Access and audit: the PRA's outsourcing expectations

Agreeing rights to access, audit and request information held by service providers is something that financial institutions, in particular banks, will by now be accustomed to when negotiating outsourcing contracts.

However, banks, insurers and investment firms, among others, will likely need to go further than they have before in relation to the access and audit rights they secure for both themselves and regulators if the PRA's proposals are finalised in their current form.

Based on the current wording, there is a risk that financial institutions and their service providers will have different views of how the obligations can be met under contract, or indeed whether they are a matter for contract or the financial institution's internal policies, and clarification is needed on how the requirements can be met in practice.

This is part of a series of articles looking at different aspects of the PRA's draft outsourcing guidance. The guidance is relevant to banks, insurers and investment firms, among others and addresses a wide-range of issues, including sub-outsourcing and access and audit rights.

The access and audit requirements

The PRA's proposals are broadly similar to access and auditing rights requirements that have been imposed in the European Banking Authority's (EBA's) guidelines on outsourcing finalised last year. However, the language used by the PRA is broader in some respects.

According to the PRA's proposed new guidelines on outsourcing, the regulator will expect financial institutions subject to its guidance to take reasonable steps to ensure that written agreements for material outsourcing arrangements provide them, the PRA and, if applicable, the Bank of England "unrestricted access, audit and information rights".

Those access, audit and information rights must "enable firms to comply with their legal and regulatory obligations; and identify, monitor and manage risks relating to the arrangement".

The regulator's proposals on effective access, audit and information rights are broad ranging, covering – as appropriate – "data, devices, information, systems and networks used for providing the outsourced service or monitoring its performance", as well as company and financial information; and  the service provider’s external auditors, personnel and premises.

The PRA said it expects firms to exercise their access, audit and information rights in respect of material outsourcing arrangements in "an outcomes-focused way" so as to "assess whether the service provider is providing the relevant service effectively and in compliance with the firm’s legal and regulatory obligations and expectations, including as regards operational resilience.

The regulator backed the use of third party certification and pooled audits as means by which firms can meet its requirements on access, audit and information rights. Pooled audits let multiple financial institutions arrange audits of their service providers' premises to take place at the same time and/or through the same third party auditors to help reduce the cost of those audits for both institutions and providers.

Achieving compliance

Unlike the EBA guidelines on outsourcing, the PRA requires financial institutions to obtain unrestricted 'information rights' in addition to unrestricted access and audit rights. It also broadens the purposes for which those rights may be exercised. The practical implications are as yet uncertain, but greater detail or guidance on these points from the PRA would be welcome.

In relation to pooled audits, the PRA said that each participating financial institution should assess what the findings mean for it individually and whether the audit requires any follow-up. That means financial institutions relying on pooled audits will need to ensure that audit provisions are worded in a way that gives scope for individual follow-up with the service provider. This 'follow-up' may take the form of rights of further review if any concerns arise from a pooled audit that may impact on a financial institution specifically, for example. If that is the case, this could invite push back from providers as they may see it as undermining the benefits of having agreed audits on a pooled basis. Again, clarification from the PRA on this would be useful. 

According to the PRA, an important objective of the access, audit and information rights provisions is to enable financial institutions and the relevant regulators to "assess the effectiveness of service providers' business continuity plans". This is reflective of a wider emphasis on business continuity that is evident throughout the PRA's proposals, both from a contracting and internal policy perspective, and should be an area of focus for institutions for implementation – assuming the emphasis is the same once the PRA finalises its proposals.