PRA outsourcing guidance will spur contracts review

Out-Law Analysis | 17 Feb 2020 | 10:30 am | 3 min. read

Banks, insurers and investment firms operating in the UK should conduct a major contract review to take account of draft guidance on outsourcing that has been issued by the Prudential Regulation Authority (PRA).

The PRA's proposed new guidelines on outsourcing impact many financial institutions operating in the UK. Those institutions already face a major compliance exercise to update contracts with service providers as a result of outsourcing guidance issued by other regulators.

The scope and timing of the guidelines

The PRA confirmed that its draft guidelines are relevant to all UK banks, building societies and PRA-designated investment firms, as well as UK insurance and reinsurance firms and groups in scope of the Solvency II regime. This, it said, includes the Society of Lloyd’s and managing agents.

In addition, UK branches of overseas banks and insurers are also within the scope of the new guidelines. Some of the proposals are relevant to credit unions and non-directive firms (NDFs). NDFs are firms that are not subject to the Solvency II regime but which nevertheless are subject to some parts of the PRA Rulebook.

The PRA has said that it proposes to publish its final policy "in the second half of 2020 … with implementation of most of the proposals shortly after." However, it has also said that the parts of its guidelines which "derive from the EBA outsourcing guidelines or (if adopted in the current form) the draft EIOPA cloud guidelines would be subject to longer implementation periods".

The PRA's draft guidelines were opened out for consultation prior to Christmas 2019. The finalised EIOPA cloud guidelines were published last week. This indicates that we might expect the PRA to update its draft guidelines too. The PRA's consultation is open until 3 April 2020.

The challenge facing firms

The PRA's draft new outsourcing guidelines are just the latest requirements that financial institutions will need to map against their existing contracts with service providers. In addition to the EBA's (European Banking Authority's) outsourcing guidelines, which the PRA said its draft new guidelines implement, the PRA's proposals also take account of recently finalised guidelines on ICT and security risk management issued by the EBA as well as EIOPA's draft cloud outsourcing guidelines as they were at the time.

The raft of new guidelines reflects the move by regulators to address the risks associated with financial institutions increasingly seeking to access new technologies by outsourcing functions of their operations to third party service providers, including those offering cloud-based solutions.

Taken together, the various regulatory guidelines represent a major compliance exercise for institutions. With the scope for significant overlap between guidelines developed at EU level and across various sub-sectors of financial services, it is perhaps unsurprising – though not to be recommended – that some institutions are choosing a 'wait and see' approach before updating their policies and contracts as more guidance continues to emerge.

A recent poll from a pan-European event run by Pinsent Masons, the law firm behind Out-Law, found that just 3% of credit institutions, investment firms and payment institutions, as well as the service providers they engage with, have redrafted their template documents to take account of EBA guidelines on outsourcing. Those guidelines were finalised in February 2019 and began to apply on 30 September last year.

The survey found that 48% of businesses subject to the EBA guidelines had not started the process of redrafting template documents, while just 39% said they had started remediating existing contracts, or received correspondence about such remediation, to account for the EBA outsourcing guidelines.

Factoring in the guidelines from the EIOPA and PRA, as well as from the EBA, therefore represents a major compliance exercise and is one of the reasons we have been calling for greater harmonisation from the supervisory bodies in terms of the terminology used and substance of their guidelines.

The requirements that the PRA plans to impose on the institutions are designed to address some risks it said arise from outsourcing. These include cyber risk and broader protection of data, appropriate oversight of sub-contracting arrangements, business continuity and consolidation risk, and the ease with which institutions can terminate contracts and retain access to their data.

The new outsourcing guidelines were issued by the PRA alongside a new shared policy summary and consultation papers issued in coordination with the Financial Conduct Authority (FCA) and Bank of England, which were aimed at improving the operational resilience of firms and financial markets infrastructure.