In December last year, the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) issued a suite of related consultation papers that are relevant to buyers and providers of outsourced services.

The documents include FCA[1] and PRA[2] consultation papers on operational resilience (which in the case of the FCA consultation paper includes a chapter on outsourcing), and an additional PRA consultation paper[3] on outsourcing and risk management.  Importantly, the PRA consultation paper on outsourcing also includes the PRA’s proposals for implementation of the European Banking Authority’s guidelines on outsourcing[4].

The publication of these papers is, in large part, driven by the regulators’ view that operational resilience – a firm’s ability to prevent, respond to and recover from operational disruption – is becoming increasingly important as the financial sector becomes more dynamic, complex and reliant on technology and third party technology providers, including cloud providers.

The consultation period for all papers closes on 3^rd April 2020, with the regulators aiming to publish final documents in the second half of this year.

Consultation Papers on Operational Resilience

The regulators’ proposed approach to operational resilience is based on the assumption that firms will, at some point, suffer operational disruption that will prevent them from providing their services for a period of time.  The regulators are concerned that some firms do not plan sufficiently for this, and as a result, may be unable to manage these disruptions effectively when they occur.

The papers have three broad aims:

• Ensuring firms prioritise those activities which, if disrupted, would pose a risk to the stability of the financial sector and/or cause intolerable levels of harm to consumers or market integrity. The regulators’ view is that addressing this is likely to mean a shift away from thinking about the resilience of individual systems and resources, and a shift towards looking more holistically at the resilience of the services that are provided to end-customers (and which may be underpinned by a number of different systems and resources)
• Setting clear standards for operational resilience: in particular, setting maximum levels of disruption, including time limits, within which firms will be able to resume the delivery of important business services (so called ‘impact tolerances’). The regulators expect that each impact tolerance would be expressed as a clear metric, including a maximum tolerable duration for which delivery of the service would be affected (though the regulators note that a metric based on time alone may be insufficient and that other factors might include a maximum number of transactions and/or customers affected by the disruption).  It is possible that dual regulated firms would need two impact tolerances for each important business service because of the different policies and requirements of each supervisory authority
• Investing to build resilience: firms will be expected to take actions which will improve resilience (including potentially replacing outdated systems, achieving full fail-over capability, and addressing key personnel dependencies), and to have in place robust contingency arrangements to enable them to resume the delivery of important business services.

To achieve these aims, the regulators propose that firms should:

• map all relevant resources. This would involve firms considering the chain of activities that make up a business service, determining which parts of the chain (including any outsourced services) are critical to delivery of that service, and focussing their work on the resources needed to deliver those activities.  This mapping exercise would also allow firms to identify vulnerabilities such as limited substitutability of resources and single points of failure
• test their ability to remain within impact tolerances, and address any deficiencies as a matter of priority, and
• implement business continuity planning requirements, operational risk management requirements, and outsourcing requirements (see below).

The proposals in these operational resilience consultation papers, if implemented, would potentially have the following impacts on firms’ approach to contracting for technology and sourcing projects: 

• Greater focus on operational resilience at all phases of the contract lifecycle, including the pre-contract due diligence phase, and as part of the ongoing contract governance processes
• Greater focus on contingency planning, including back-up, business continuity and disaster recovery, and including regular testing and updating of relevant plans. Given the supervisory authorities’ assumption that firms will suffer operational disruption at some point, there is likely to be a greater emphasis than before on recovery of services, and not just prevention of disruptions
• A requirement for greater co-operation between different suppliers whose activities, systems and resources are critical to delivery of a firm’s business services, including end-to-end testing of BCDR plans and recovery and resolution in the event of a disruption
• Greater emphasis on service levels and, in particular, end-to-end service levels where possible, measured by reference to the availability of a business service, rather than the individual systems used in the delivery of those services. This will be much more challenging in a multi-sourcing environment where different suppliers are responsible for different parts of the chain
• A requirement for greater transparency over the resources used by suppliers to deliver their services, to enable firms to identify and address any vulnerabilities. This information should be documented and firms should have the right to disclose this information to its regulators if requested
• Greater focus on effective escalation and incident management processes (including escalation paths used to manage communications) in the event of a service disruption, and
• Requirements on suppliers to assist firms in meeting self-assessment requirements.

PRA Consultation paper on outsourcing and third party risk management

The PRA consultation paper on outsourcing and risk management sets out the PRA’s proposals on modernising the regulatory framework on outsourcing and third party risk management, and seeks to achieve a number of objectives, including:

• Implementing the EBA guidelines on outsourcing
• Complementing the consultation paper on operational resilience (referred to earlier in this note)
• Facilitating greater resilience and adoption of the cloud and other new technologies, as set out in the Bank of England’s response to the ‘Future of Finance’ report[5].

The paper also takes into account the draft European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on Outsourcing to Cloud Providers[6] (albeit acknowledging that these were in draft form at the time of publication of the consultation paper and could therefore change), and the EBA Guidelines on ICT and security risk management[7].

While acknowledging the benefits that outsourcing and the use of third party service providers can deliver (including, in the case of cloud services, potentially greater resilience than on-premises solutions), the paper identifies a number of associated risks and challenges.  These include:

• security and accessibility of data
• complexity of some technologies making it difficult for boards and senior management to understand and manage relevant risks
• additional risks created by ‘chain outsourcing’, where the primary service provider subcontracts to one or more sub-outsourcers
• vendor lock-in, where firms’ ability to exit outsourcing arrangements is limited due to the significant costs, disruption, resources and time required to do so
• concentration risk caused by a large number of firms being reliant on a small number of dominant service providers.

One of the key objectives of the proposals in the paper is to ‘clarify, strengthen and update the PRA’s expectations on how firms should manage outsourcing and third party risks’, including by:

• promoting consistent, structured and thorough vendor due diligence and pre-contract risk assessments
• specifying minimum contractual safeguards that material outsourcing arrangements should meet
• setting expectations on how firms protect data that they outsource
• developing, documenting and testing robust BCDR plans and exit strategies
• exploring ways in which to mitigate concentration risk, including by ‘potentially building applications able to substitute a critical supplier with another’.

Some of the key points to note from the PRA proposals are:

1. Extension of EIOPA Cloud Guidelines

Unlike the proposals in the EIOPA Cloud Guidelines, the PRA’s proposals would cover all outsourcings entered into by insurers – not just those relating to cloud.

2. Extension of outsourcing register

The PRA proposals contemplate broadening the arrangements which are to be covered in the outsourcing register beyond those envisaged by the EBA Outsourcing Guidelines.  These additional arrangements include (among others) off-the-shelf machine learning (ML) models, open source software and ML libraries developed by third parties, data sharing with third parties (including through APIs as part of Open Banking) and, in the case of insurers, the use of aggregators and delegated underwriting. 

3. Materiality assessments

Some regulatory rules and guidance on outsourcing (including  parts of the EBA Outsourcing Guidelines) apply only to ‘material’ outsourcings.  In order to address inconsistencies between firms in their materiality assessments and, to help ensure that the PRA has sufficient time to assess any material outsourcing arrangements, the paper proposes to (i) introduce common criteria which, if met, would result in an expectation that the outsourcing arrangement should be automatically deemed material, and (ii) clarify that the PRA expects firms to notify it of material outsourcings sufficiently in advance of entering into them to allow appropriate supervisory scrutiny.  These proposals, if implemented, would likely have an impact on firms’ timescales for tendering and entering into new outsourcing arrangements.

The PRA expects that materiality assessments would be carried out before contract signature and at appropriate intervals during the term to take account of any material changes.  These could include where a firm plans to scale up its use of or dependency on a service provider, or if there is an organisational change at the service provider or a material subcontractor (including change of ownership or financial position).  Firms will need to consider including their approach to materiality assessments in their outsourcing policy, as well as appropriate reporting obligations on their service providers to ensure that materiality can be assessed in the event of organisational change at the service provider/its material subcontractors.

The paper also proposes a (non-exhaustive) list of criteria to take into account in assessing materiality, as well as some criteria that will generally render an outsourcing arrangement automatically material

4. Intra-group outsourcing

Although intra-group arrangements are subject to the same requirements as outsourcing to third parties outside the group, the PRA proposes that some of the requirements can be applied ‘proportionately’ in relation to intra-group outsourcings.  The PRA give, as examples, the ability to adjust vendor due diligence and the ability to adapt certain clauses in the outsourcing agreement.  There is an opportunity, as part of the consultation, for firms to seek to expand the areas in which a different (and more proportionate) approach can be applied in relation to intra-group outsourcings.

5. Board engagement on outsourcing

The draft paper elaborates on the role of the board (or other governing body) in relation to outsourcing and the management of risk. The draft proposes that firms’ boards should ‘bear responsibility for the effective management of all risks to which the firm is exposed, including by appropriately identifying and understanding the firm’s reliance on critical service providers, and ensuring that the firm has, from board level downwards, appropriate and effective risk management systems and strategies to deal with outsourced service providers.  In addition, the PRA expects management information on outsourcing provided to the board to be clear, consistent, robust, timely, well-targeted and contain a level of technical detail to facilitate effective oversight and challenge by the board.

6. Content of outsourcing policy

The EBA Outsourcing Guidelines envisage that firms’ boards should approve, regularly review and implement a written outsourcing policy.  The paper recognises that there is no ‘one-size-fits-all’ template for firms’ outsourcing policies, and that firms are responsible for developing and maintain a policy that is appropriate to their complexity, organisational structure and size.  The paper sets out a number of areas that each policy should cover as a minimum, including:

• board responsibilities, the involvement of internal control functions and other individuals (in particular, SMFs) in respect of outsourcing arrangements
• documentation and record-keeping requirements
• procedures for identification and management of potential conflicts of interest
• any differences between the approach to intra- and extra-group outsourcings, material and non-material outsourcings, outsourcing to service providers outside the UK
• pre-outsourcing and on-boarding including vendor due diligence processes and processes for assessing the materiality and risks of outsourcing arrangements
• oversight arrangements (including day-to-day oversight, performance assessment against service levels, independent review and audit of compliance with legal and regulatory requirements and policies)
• Termination, including exit strategies and termination processes.

7. Material Outsourcing Agreements

The areas that the PRA proposes should be covered in all outsourcing agreements very closely mirror the areas identified in the EBA Outsourcing Guidelines.  The key areas where the two differ are in relation to:

• information security, where the PRA proposes as an additional area of coverage ‘appropriate and proportionate information security related objectives and measures, including…minimum cybersecurity requirements, specifications of firm’s data life cycle’ and operational and security incident handling procedures, and
• a greater emphasis on termination rights and exit strategies in stressed scenarios.

8. Data security

The PRA proposals on data security are much more granular and detailed than those contained in the EBA Outsourcing Guidelines, and enjoy a chapter of their own in the PRA proposals.  These proposals include a minimum set of preventative and detective measures to ensure firms implement robust controls for data in transit, at rest and ‘in memory’.  Notably, firms will also be expected to make any encryption keys available to the PRA.

9. Exit Planning and Stressed Exits

As is standard for important outsourcing arrangements, the PRA expects firms to have in place, and to regularly test, business continuity and exit plans.  However, the paper proposes that firms have in place separate exit strategies for stressed and non-stressed’ exits, with a view to ensuring that, even when a firm exits in a stressed scenario (e.g. supplier insolvency), it can continue to deliver its important business services in line with their impact tolerances following the stressed exit.  Whilst largely just a reflection of good practice in this area, the PRA’s proposals would likely mean that firms test and are able to demonstrate that they can either deliver services in house/on-premise and/or transfer the service to another provider whilst remaining within their impact tolerances in a distressed exit scenario.

In addition, the paper proposes that firms should develop its exit plans (stressed and non-stressed) during the pre-outsourcing phase.  Firms may find this challenging if the transition to the chosen supplier involves an up front transformation project.

It should be noted that the PRA makes express reference to use of a firm’s access, audit and information rights (see below) in order to assess the effectiveness of service provider’s business continuity plans and it is likely therefore that, going forward, there will be a greater emphasis by the PRA in checking that these business continuity plans are in place, up to date, effective and regularly tested.

The PRA also proposes that, in relation to material cloud outsourcing arrangements, firms have carried out an assessment of the resilience of the services and data being outsourced.  Whilst the vast majority of firms will already do this, the PRA’s proposals would mean that documenting the resiliency upon which the firm is relying, including the firm’s reasons for choosing a particular resiliency option, will be important.

10. Access, audit and information rights

The PRA proposals on access, audit and information rights differ from the equivalent parts of the EBA Outsourcing Guidelines, appearing to be weaker in some respects and more onerous in others.  For example, while the EBA Outsourcing Guidelines in these areas are expressed in absolute terms (firms “should ensure”), the PRA proposes that firms take “reasonable steps” to ensure.  It is unclear whether this difference is intentional or not, but if the reasonable steps qualification remains in the final form paper, it may make it more difficult for firms to secure agreement from their service providers to allow for the access, audit and information rights envisaged by the EBA Outsourcing Guidelines.

For more information on these consultation papers or our upcoming client event covering these topics, please contact Paul O’Hare.

[1] https://www.fca.org.uk/publication/consultation/cp19-32.pdf

[2] https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/consultation-paper/2019/cp2919.pdf?la=en&hash=393834B1FDE05A8571522FD72A6A8D997079714C

[3] https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/consultation-paper/2019/cp3019.pdf?la=en&hash=4766BFA4EA8C278BFBE77CADB37C8F34308C97D5

[4] https://eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1

[5] https://www.bankofengland.co.uk/research/future-finance

[6] https://eiopa.europa.eu/Publications/Consultations/2019-07-01%20ConsultationDraftGuidelinesOutsourcingCloudServiceProviders.pdf

[7] https://eba.europa.eu/sites/default/documents/files/documents/10180/2522896/32a28233-12f5-49c8-9bb5-f8744ccb4e92/Final%20Guidelines%20on%20ICT%20and%20security%20risk%20management.pdf

 

• Share this blog

• Twitter
• Facebook
• Linkedin