What service providers can expect from PRA risk requirements

Out-Law Analysis | 22 Mar 2022 | 2:00 pm | 5 min. read

Service providers can expect customers in the UK financial services sector to request changes to their existing contracts and to pursue new agreements that conform to tougher regulatory requirements that reflect the risks arising from those customers’ dependency on them.

Many banks, insurers, investment firms and other financial services providers are regulated by the Prudential Regulation Authority (PRA), whose supervisory statement on outsourcing and third party risk (SS2/21) includes detailed rules for contracts between the entities that the PRA regulates and their suppliers. Those rules take effect from 31 March 2022.

Which contracts?

SS2/21 sets out requirements which govern both outsourcing and non-outsourcing contracts. This is unlike other regulatory regimes which tend to focus only on outsourcing.

If a service provider supplies services that are not typically thought of as outsourcing but are delivered to PRA-regulated customers, those services may still be caught by the PRA’s framework. The PRA expects controls for material non-outsourcing contracts to be “as robust as” those included in outsourcing contracts.

However, the extent of application of the rules set out in SS2/21 to a contract is not the same for every contract. It will depend on whether the contract is for a material service or a non-material one. The level of risk associated with the contract will also be relevant to determining the extent to which it needs to comply with SS2/21.

Comply by when?

SS2/21 sets out different timelines for compliance for new and existing contracts. Any contract entered into after 31 March 2021 will be considered a new contract and will need to comply by 31 March 2022.

‘Legacy’ contracts entered into before 31 March 2021 that do not comply will need to be revised, but the date by which changes should be made is not fixed. The PRA has set out that existing outsourcing contracts need to be remediated “at the first appropriate contractual renewal or revision point … as soon as possible on or after 31 March 2022”.

While this means that those legacy contracts do not need to be revised before 31 March 2022, there is an expectation from the PRA that the financial services entities it regulates will put plans in place to revise contracts “as soon as possible” on or after that date.

What changes can we expect to see to contracts?

The PRA is focused on mitigating the risks associated with financial services entities depending on third parties for operational functions. SS2/21 includes a range of requirements for contracts aimed at addressing the risks of operational disruption and other supplier performance failures.

Service levels and corrective action

Contracts will need to be reviewed to determine whether or not they include service levels that are precise quantitative and qualitative measures of performance. Those measures will need to be supported by clear notification requirements on suppliers to enable financial services entities to monitor performance and take corrective action if the agreed service levels are not met.

Locations

The PRA is concerned with the geographical risks that can arise when services or data are provided or stored outside the UK. To comply with the PRA’s requirements, financial services entities will need visibility over the regions or countries from which services and data are provided or stored, and advance notice of changes to those locations.

Data and cybersecurity

Like regulators in other jurisdictions, the PRA “encourages” the financial services entities it regulates to “take into account global standards on ICT risk management”. Its focus is on the overall security environment of ICT suppliers. It expects robust security controls to be put in place for data-in-transit, data-in-memory, and data-at-rest and for encryption keys to be kept secure wherever there is a need for encryption.

Audit, access and cooperation

The PRA expects financial services entities to retain “full access and unrestricted rights for audit and information”. The purpose of these rights is to enable the entity to comply with its legal and regulatory obligations and monitor the service arrangement.

There are also broader obligations on the regulated entity to ensure that it can provide the PRA with any information that it requires. The PRA can require financial services entities “to provide information or produce documents with respect to any matter” and suppliers to those entities to provide information directly to the PRA which it “considers is or might be, relevant to the stability of the UK financial system”.

Sub-outsourcing and fourth party risk

The PRA is particularly concerned about the risks of long supply chains and has introduced specific expectations around approval processes and visibility of sub-outsourcers. Those expectations include confirmation that suppliers have robust testing and monitoring arrangements in place with their sub-outsourcers, and that they can give assurance that the financial services entity, as the supplier’s customer, and the PRA, as the customer’s regulator, will have “equivalent contractual access, audit, and information rights” over sub-outsourcer premises, systems and information.

Business continuity and operational resilience

There is a clear focus on not just developing but also testing business continuity plans. The PRA wants to see that both financial services entities and their suppliers have in place and test their own business continuity plans and that they take reasonable steps to support the testing of each other’s plans where appropriate. 

Business continuity plans and tests should focus on the potential for severe interruptions to operations. Financial services entities will focus on the practicalities around the extent to which business continuity measures put in place by their suppliers support their own compliance with broader impact tolerance and operational resilience requirements.

Termination and exit

While the PRA has not generally prescribed the circumstances in which it expects financial services entities to terminate agreements with suppliers, it has set out specific expectations for terminating contracts where sub-outsourcing failures occur. It expects those entities to terminate their contracts with suppliers if a sub-outsourcing arrangement materially increases the risk of the supplier arrangement or a new sub-outsourcing begins without the entity receiving prior notification of it.

The PRA expects to see financial services entities prepare for exits in stressed circumstances – for example, following the failure or insolvency of a supplier – as well as in non-stressed circumstances – where the relationship comes to an end through a planned and managed process for commercial, performance, or strategic reasons. Like with business continuity plans, there is an expectation that exit plans will be tested.

Overlap with EBA and other frameworks

Regulatory compliance for financial services entities has become more complex over recent years. Not only do UK financial services entities need to consider the requirements of both the PRA and the Financial Conduct Authority (FCA), but, where they have EU operations, regulatory frameworks put in place by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) may also be relevant.

In some EU countries, local regulators have issued their own locally applicable rulesets too. Where this has occurred, additional requirements may also form part of the basis of requests for change or the terms of new contracts. 

It is likely that operational resilience will continue to be a core focus of financial regulators in the years ahead. This means that suppliers and service providers to regulated financial services entities should expect regulatory frameworks to impose further requirements on those entities, and that some of these requirements will flow down to their contracts.

In the UK, the PRA and FCA regimes fully come into force in 2025, although there are also milestone deadlines along the way.

At EU level, a draft regulation on digital operational resilience for the financial sector is currently undergoing negotiation. This draft regulation is likely to impose further requirements and potentially revise some existing ones.

These developments give suppliers good reason to get equipped to understand the changes to regulatory frameworks currently taking place. A detailed understanding of these changes will help suppliers put forward practical solutions to give their financial services customers comfort that services are compliant with regulation.
