Published on 29 March 2021
Outsourcing and third party risk management – PS7/21
This Prudential Regulation Authority (PRA) Policy Statement (PS) provides feedback on responses to Consultation Paper (CP) 30/19 ‘Outsourcing and third party risk management’. It also contains the PRA’s final Supervisory Statement (SS) 2/21 ‘Outsourcing and third party risk management’ (Appendix 1).
This PS is relevant to:
- banks, building societies, and PRA-designated investment firms (banks);
- insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents (insurers); and
- branches of overseas banks and insurers (third-country branches).
Some of the contents of SS2/21 are relevant to credit unions and non-directive firms: the PRA rules, statutory powers, and requirements.
Summary of responses
The PRA received 37 responses from a range of stakeholders, from PRA-regulated firms to third party service providers. There was general support for the proposals. Respondents welcomed the PRA’s efforts to clarify and modernise regulatory expectations in an area where regulation had not kept pace with technological change. Firms also appreciated that the proposals complemented the PRA’s policy proposals on operational resilience, given the many synergies between the two areas. Respondents noted that the proposed operational resilience framework provided a helpful lens for firms to assess how they should monitor their outsourcing and third party arrangements and establish end-to-end resilience for their important business services. Overall, responses focussed on specific areas rather than calling for a wholesale revision of the overall policy. Details on these are set out in the associated sections of the Policy Statement.
Firms will be expected to comply with the expectations in the SS by Thursday 31 March 2022. This is in line with the timing of the PRA’s requirements and expectations on operational resilience as set out in PS6/21 ‘Operational resilience: Impact tolerances for important business services’, which has been published simultaneously with this PS.
Outsourcing arrangements entered into on or after Wednesday 31 March 2021 should meet the expectations in the SS by Thursday 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before Wednesday 31 March 2021 at the first appropriate contractual renewal or revision point to meet the expectations in the SS as soon as possible on or after Thursday 31 March 2022.
The proposals set out in this PS have been designed in the context of the UK having left the European Union and the transition period having come to an end. Unless otherwise stated, any references to EU or EU derived legislation refer to the version of that legislation which forms part of retained EU law. The PRA will keep the policy under review to assess whether any changes would be required due to changes in the UK regulatory framework.
Published on 5 December 2019
Outsourcing and third party risk management – CP30/19
Update 20 March 2020: The deadline for responses will, in line with the FCA, be extended to 1 October 2020. For more information on this please see our statement ‘Bank of England announces supervisory and prudential policy measures to address the challenges of Covid-19’.
In this consultation paper (CP), the Prudential Regulation Authority (PRA) sets out and invites comments on its proposals for modernising the regulatory framework on outsourcing and third-party risk management. These proposals are set out in the draft Supervisory Statement (SS) on ‘Outsourcing and third-party risk management’ in the Appendix to this CP (draft SS) and pursue the following objectives:
- complement the policy proposals on operational resilience in CP29/19 ‘Operational resilience: impact tolerances for important business services’, published simultaneously with this CP;
- facilitate greater resilience and adoption of the cloud and other new technologies, as set out in the Bank of England’s (the Bank’s) response to the ‘Future of Finance’ report;
- implement the European Banking Authority (EBA) ‘Guidelines on Outsourcing Arrangements’ (EBA Outsourcing Guidelines). The draft SS clarifies how the PRA expects banks to approach the EBA Outsourcing Guidelines in the context of its requirements and expectations. In addition, certain chapters in the draft SS elaborate on the expectations in the EBA Outsourcing Guidelines, for instance chapters 7 (Data Security) and 10 (Business Continuity and exit plans); and
- take into account the:
  - draft European Insurance and Occupational Pensions Authority (EIOPA) ‘Guidelines on Outsourcing to Cloud Service Providers’ (EIOPA Cloud Guidelines); and
  - EBA Guidelines on ICT and security risk management (EBA ICT Guidelines).
This CP is relevant to all UK banks, building societies and PRA-designated investment firms, insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents, and branches of overseas banks and insurers.
Some of the proposals in this CP are relevant to credit unions and non-directive firms (NDFs), namely those in: paragraph 2.3 of this CP; the PRA rules, statutory powers and requirements referenced in tables 2, 5 and 6; and paragraphs 5.11-5.12. In line with the principle of proportionality, the PRA proposes not to apply the remaining sections of the draft SS to credit unions and NDFs.
Responses and next steps
This consultation closes on Friday 3 April 2020. The PRA invites feedback on the proposals set out in this consultation. Please address any comments or enquiries to CP30_19@bankofengland.co.uk.
The PRA proposes to publish its final policy on the proposals in this CP in the second half of 2020 (in line with the final policy on operational resilience), with implementation of most of the proposals shortly after.
Certain proposals in this CP, which derive from the EBA Outsourcing Guidelines or (if adopted in their current form) the draft EIOPA Cloud Guidelines, would be subject to longer implementation periods. In particular, those relating to:
- the register of outsourcing arrangements (‘Outsourcing Register’); and
- the revision by:
  - banks of outsourcing arrangements entered into before 30 September 2019; and
  - insurers of cloud outsourcing arrangements entered into before 1 July 2020 (‘Legacy Outsourcing Arrangements’) to bring them into compliance with the EBA Outsourcing Guidelines and EIOPA Cloud Guidelines respectively.