Update 20 March 2020: The deadline for responses will, in line with the FCA, be extended to 1 October 2020. For more information on this please see our statement ‘Bank of England announces supervisory and prudential policy measures to address the challenges of Covid-19’.
In this consultation paper (CP), the Prudential Regulation Authority (PRA) sets out and invites comments on its proposals for modernising the regulatory framework on outsourcing and third-party risk management. These proposals are set out in the draft Supervisory Statement (SS) on ‘Outsourcing and third-party risk management’ in the Appendix to this CP (draft SS) and pursue the following objectives:
- complement the policy proposals on operational resilience in CP29/19 ‘Operational resilience: impact tolerances for important business services’, published simultaneously with this CP.
- ‘facilitate greater resilience and adoption of the cloud and other new technologies’, as set out in the Bank of England’s (the Bank’s) response to the ‘Future of Finance’ report.
- implement the European Banking Authority (EBA) ‘Guidelines on Outsourcing Arrangements’ (EBA Outsourcing Guidelines). The draft SS clarifies how the PRA expects banks to approach the EBA Outsourcing Guidelines in the context of its requirements and expectations. In addition, certain chapters in the draft SS elaborate on the expectations in the EBA Outsourcing Guidelines, for instance chapters 7 (Data Security) and 10 (Business Continuity and exit plans).
- take into account the:
- draft European Insurance and Occupational Pensions Authority (EIOPA) ‘Guidelines on Outsourcing to Cloud Service Providers’ (EIOPA Cloud Guidelines); and
- EBA Guidelines on ICT and security risk management (EBA ICT Guidelines).
This CP is relevant to all UK banks, building societies and PRA-designated investment firms, insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents, and branches of overseas banks and insurers.
Some of the proposals in this CP are relevant to credit unions and non-directive firms (NDFs) namely those in: paragraph 2.3 of this CP; the PRA rules, statutory powers and requirements referenced in tables 2, 5 and 6; and paragraphs 5.11-5.12. In line with the principle of proportionality, the PRA proposes not to apply the remaining sections of the draft SS to credit unions and NDFs.
Responses and next steps
This consultation closes on Friday 3 April 2020. The PRA invites feedback on the proposals set out in this consultation. Please address any comments or enquiries to CP30_19@bankofengland.co.uk.
The PRA proposes to publish its final policy on the proposals in this CP in the second half of 2020 (in line with the final policy on Operational Resilience), with implementation of most of the proposals shortly after.
Certain proposals in this CP, which derive from the EBA Outsourcing Guidelines or (if adopted in their current form) the draft EIOPA Cloud Guidelines, would be subject to longer implementation periods, in particular those relating to:
- the register of outsourcing arrangements (‘Outsourcing Register’); and
- the revision by:
- banks of outsourcing arrangements entered into before 30 September 2019; and
- insurers of cloud outsourcing arrangements entered into before 1 July 2020 (together, ‘Legacy Outsourcing Arrangements’), to bring them into compliance with the EBA Outsourcing Guidelines and the EIOPA Cloud Guidelines respectively.