Banks and insurers should develop a single control framework for managing third-party risk, regardless of whether the risks arise in the context of outsourcing arrangements or not. This reflects the evolving approach of UK financial regulators.
Both the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) aim to ensure that holistic risk controls are applied to all third-party arrangements entered into by financial entities and have made it clear that they expect financial entities to effectively manage risks arising from both outsourcing and non-outsourcing arrangements – both intra-group and those put in place with external suppliers – as part of obligations around operational resilience and broader risk management.
The PRA has set out in its supervisory statement on outsourcing and third party risk (SS2/21) its expectations for the risk controls that are to be implemented for non-outsourcing arrangements. At the most basic level, it expects:
It has also been clear in subsequent communications that it will not look favourably on technical arguments around “outsourcing or not” – what matters is the actual risk in practice.
Specifically, for all ‘material’ and ‘high risk’ non-outsourcing third party arrangements, the PRA expects financial entities to put “proportionate, risk-based, suitable” controls in place. These controls need to be “as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality or risk”.
The controls across outsourcing and non-outsourcing supply arrangements do not have to be the same and deviations in their scope and nature will vary. Rather than focusing on the outsourcing status of the arrangement, good practice is evolving to apply the controls by reference to the risk that the arrangement represents, with some flexibility to apply different, non-standard controls where justified by the risk assessment. Deviations from the control standard will likely depend in large part on the differences in the subject matter and risk profiles of the specific third-party services to be provided. For example, on-site audit rights may not be appropriate for non-outsourcing supply arrangements such as for financial market infrastructure or pricing data feeds.
We have set out below what control frameworks would apply to different types of supply arrangements that the PRA is concerned with:
Category | Type | Typical supply example | Application |
---|---|---|---|
Material (critical and important) | Outsourcing | Contact centre outsource | PRA SS2/21 applies in its entirety |
Material (critical and important) | Third party arrangements (Non-outsourcing) | Critical software supply; Clearing and settlement services | Proportionate, risk-based, suitable controls – these may be the same controls as for outsourcings of equivalent risk |
Non-material | Outsourcing | HR function outsource | PRA SS2/21 as relevant to the supply arrangement and applied proportionately |
Non-material | Third party arrangements (Non-outsourcing) | IT project services | PRA Fundamental Rules 2, 3, 5, 6 and 7, with others potentially applying on a proportionate basis |
An increasing ‘good practice’ is to operate a single, common materiality and risk-orientated control framework for all third-party arrangements – both outsourcing and non-outsourcing.
A single framework is not mandatory but it will drive consistency where required. It will also mitigate the risk of failing to implement suitable controls solely on the basis that an arrangement has not been classified as outsourcing – which we have often seen in the past. The regulators will not excuse a lack of appropriate controls on the basis that the contract was considered non-outsourcing and therefore outside the usual processes for mitigating outsourcing risk. Increasingly the regulators are asking for details on all “critical and important” supplies.
Risk categorisation decisions would certainly be influenced by whether an arrangement is an outsourcing. However, wider factors are relevant too. These will include whether the arrangement relates to important business services to which operational resilience obligations apply, as well as financial risk, data risk, compliance risk, and such like.
A single framework will reduce administrative burdens and potentially unexpected regulatory compliance gaps. It could include a single approach for conducting assessments of materiality and risk for contract classification purposes and the development of consistent regulatory compliance checklists, contractual provisions and processes for notifying the regulators of new and revised contracts.
The financial entity could also develop templates for material services and for non-material services and ignore whether the arrangement is an outsourcing or not.
Financial entities can use contract playbooks and guidelines to clarify that there is some opportunity for flexibility from a regulatory perspective for non-outsourcing arrangements. These tools could identify where there may be scope to agree deviations from the requirements that apply to outsourcings, depending on the subject matter and risk profile of the arrangement.
Financial entities could meet some resistance from suppliers in seeking to map SS2/21 controls to non-outsourcing arrangements, on the basis that the requirements are not as fixed as for outsourcing arrangements. However, it will be important for financial entities to make clear that it is for them, as the regulated entities, to answer to regulators and confirm that they have third-party contracts which appropriately address the risks. This does not mean that suppliers cannot meaningfully engage and help to shape controls for particular services, but it is ultimately the financial entities that need to be satisfied of the sufficiency of those controls.
Thought can also be given to how the SS2/21 requirements can be applied to outsourcing and non-outsourcing arrangements with similar materiality and risk.
Managing risk in non-outsourcing third-party supply arrangements requires financial entities to look beyond just SS2/21.
A summary of the rules that banks and insurers may need to refer to and comply with is set out below: the first table for banks, the second for insurers.
Ruleset | In-scope outsourcing | In-scope non-outsourcing |
---|---|---|
PRA SS1/21, and equivalent FCA rules (including SYSC15A), on operational resilience | Yes (in the context of ‘important business services’) | Yes (in the context of ‘important business services’) |
PRA SS4/21 on operational continuity in resolution (OCIR), which will apply from 1 January 2023 | Yes (in the context of OCIR ‘critical services’) | Yes (in the context of OCIR ‘critical services’) |
PRA Fundamental Rules and FCA Principles | Yes | Yes |
Outsourcing Part of the PRA Rulebook | Yes | No |
EBA Guidelines on Outsourcing Arrangements | Yes | No |
EBA Guidelines on ICT and security risk management | Yes | Yes |
MiFID II and delegated regulations | Yes | No |
UK GDPR / GDPR | Yes (in the context of UK / EU personal data) | Yes (in the context of UK / EU personal data) |
Ruleset | In-scope outsourcing | In-scope non-outsourcing |
---|---|---|
PRA SS1/21, and equivalent FCA rules (including SYSC15A), on operational resilience | Yes (in the context of ‘important business services’) | Yes (in the context of ‘important business services’) |
PRA Fundamental Rules and FCA Principles | Yes | Yes |
Outsourcing Part of the PRA Rulebook | Yes | No |
Solvency II and delegated regulations | Yes | No |
SYSC 13 | Yes | No |
UK GDPR / GDPR | Yes (in the context of UK / EU personal data) | Yes (in the context of UK / EU personal data) |
The application of risk controls as described in PRA SS2/21 and these broader rulesets to material or higher risk non-outsourcing arrangements reflects good practice in the financial services sector and is not new. In the past the risk controls have been applied inconsistently in non-outsourcing arrangements. From now, financial institutions can expect regulators to focus on materiality and risk, not outsourcing or non-outsourcing.
Out-Law Analysis
01 Jun 2022