Regulatory outsourcing - The final PRA outsourcing supervisory statement

The PRA has issued a Supervisory Statement on Outsourcing and Third Party Risk management with which all entities regulated by the PRA will need to comply. For some, the framework will be familiar as it is intended to 'implement' the EBA Guidelines on Outsourcing. For others, it may represent a major shift in approaches to contracting and risk management. 

At this briefing session we will review this Supervisory Statement in detail and outline the steps that regulated entities should take when contracting with outsourcing and third party providers. We will consider: 

• the relevant timelines for compliance and how the Supervisory Statement relates to other regulatory frameworks including the requirements of the Financial Conduct Authority
• the extent to which contracts need to be prepared or renegotiated with technology and other providers to comply with the Supervisory Statement 
• substantive areas including: 
  • what is outsourcing and ‘material outsourcing’ from a PRA perspective? 
  • how does the PRA statement change due diligence and risk assessment expectations?
  • data and systems security requirements
  • access, audit and information rights requirements
  • sub-outsourcing requirements
  • business continuity and exit plans
  • general contractual requirements to consider 
  • concentration risk
  • the relevance of third party providers to operational resilience and in keeping within impact tolerances

As we will consider in detail requirements covered in the EBA Guidelines on Outsourcing, this session will be particularly useful for those who are not familiar with these Guidelines. However we will touch on the key differences between the two regimes.