PRA tightens rules on outsourcing of data

The regulator is holding a consultation until 3 April on proposed new guidance on outsourcing and third party risk management. The draft guidance sets out a range of requirements around data, including specific obligations around its location, classification and security. Those requirements effectively prescribe what until now have been considered good practice behaviours that financial institutions should already be familiar with in complying with data protection law and rules set by the Financial Conduct Authority.

The PRA's requirements around the location of data, however, are subtly different to those contained in European Banking Authority (EBA) guidance that is already in force. The differences require further explanation from the UK regulator given the potential implications for outsourcing contracts.

This is part of a series of articles looking at different aspects of the PRA's draft outsourcing guidance. The guidance is relevant to banks, insurers and investment firms, among others and addresses a wide-range of issues, including sub-outsourcing, access and audit rights and data requirements.

Broad data requirements

In its draft guidance, the PRA explained that where a material outsourcing agreement involves the transfer of data, the PRA expects firms to define, document and understand their and the service provider’s respective responsibilities in respect of that data and take appropriate measures to protect them.

For the purposes of the guidance, 'data' is to be interpreted broadly as including confidential, firm, sensitive and transactional data as well as the systems used to process, transfer or store data.

The PRA said it expects firms to classify relevant data being outsourced based on their confidentiality and sensitivity, and also identify potential risks relating to outsourced data and their impact. Firms are also expected to agree an appropriate level of data availability, confidentiality and integrity.

Among the risks that the PRA expects firms to consider include the risk of inappropriate access, insider threats, loss of data, unavailability of data and the unauthorised modification of data.

Obligations on data location

The PRA has set out its minimum expectations on the contents of written agreements for material outsourcings. It includes requirements regarding the location of data.

The PRA said the written agreement should detail "the location(s), ie regions or countries where the material function or service will be provided, and/or where relevant data will be kept and stored, processed or transferred, including a requirement for the service provider to notify the firm in advance if it proposes to change said location(s)".

Other than the addition of the words 'or transferred', the text almost mirrors exactly what is set out in the EBA's guidelines on outsourcing. The EBA's guidelines took effect on 30 September 2019.

It is not clear why the PRA has included the additional words and it is possible that it could cause confusion about the detail which should be included in outsourcing contracts – in a cloud computing context it could frustrate cloud providers if it leads to discussions about locations of data where it is only in-transit.

Financial institutions subject to the PRA's guidance should ask the regulator to explain what its intentions are with the different wording as part of the ongoing consultation process.

Beyond the contractual requirements, the PRA has encouraged firms to adopt a risk-based approach to data location, considering data-at-rest, data-in-use and data-in-transit.

Data classification 

The PRA expects firms to classify relevant data being outsourced based on their confidentiality and sensitivity.

Expanding on that broad requirement, the regulator said that data classification should "identify data which they would need to access and potentially migrate as a matter of priority in the event of disruption" to help them with other obligations they face under the guidelines on business continuity and exit strategies.

Specific classification requirements have been drafted to account for cloud outsourcing of data. The PRA said firms that plan on outsourcing data to the cloud should "assess the cloud-readiness of their on-premise data and applications", particularly "when dealing with legacy infrastructure and systems".

Data security

The PRA's expectations on firms' data security measures when outsourcing data is also set out in the draft guidelines.

Firms are expected to "implement appropriate measures to protect outsourced data" and detail those measures in their outsourcing policy and in the written agreements with outsourcing providers for material outsourcings.

"Robust controls" are mandated for data-in-transit, data-in-memory and data-at-rest. The PRA has provided examples of the preventative and detective measures it expects firms to adopt. These include: encryption; access controls and activity logs; incident detection and response planning; loss prevention and recovery measures, and; data segregation.

Firms are expected to put in train staff and monitor the effectiveness of service providers' controls on an ongoing basis. They should also have procedures in place for deleting data "from all the locations where the service provider may have stored it" in the event of exit or termination, unless it is necessary for the firm or the PRA to retain access to that data.

The position in France

Since 2015, a trend towards introducing changes to bank governance rules has emerged in France. The main changes focus on the composition and functioning of supervisory bodies as well as risk management and internal controls that are put in place in financial institutions.

The Prudential Regulation Authority in France (ACPR) regularly publishes practical guidelines aimed at professionals working in the financial sector, along with the National Cybersecurity Agency (ANSSI).