Out-Law Analysis 5 min. read
01 Jun 2022, 9:50 am
The expectations of UK financial services regulators over how financial entities manage third-party risk focus more on the materiality of the risk than on whether the third-party arrangements constitute an outsourcing or not.
This represents a change of approach that requires financial institutions to consider the control frameworks they apply.
There are specific regulatory requirements for outsourcing. Though these do not apply in full to material non-outsourcing contracts, there is an expectation that those contracts include protections as robust as those set out in contracts for material outsourcing.
There are a number of ways that financial institutions can apply some flexibility in how they implement third party risk regulatory requirements within material non-outsourcing contracts.
Regulatory rulesets often set out broad due diligence requirements. In an outsourcing context, to comply, financial institutions should obtain sufficient information to assess the potential supplier’s business model, financial situation, ownership structure, expertise and reputation. They should also assess its capacity to deliver the services and financial, human and technology resources, and further consider the supplier’s ICT, risk and security controls, where relevant to the services to be provided.
The due diligence should also be comprehensive enough to determine whether any sub-outsourcing arrangements that the supplier has, or may enter into, could have an adverse impact on the financial institution’s important business services.
In the material non-outsourcing context, the Prudential Regulation Authority (PRA) in particular will expect financial institutions to take the same approach. However, in this context, financial institutions may adjust their pre-contracting processes where appropriate – that is, where aspects of the process would be unsuitable due to the nature of the services which the third-party will provide.
For example, if the third-party will not process critical data, regulatory references to obtaining 'data dictionaries' through due diligence may not be appropriate. On the other hand, where there are market expectations that the type of service provided should meet a recognised industry standard, failure to obtain confirmation of the supplier’s record in meeting that standard may be deemed a failure to meet regulatory due diligence requirements.
Regulatory rulesets tend not to dictate the form that service levels are to take in material outsourcing contracts. Typically, though, they set out some broad guiding principles.
One principle requires financial institutions to include performance criteria that are both “qualitative” and “quantitative” within their material outsourcing agreements. Another requires service level regimes to allow for “timely monitoring” and enable “corrective action” to be taken where service levels are not met.
There is largely an equivalent expectation for service levels to be set out in all material non-outsourcing contracts. In particular, where the services enable or form part of the delivery of an important business service, they will need to include performance criteria that are effective to support impact tolerance measures required by the operational resilience frameworks of the Financial Conduct Authority (FCA) and the PRA.
It is also not common for regulatory rulesets to dictate the form that corrective action should take where failures of service levels are identified. Typically, in an outsourcing context, service levels may be supported by service credit regimes, rectification plan measures and, where practical, step-in rights.
In the context of material non-outsourcing contracts, the relationship will be one that either is not ongoing or recurrent or for services which the financial institution would not normally be expected to undertake itself. For these types of relationships, actions to correct service level failures may take on a very different form and focus more on relationship escalation procedures and other core governance arrangements.
The approach of financial regulators towards the transfer of data to third-parties is growing more consistent across outsourcing and non-outsourcing. Generally, financial institutions will be expected to “define, document, and understand their and the service provider’s respective responsibilities” and implement appropriate security measures regardless of whether an arrangement is classified as outsourcing.
This applies to the supplier’s processing of both personal and non-personal data. The inclusion of data security requirements in financial regulatory rulesets would largely be redundant if they were aimed only at protecting personal data, the security of which is largely covered by the GDPR and other data protection laws.
Which security measures are appropriate will be context-specific and should be assessed on a case-by-case basis. In many circumstances where critical data is processed, the assessment may require a review of the supplier’s encryption controls, including those which relate to the access of encryption keys, and confirmation of its ability to remove all data from its, and its sub-contractors’, premises on exit.
For material outsourcing contracts the baseline requirement for audit rights requires the financial institution to retain the ability to request additional, appropriate, and proportionate information if such a request is justified from a legal, regulatory, or risk management perspective. Financial institutions also need to retain the right to perform onsite audits, at their discretion.
Certifications and pooled audit arrangements may reduce the need in practice to exercise rights to conduct onsite audits. They cannot, however, be used as a basis for entering into a material outsourcing arrangement that does not include the right to conduct an onsite audit.
In the context of material non-outsourcing contracts, there is often no firm requirement regarding audits except for that provided for in the UK GDPR. GDPR requires that processors of personal data allow for and contribute to audits and inspections conducted by or on behalf of data controllers.
For material non-outsourcing contracts, we would typically expect to see audit rights applied as a matter of course to meet broader risk control expectations. However, in some contexts this may be limited to requirements to provide information reasonably requested, or be bound to a subset of relevant services.
Third-party risk regulatory frameworks often include detailed rules for sub-contracting. For material outsourcing, the PRA, for example, requires financial institutions to only agree to sub-outsourcing where the sub-outsourcer will comply with all relevant contractual obligations, and give contractual access, audit, and information rights equivalent to those granted by the supplier.
For material outsourcing arrangements, the PRA also requires that financial institutions retain the right to object to a decision to sub-outsource or terminate the agreement where a material sub-outsourcing could have a significant adverse effect or would lead to a substantive increase of risk.
In the context of material non-outsourcing contracts, more flexibility may be applied. While the underlying principles remain the same and should account for the materiality and risk level of the arrangement, the strict requirements and full flow-down of terms may not be necessary in all circumstances.
While flexibility may be applied, contracts that fail to include risk-based oversight measures to drive controls will fall short of the expectations of regulators. Supply chain risk and sub-contracting are areas that attract regulator attention and areas where heightened risk is perceived. Therefore, financial institutions are likely to consider it necessary to include controls which restrict the sub-contracting of sensitive activity and ensure compliance with data protection legal requirements.
As regulators like the PRA are focussing more on the materiality of contracts rather than their classification as outsourcing or not outsourcing, financial institutions need to implement effective contracting strategies that are consistent with this regulatory approach.
Understanding where a unified approach to implementing controls for outsourcing and non-outsourcing would be the best solution, as well as where flexibility between the two approaches may be more appropriate, is central to balancing the need to maintain effective relationships with important suppliers and other critical third-parties against the need to address regulatory risk. We expect market practice in this area to evolve as more arrangements come before the regulator.