30th Floor, North Tower, Beijing Kerry Centre, 1 Guanghua Road, Chaoyang District, Beijing, 100020
+86 10 8519 0011
50th Floor, Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong
+852 2521 5621
Room 4605, Park Place, 1601 Nanjing West Road, Jing An District, Shanghai, 200040
+8621 6321 1166
Suite 2405, 24/F, SCIA Tower, Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone of Shenzhen, Shenzhen, 518000
+86 755 6123 5666
Select your language
Please accept the geolocation request appearing in your browser
Find other officesOUT-LAW ANALYSIS 5 min. read
01 Jun 2022, 9:50 am
The expectations of UK financial services regulators over how financial entities manage third-party risk focus more on the materiality of the risk than on whether the third-party arrangements constitute an outsourcing or not.
This represents a change of approach that requires financial institutions to consider the control frameworks they apply.
There are specific regulatory requirements for outsourcing. Though these do not apply in full to material non-outsourcing contracts, there is an expectation that those contracts include protections as robust as those set out in contracts for material outsourcing.
There are a number of ways that financial institutions can apply some flexibility in how they implement third party risk regulatory requirements within material non-outsourcing contracts.
Regulatory rulesets often set out broad due diligence requirements. In an outsourcing context, to comply, financial institutions should obtain sufficient information to assess the potential supplier’s business model, financial situation, ownership structure, expertise and reputation. They should also assess its capacity to deliver the services and financial, human and technology resources, and further consider the supplier’s ICT, risk and security controls, where relevant to the services to be provided.
The due diligence should also be comprehensive enough to determine whether any sub-outsourcing arrangements that the supplier has, or may enter into, could have an adverse impact on the financial institution’s important business services.
In the material non-outsourcing context, the Prudential Regulation Authority (PRA) in particular will expect financial institutions to take the same approach. However, in this context, financial institutions may adjust their pre-contracting processes where appropriate – that is, where aspects of the process would be unsuitable due to the nature of the services which the third-party will provide.
For example, if the third-party will not process critical data, regulatory references to obtaining 'data dictionaries' through due diligence may not be appropriate. On the other hand, where there are market expectations that the type of service provided should meet a recognised industry standard, failure to obtain confirmation of the supplier’s record in meeting that standard may be deemed a failure to meet regulatory due diligence requirements.
Regulatory rulesets tend not to dictate the form that service levels are to take in material outsourcing contracts. Typically, though, they set out some broad guiding principles.
One principle requires financial institutions to include performance criteria that are both “qualitative” and “quantitative” within their material outsourcing agreements. Another requires service level regimes to allow for “timely monitoring” and enable “corrective action” to be taken where service levels are not met.
There is largely an equivalent expectation for service levels to be set out in all material non-outsourcing contracts. In particular, where the services enable or form part of the delivery of an important business service, they will need to include performance criteria that are effective to support impact tolerance measures required by the operational resilience frameworks of the Financial Conduct Authority (FCA) and the PRA.
It is also not common for regulatory rulesets to dictate the form that corrective action should take where failures of service levels are identified. Typically, in an outsourcing context, service levels may be supported by service credit regimes, rectification plan measures and, where practical, step-in rights.
In the context of material non-outsourcing contracts, the relationship will be one that either is not ongoing or recurrent or for services which the financial institution would not normally be expected to undertake itself. For these types of relationships, actions to correct service level failures may take on a very different form and focus more on relationship escalation procedures and other core governance arrangements.
The approach of financial regulators towards the transfer of data to third-parties is growing more consistent across outsourcing and non-outsourcing. Generally, financial institutions will be expected to “define, document, and understand their and the service provider’s respective responsibilities” and implement appropriate security measures regardless of whether an arrangement is classified as outsourcing.
This applies to the supplier’s processing of both personal and non-personal data. The inclusion of data security requirements in financial regulatory rulesets would largely be redundant if they were aimed only at protecting personal data, the security of which is largely covered by the GDPR and other data protection laws.
Which security measures are appropriate will be context-specific and should be assessed on a case-by-case basis. In many circumstances where critical data is processed, the assessment may require a review of the supplier’s encryption controls, including those which relate to the access of encryption keys, and confirmation of its ability to remove all data from its, and its sub-contractors’, premises on exit.
For material outsourcing contracts the baseline requirement for audit rights requires the financial institution to retain the ability to request additional, appropriate, and proportionate information if such a request is justified from a legal, regulatory, or risk management perspective. Financial institutions also need to retain the right to perform onsite audits, at their discretion.
Certifications and pooled audit arrangements may reduce the need in practice to exercise rights to conduct onsite audits. They cannot, however, be used as a basis for entering into a material outsourcing arrangement that does not include the right to conduct an onsite audit.
In the context of material non-outsourcing contracts, there is often no firm requirement regarding audits except for that provided for in the UK GDPR. GDPR requires that processors of personal data allow for and contribute to audits and inspections conducted by or on behalf of data controllers.
For material non-outsourcing contracts, we would typically expect to see audit rights applied as a matter of course to meet broader risk control expectations. However, in some contexts this may be limited to requirements to provide information reasonably requested, or be bound to a subset of relevant services.
Third-party risk regulatory frameworks often include detailed rules for sub-contracting. For material outsourcing, the PRA, for example, requires financial institutions to only agree to sub-outsourcing where the sub-outsourcer will comply with all relevant contractual obligations, and give contractual access, audit, and information rights equivalent to those granted by the supplier.
For material outsourcing arrangements, the PRA also requires that financial institutions retain the right to object to a decision to sub-outsource or terminate the agreement where a material sub-outsourcing could have a significant adverse effect or would lead to a substantive increase of risk.
In the context of material non-outsourcing contracts, more flexibility may be applied. While the underlying principles remain the same and should account for the materiality and risk level of the arrangement, the strict requirements and full flow-down of terms may not be necessary in all circumstances.
While flexibility may be applied, contracts that fail to include risk-based oversight measures to drive controls will fall short of the expectations of regulators. Supply chain risk and sub-contracting are areas that attract regulator attention and areas where heightened risk is perceived. Therefore, financial institutions are likely to consider it necessary to include controls which restrict the sub-contracting of sensitive activity and ensure compliance with data protection legal requirements.
As regulators like the PRA are focussing more on the materiality of contracts rather than their classification as outsourcing or not outsourcing, financial institutions need to implement effective contracting strategies that are consistent with this regulatory approach.
Understanding where a unified approach to implementing controls for outsourcing and non-outsourcing would be the best solution, as well as where flexibility between the two approaches may be more appropriate, is central to balancing the need to maintain effective relationships with important suppliers and other critical third-parties against the need to address regulatory risk. We expect market practice in this area to evolve as more arrangements come before the regulator.
Written by
Stay ahead by signing up to our weekly email of news and expert analysis, tailored for you
TMT sourcing & advisory
Valid email address
Thanks, we have sent an email to
Please check your inbox to confirm your subscription. The confirmation email may take up to 15 minutes to arrive.
• Check your spam or junk folder
• Ensure your email address was entered correctly.
• You can amend your details and resubmit if required
• If the email has still not arrived, please contact us for assistance
OUT-LAW NEWS
Lucy Townley tells HRNews how new laws in force from 18 February 2026 make dismissal during protected industrial action much riskier for employers.
OUT-LAW NEWS
A High Court ruling ordering the chief executive of a Russian industrial giant to hand over documents underlines that senior executives may not be able to distance themselves from information within their company when it comes to disclosure in litigation, according to experts.
OUT-LAW NEWS
The first stage of a major reformation of the relationship between employers and trade unions in the UK, which will begin its phased implementation later this month, will increase exposure for companies including those which have not previously engaged in industrial relations, according to an expert.
We use cookies that are essential for our site to work. To improve our site, we would like to use additional cookies to help us understand how visitors use it, measure traffic to our site from social media platforms and to personalise your experience. Some of the cookies that we use are provided by third parties. To accept all cookies click ‘accept all’. To reject all optional cookies click ‘reject all’. To choose which optional cookies to allow click ‘cookie settings’. This tool uses a cookie to remember your choices.
Please visit our cookie policy for more information.
