PRA guidance has implications for sub-outsourcing

The UK regulator has opened a consultation on proposed new guidance on outsourcing, which is open until 3 April 2020. The guidance is relevant to banks, insurers and investment firms, among others. It addresses a wide-range of issues and has implications for firms' oversight of sub-outsourcing arrangements.

Financial institutions operating cross-border should consider the PRA's draft guidelines alongside the approach taken in other jurisdictions, with sub-outsourcing a topic that financial regulators in both Germany and Ireland have addressed.

The regulation of sub-outsourcing

Regulated financial institutions do not outsource responsibility for regulatory compliance when they outsource functions of their operations. This is also true in cases where service providers transfer parts of the services they have been contracted to provide to other service providers.

In fact, the PRA said in its consultation paper that sub-outsourcing can "amplify certain risks in material outsourcing arrangements", such as risks around data security, and further "limit firms’ ability to manage [those risks]; particularly where large, complex chains of service providers are involved".

With this in mind, the PRA has drawn up guidelines to ensure financial institutions retain a degree of oversight over material outsourcing arrangements which involve or may involve sub-outsourcing. The guidelines are broadly similar to outsourcing guidelines the European Banking Authority (EBA) has previously issued as well as guidelines on outsourcing to cloud service providers more recently finalised by the European Insurance and Occupational Pension Authority (EIOPA). However, the PRA does include some general thoughts which may require financial institutions to revisit the approaches they are taking towards sub-outsourcing.

Due diligence and monitoring

According to the PRA, where a material outsourcing arrangement is likely to involve sub-outsourcing, the PRA "expects firms to assess relevant risks". Firms are expected to "pay particular attention to the potential impact of large, complex sub-outsourcing chains on their operational resilience and ability to oversee outsourcing arrangements".

Service providers can "facilitate firms' due diligence by maintaining up to date lists of their sub-outsourced service providers", the PRA said.

On oversight, the PRA's requirements more closely reflect the EIOPA cloud guidelines than they do the EBA's outsourcing guidance.

The EBA guidelines on outsourcing impose a requirement on financial institutions to take into account the extent to which the potential arrangement will affect their abilities to monitor all risks, but they do not directly state that financial institutions must monitor the sub-outsourced service providers. In contrast, EIOPA has said that firms should set up "monitoring and oversight mechanisms, which should take into account, where feasible and appropriate, the presence of sub-outsourcing of critical or important operational functions or a part thereof". The PRA's draft guidance is similarly worded.

The PRA has said: "While it may not be feasible for firms to monitor every service provider across the supply chain, firms should, at a minimum, monitor those sub-outsourced service providers involved in the provision of important business services, including their ability to stay within the firm's impact tolerances".

The PRA has further explained the conditions that firms must ensure have been met before they agree to sub-outsourcing. It said firms must ensure "the sub-outsourcing will not give rise to undue operational risk for the firm", as clarified in its guidelines. In addition, they must also ensure sub-outsourced service providers undertake to comply with all applicable laws, regulatory requirements and contractual obligations, and further grant equivalent contractual access, audit and information rights to those granted by the service provider.

A written agreement and contractual rights

Where sub-outsourcing is agreed to and concerns material outsourcing arrangements, the regulator said that firms should ensure this is documented in a written agreement between firms and the service provider. The agreement should set out any conditions to be complied with in the case of permissible sub-outsourcing.

The written agreement should further require that service providers obtain prior specific or general written authorisation from the firm before transferring data, in line with the requirements of article 28 of the General Data Protection Regulation, the PRA said.

In Germany

The Federal Financial Supervisory Authority, BaFin, takes a strict approach on sub-outsourcing.

While there is no dedicated guidance on sub-outsourcing, the guidance available on outsourcing in general also covers sub-outsourcing. According to BaFin, the outsourcing contract must contain provisions on the possibility and modalities of sub-outsourcing to ensure that supervisory oversight can still be exercised. In particular, it must be ensured that the information and auditing rights as well as control options of the firm and of BaFin extend to subcontractors.

The outsourcing agreement should contain provisions requiring approval, or specific conditions as to when sub-outsourcing is allowed. The firm should be informed in advance of any sub-outsourcing. In the event of a new sub-outsourcing, the risk analysis should at least be reviewed or carried out again.

BaFin president Felix Hufeld has repeatedly pointed out that the ultimate responsibility for functions being outsourced remains with the management of the financial institution and not with the service providers.

In Ireland

The Central Bank of Ireland (CBI) published a discussion paper on outsourcing in November 2018. This predates the EBA guidelines on outsourcing arrangements. It has not released guidance or reports on the topic since then. However, certain public statements from the CBI indicate that it has material concerns with outsourcing practices of financial institutions in Ireland and that it views the management of outsourcing risk as a central issue from both a conduct and prudential perspective.

The CBI has been clear that it expects appropriate oversight and awareness of outsourcing arrangements and associated risks. In relation to sub-outsourcing specifically, some of the concerns identified in the 2018 paper were:

• A failure of financial institutions to include notice obligations for outsource service providers of any planned sub-outsourcing or material changes in such arrangements 
• A failure by outsource service providers to contractually require sub-outsourcers to fulfil the services in line with the primary outsourcing contract  
• A weakness in governance and oversight provisions in outsourcing contracts generally, including the management and monitoring of services 
• Concentration risk presented by outsource service providers relying on a relatively small pool of sub-outsource providers, in particular for cloud services.

These concerns are addressed, either directly or indirectly, through requirements in the EBA guidelines.

Implications for contract negotiations

Provisions around sub-contracting, and in particular the flow-down of a firm’s rights to sub-contractors, are often one of the more challenging areas to negotiate in outsourcing contracts. Service providers, especially cloud service providers, often object to the extent of the rights that firms want to flow down, and argue that this is not achievable. The various outsourcing guidelines focus on 'sub-outsourcing' and so firms can focus their requirements for flow-down on sub-contracting arrangements that are directly linked to the outsourced services. However, even within this sub-set of sub-contracted services, it can be challenging to achieve a compliant contract with some suppliers.

Monitoring and flowing down rights are part of what firms need to have in contracts to ensure compliance, and so it will be necessary for those suppliers who want to engage with the financial services sector to approach their supply chains on a basis which facilitates this.