Out-Law Analysis | 16 Mar 2020 | 11:47 am | 4 min. read
The regulator is holding a consultation until 3 April on proposed new guidance on outsourcing and third party risk management. The draft guidance sets out a range of requirements around data, including specific obligations around its location, classification and security. Those requirements effectively prescribe what until now have been considered good practice behaviours that financial institutions should already be familiar with in complying with data protection law and rules set by the Financial Conduct Authority.
The PRA's requirements around the location of data, however, are subtly different to those contained in European Banking Authority (EBA) guidance that is already in force. The differences require further explanation from the UK regulator given the potential implications for outsourcing contracts.
This is part of a series of articles looking at different aspects of the PRA's draft outsourcing guidance. The guidance is relevant to banks, insurers and investment firms, among others and addresses a wide-range of issues, including sub-outsourcing, access and audit rights and data requirements.
In its draft guidance, the PRA explained that where a material outsourcing agreement involves the transfer of data, the PRA expects firms to define, document and understand their and the service provider’s respective responsibilities in respect of that data and take appropriate measures to protect them.
Among the risks that the PRA expects firms to consider include the risk of inappropriate access, insider threats, loss of data, unavailability of data and the unauthorised modification of data
For the purposes of the guidance, 'data' is to be interpreted broadly as including confidential, firm, sensitive and transactional data as well as the systems used to process, transfer or store data.
The PRA said it expects firms to classify relevant data being outsourced based on their confidentiality and sensitivity, and also identify potential risks relating to outsourced data and their impact. Firms are also expected to agree an appropriate level of data availability, confidentiality and integrity.
Among the risks that the PRA expects firms to consider include the risk of inappropriate access, insider threats, loss of data, unavailability of data and the unauthorised modification of data.
The PRA has set out its minimum expectations on the contents of written agreements for material outsourcings. It includes requirements regarding the location of data.
The PRA said the written agreement should detail "the location(s), ie regions or countries where the material function or service will be provided, and/or where relevant data will be kept and stored, processed or transferred, including a requirement for the service provider to notify the firm in advance if it proposes to change said location(s)".
Other than the addition of the words 'or transferred', the text almost mirrors exactly what is set out in the EBA's guidelines on outsourcing. The EBA's guidelines took effect on 30 September 2019.
It is not clear why the PRA has included the additional words and it is possible that it could cause confusion about the detail which should be included in outsourcing contracts – in a cloud computing context it could frustrate cloud providers if it leads to discussions about locations of data where it is only in-transit.
Financial institutions subject to the PRA's guidance should ask the regulator to explain what its intentions are with the different wording as part of the ongoing consultation process.
Beyond the contractual requirements, the PRA has encouraged firms to adopt a risk-based approach to data location, considering data-at-rest, data-in-use and data-in-transit.
When setting their approach, firms should balance potential legal risks against "operational resilience advantages of outsourced data being stored in multiple locations".
Examples of the legal risks that should be considered are given by the PRA. They include risks that may arise under the General Data Protection Regulation (GDPR), which applies to the processing of personal data.
Other legal risks to be factored include conflicting legal or regulatory requirements and challenges to firms’ and the PRA’s ability to access data in certain jurisdictions outside the UK due to local law enforcement, legal or political circumstances. This, the PRA said, includes jurisdictions through which data may be routed.
The PRA expects firms to classify relevant data being outsourced based on their confidentiality and sensitivity.
Expanding on that broad requirement, the regulator said that data classification should "identify data which they would need to access and potentially migrate as a matter of priority in the event of disruption" to help them with other obligations they face under the guidelines on business continuity and exit strategies.
Specific classification requirements have been drafted to account for cloud outsourcing of data. The PRA said firms that plan on outsourcing data to the cloud should "assess the cloud-readiness of their on-premise data and applications", particularly "when dealing with legacy infrastructure and systems".
The PRA's expectations on firms' data security measures when outsourcing data is also set out in the draft guidelines.
Firms are expected to "implement appropriate measures to protect outsourced data" and detail those measures in their outsourcing policy and in the written agreements with outsourcing providers for material outsourcings.
"Robust controls" are mandated for data-in-transit, data-in-memory and data-at-rest. The PRA has provided examples of the preventative and detective measures it expects firms to adopt. These include: encryption; access controls and activity logs; incident detection and response planning; loss prevention and recovery measures, and; data segregation.
Firms are expected to put in train staff and monitor the effectiveness of service providers' controls on an ongoing basis. They should also have procedures in place for deleting data "from all the locations where the service provider may have stored it" in the event of exit or termination, unless it is necessary for the firm or the PRA to retain access to that data.
Since 2015, a trend towards introducing changes to bank governance rules has emerged in France. The main changes focus on the composition and functioning of supervisory bodies as well as risk management and internal controls that are put in place in financial institutions.
The Prudential Regulation Authority in France (ACPR) regularly publishes practical guidelines aimed at professionals working in the financial sector, along with the National Cybersecurity Agency (ANSSI).
With regard to data requirements financial institutions face when outsourcing in France, from a regulatory standpoint, EU legislation is applicable. There is little by way of specific national rules in France. The GDPR is applicable and, from a practical standpoint, the European Banking Authority (EBA) has also published various guidelines that set out the legal framework applicable in France for outsourcing.
In line with the EBA guidelines therefore, the register of all outsourced functions may, in particular, be forwarded at the request of the ACPR, and plans to outsource critical or important functions must be communicated each year as part of the internal control report.
Additional commentary from Pauline Binelli, a Paris-based technology law expert at Pinsent Masons, the law firm behind Out-Law.
17 Feb 2020
09 Mar 2020