Out-Law Analysis 4 min. read
24 Nov 2022, 11:44 am
Financial services firms need to engage the help of service providers to meet their obligations around operational resilience in the UK. The regulatory requirements firms are subject to need to be reflected in services contracts.
The good news is that many of the provisions that firms already include in contracts in order to meet regulatory requirements on outsourcing or the use of third party providers will help firms satisfy operational resilience requirements. However, that should not diminish the need to keep operational resilience front-of-mind for firms when contracting with suppliers.
The UK Prudential Regulation Authority (PRA) defines ‘operational resilience’ as “the ability of firms, their groups and the financial sector as a whole to prevent, adapt to, respond to, recover from, and learn from operational disruptions”. This concept does not suggest that disruption will never happen, but instead focuses on how financial services firms should manage it and learn from it, and to keep it within appropriate tolerances they set.
The first step for financial services firms is to identify their important business services and map “the people, processes, technology, facilities and information necessary” to deliver those services. This mapping exercise will need to consider third party arrangements. Firms will need to review mapping regularly, so it is important to ensure that third party contracts permit disclosure of this information. Firms should strive to ensure that the information is shared with them through the operation of normal governance and management information provisions, rather than having to rely on audit provisions.
Suppliers may be nervous about disclosing sensitive information around potential vulnerabilities in relation to their systems or services, but this information is necessary to consider how disruption would manifest and be mitigated. Therefore, confidentiality provisions should be drafted to permit disclosure where required to satisfy regulatory requirements.
Financial services firms need to set impact tolerances for important business services – this is about ensuring that a maximum tolerable level of disruption is set. Once done, the firm must ensure that the tolerances are reflected in service levels. For example, if payment of an annuity must happen within 36 hours, because any further delay would have a significant impact on vulnerable customers, the service level around supporting that annuity payment must be set at less than 36 hours in the services contract.
Some financial services firms may wish to include specific clauses relating to operational resilience, where they task suppliers with ensuring that the services are not overly dependent on key personnel or specific locations. It is important that the contract also places obligations on the supplier to provide information about how it meets these requirements, to allow the financial firm to assess compliance and manage risk.
Compliance with regulatory outsourcing and third party contracting requirements will already drive a need for certain contract clauses, but financial services firms should note that there is an operational resilience angle to the requirement as well.
In relation to business continuity, the PRA’s supervisory statement SS2/21 requires both customer and supplier to support one another on the testing of business continuity plans – the operational resilience angle is that the plans should take account of the impact tolerances for important business services.
In relation to approved locations, firms will want to approve the locations, at a country or region level, where services are being delivered from or where data is being processed or stored. Operational resilience will be a factor in this approval – there may be an advantage to the service being provided from multiple locations in terms of maximising operational resilience. However, it will also be important to consider whether any locations threaten operational resilience, for example by representing a security concern.
Sub-outsourcing often provokes debate and some challenges in supplier negotiations – suppliers are not keen to give financial services firms disproportionate control over their supply chain, especially where their service offering is delivered to multiple customers and not just the firm in question. However, from an operational resilience perspective, financial services firms need to pay attention to the potential impact of large, complex sub-outsourcing chains on operational resilience. That may provide some added justification for contract negotiations around customer consent and objection rights in relation to sub-outsourcing.
Termination and exit provisions are another core regulatory consideration. Financial services firms need to ensure that the contract includes termination rights that support regulatory compliance, and that any termination allows a smooth transition of the services to another supplier, or back in-house.
The European Banking Authority’s (EBA’s) outsourcing guidelines contain some specific termination triggers to be included in contracts; PRA SS 2/21 is less prescriptive. However, the PRA’s list of “non-exhaustive examples” of potential termination triggers includes “a significant incident at a sub-outsourcer caused extensive and unmanageable operational disruption to a firm so that it could no longer stay within its impact tolerances for important business services”. That will support arguments by financial services firms that they need to be engaged in supply chains and aware of issues that may develop.
Financial services firms are very aware of the contractual requirements driven by regulatory rules around third party contracting such as the PRA’s SS 2/21 and the EBA outsourcing guidelines. Operational resilience is a closely related issue which also feeds into third party contracts. It provides additional justification for financial services firms’ negotiation requirements around sub-outsourcing, audit, business continuity and exit.
While many operational resilience requirements can be covered through these provisions without specific reference to the words “operational resilience”, that does not diminish the need for operational resilience to be an important consideration when drafting and negotiating third party services contracts.
16 Nov 2022
01 Jun 2022