continuity and exit plans. Subject to proportionality, they may establish cross-disciplinary teams to develop, document, test, and execute their business continuity and exit plans, especially in stressed scenarios (which should include communicating with the Bank and other relevant stakeholders in the event of disruption). These teams should include relevant business lines, control functions, technical experts (eg IT specialists), and be chaired by a member of the executive of the CSD. CSDs should also allocate responsibility for signing off business continuity and exit plans, including updates thereafter, and the decision to activate them.
10.25 When developing business continuity and exit plans, CSDs should define the objectives of the plan, including what would constitute successful business continuity or a successful exit in both stressed and non-stressed scenarios, by reference to measurable criteria such as costs, functionality, time, and the CSD’s impact tolerances for important business services. Where relevant, business continuity plans should have due regard to the recovery time objectives set out by PFMI Paragraph 3.17.14.
10.26 CSDs should take reasonable steps to test exit plans; in particular, those relating to stressed exits. The extent and nature of testing will vary depending on the type of outsourcing arrangement and corresponding exit plan. For instance, a CSD running a hybrid cloud structure may take into account the potential back-up functions located in its private cloud elements. Likewise, a CSD that keeps backup copies of data which it has outsourced to the cloud may focus its testing on assessing the ongoing consistency of both sets of data and reconciling them as appropriate. CSDs should also assess and take reasonable steps to manage any operational risks that may be caused or increased by the actual testing (eg data theft).
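Two of the tests described above lend themselves to a repeatable check: the reconciliation of a backup copy against the data outsourced to the cloud (10.26), and the measurement of a recovery exercise against the recovery point and recovery time objectives and the end-of-day settlement expectation (10.6 and 10.7). The following is an added example and is not code from the Supervisory Statement or from any CSD. It compares two constructed record sets field by field through a canonical hash, reports records that are missing, orphaned or drifted, and then evaluates constructed timestamps from a recovery exercise against an assumed one-hour RPO, the two-hour RTO stated in 10.6, and an assumed settlement cutoff. The record contents, ISINs, timestamps and the RPO value are all invented for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample: the cloud-held (primary) copy and the CSD's on-premises backup of
# settlement instructions. Every value below is invented for this example.
PRIMARY: List[Dict] = [
    {"id": "SI-1001", "isin": "GB0000000001", "qty": 500, "status": "SETTLED"},
    {"id": "SI-1002", "isin": "GB0000000002", "qty": 250, "status": "PENDING"},
    {"id": "SI-1003", "isin": "GB0000000003", "qty": 75,  "status": "SETTLED"},
]
BACKUP: List[Dict] = [
    {"id": "SI-1001", "isin": "GB0000000001", "qty": 500, "status": "SETTLED"},
    {"id": "SI-1002", "isin": "GB0000000002", "qty": 250, "status": "SETTLED"},  # drifted field
    {"id": "SI-1004", "isin": "GB0000000004", "qty": 10,  "status": "PENDING"},  # not in primary
]

def record_digest(record: Dict) -> str:
    """Hash a record in canonical JSON form so that field order cannot mask or fake a difference."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()

def reconcile(primary: List[Dict], backup: List[Dict]) -> Dict[str, object]:
    """Compare the two copies by record id and content hash."""
    p = {r["id"]: record_digest(r) for r in primary}
    b = {r["id"]: record_digest(r) for r in backup}
    missing_in_backup = sorted(p.keys() - b.keys())     # the backup could not restore these
    only_in_backup = sorted(b.keys() - p.keys())        # stale or orphaned records in the backup
    mismatched = sorted(k for k in p.keys() & b.keys() if p[k] != b[k])
    return {
        "missing_in_backup": missing_in_backup,
        "only_in_backup": only_in_backup,
        "mismatched": mismatched,
        "consistent": not (missing_in_backup or only_in_backup or mismatched),
    }

def check_recovery_objectives(last_backup_at: datetime, disruption_at: datetime,
                              restored_at: datetime, settlement_cutoff: datetime,
                              rpo: timedelta = timedelta(hours=1),      # assumed RPO for the example
                              rto: timedelta = timedelta(hours=2)       # two-hour resumption (10.6)
                              ) -> Dict[str, object]:
    """Evaluate one recovery exercise against the plan's objectives."""
    data_loss_window = disruption_at - last_backup_at   # data written after the last backup is at risk
    recovery_time = restored_at - disruption_at
    return {
        "data_loss_window_minutes": int(data_loss_window.total_seconds() // 60),
        "recovery_time_minutes": int(recovery_time.total_seconds() // 60),
        "rpo_met": data_loss_window <= rpo,
        "rto_met": recovery_time <= rto,
        "settlement_by_end_of_day": restored_at <= settlement_cutoff,
    }

# Constructed timestamps for a recovery exercise.
UTC = timezone.utc
EXERCISE = dict(
    last_backup_at=datetime(2024, 3, 4, 8, 0, tzinfo=UTC),
    disruption_at=datetime(2024, 3, 4, 9, 30, tzinfo=UTC),
    restored_at=datetime(2024, 3, 4, 11, 0, tzinfo=UTC),
    settlement_cutoff=datetime(2024, 3, 4, 17, 0, tzinfo=UTC),
)

if __name__ == "__main__":
    print(json.dumps(reconcile(PRIMARY, BACKUP), indent=2))
    print(json.dumps(check_recovery_objectives(**EXERCISE), indent=2))
```

Run periodically, the reconciliation result is the evidence for the ongoing consistency of the two data sets that 10.26 refers to, and a non-empty `missing_in_backup` list is the case that matters most for a stressed exit, because those are the records the on-premises copy could not restore. The objective check separates a recovery that is fast enough (RTO met) from one that still lost more data than planned (RPO missed), which a single pass/fail would hide.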
10.27 Business continuity and exit plans should be reviewed, updated and tested periodically to ensure such plans are kept up to date and take into account triggers or developments that may change the feasibility of the business continuity measures or an exit. These triggers or developments may include those in the following non-exhaustive list:
- the emergence of threats, or the identification of vulnerabilities;
- an increase in the number of availability zones or regions offered by a current third party;
- changes to the CSD’s business requirements;
- the emergence of new, potentially viable alternative providers; and/or
- developments in technology or other tools to facilitate the porting of data and applications (eg among cloud providers or between CSDs’ on-premises environments and the cloud).
The Bank, Prudential Regulation Authority (PRA) and Financial Conduct Authority’s (FCA’s) forthcoming joint Discussion Paper on Critical Third Parties would consider those third parties that may be a source of systemic risk to the financial stability of the UK. While we also refer to critical third parties in this SS, this definition should be understood to refer to how financial market infrastructures (FMIs) classify their own third party and outsourcing arrangements as opposed to third parties that could be designated as ‘critical’ under any future regulatory framework.