How financial institutions can manage third-party risk in material non-outsourcing contracts

This represents a change of approach that requires financial institutions to consider the control frameworks they apply.

There are specific regulatory requirements for outsourcing. Though these do not apply in full to material non-outsourcing contracts, there is an expectation that those contracts include protections as robust as those set out in contracts for material outsourcing.

There are a number of ways that financial institutions can apply some flexibility in how they implement third party risk regulatory requirements within material non-outsourcing contracts.

Due diligence

Regulatory rulesets often set out broad due diligence requirements. In an outsourcing context, to comply, financial institutions should obtain sufficient information to assess the potential supplier’s business model, financial situation, ownership structure, expertise and reputation. They should also assess its capacity to deliver the services and financial, human and technology resources, and further consider the supplier’s ICT, risk and security controls, where relevant to the services to be provided.

The due diligence should also be comprehensive enough to determine whether any sub-outsourcing arrangements that the supplier has, or may enter into, could have an adverse impact on the financial institution’s important business services.

In the material non-outsourcing context, the Prudential Regulation Authority (PRA) in particular will expect financial institutions to take the same approach. However, in this context, financial institutions may adjust their pre-contracting processes where appropriate – that is, where aspects of the process would be unsuitable due to the nature of the services which the third-party will provide.

For example, if the third-party will not process critical data, regulatory references to obtaining 'data dictionaries' through due diligence may not be appropriate. On the other hand, where there are market expectations that the type of service provided should meet a recognised industry standard, failure to obtain confirmation of the supplier’s record in meeting that standard may be deemed a failure to meet regulatory due diligence requirements.

Service levels

Regulatory rulesets tend not to dictate the form that service levels are to take in material outsourcing contracts. Typically, though, they set out some broad guiding principles.

One principle requires financial institutions to include performance criteria that are both “qualitative” and “quantitative” within their material outsourcing agreements. Another requires service level regimes to allow for “timely monitoring” and enable “corrective action” to be taken where service levels are not met.

There is largely an equivalent expectation for service levels to be set out in all material non-outsourcing contracts. In particular, where the services enable or form part of the delivery of an important business service, they will need to include performance criteria that are effective to support impact tolerance measures required by the operational resilience frameworks of the Financial Conduct Authority (FCA) and the PRA.   

It is also not common for regulatory rulesets to dictate the form that corrective action should take where failures of service levels are identified. Typically, in an outsourcing context, service levels may be supported by service credit regimes, rectification plan measures and, where practical, step-in rights.

In the context of material non-outsourcing contracts, the relationship will be one that either is not ongoing or recurrent or for services which the financial institution would not normally be expected to undertake itself. For these types of relationships, actions to correct service level failures may take on a very different form and focus more on relationship escalation procedures and other core governance arrangements.

Data security

The approach of financial regulators towards the transfer of data to third-parties is growing more consistent across outsourcing and non-outsourcing. Generally, financial institutions will be expected to “define, document, and understand their and the service provider’s respective responsibilities” and implement appropriate security measures regardless of whether an arrangement is classified as outsourcing.

This applies to the supplier’s processing of both personal and non-personal data. The inclusion of data security requirements in financial regulatory rulesets would largely be redundant if they were aimed only at protecting personal data, the security of which is largely covered by the GDPR and other data protection laws.

Which security measures are appropriate will be context-specific and should be assessed on a case-by-case basis. In many circumstances where critical data is processed, the assessment may require a review of the supplier’s encryption controls, including those which relate to the access of encryption keys, and confirmation of its ability to remove all data from its, and its sub-contractors’, premises on exit.

Audit, access and co-operating with regulators

For material outsourcing contracts the baseline requirement for audit rights requires the financial institution to retain the ability to request additional, appropriate, and proportionate information if such a request is justified from a legal, regulatory, or risk management perspective. Financial institutions also need to retain the right to perform onsite audits, at their discretion.

Certifications and pooled audit arrangements may reduce the need in practice to exercise rights to conduct onsite audits. They cannot, however, be used as a basis for entering into a material outsourcing arrangement that does not include the right to conduct an onsite audit.

In the context of material non-outsourcing contracts, there is often no firm requirement regarding audits except for that provided for in the UK GDPR. GDPR requires that processors of personal data allow for and contribute to audits and inspections conducted by or on behalf of data controllers. 

For material non-outsourcing contracts, we would typically expect to see audit rights applied as a matter of course to meet broader risk control expectations. However, in some contexts this may be limited to requirements to provide information reasonably requested, or be bound to a subset of relevant services.

Sub-outsourcing

Third-party risk regulatory frameworks often include detailed rules for sub-contracting. For material outsourcing, the PRA, for example, requires financial institutions to only agree to sub-outsourcing where the sub-outsourcer will comply with all relevant contractual obligations, and give contractual access, audit, and information rights equivalent to those granted by the supplier.