PRA issues finalised outsourcing supervisory statement

The regulator confirmed the point as it issued a policy statement and associated finalised supervisory statement on outsourcing and third party risk management on Monday.

Instead, PRA-regulated institutions – which include UK banks, building societies and PRA-designated investment firms, as well as UK insurance and reinsurance firms and groups in scope of the Solvency II regime – will have additional time to comply with the PRA's own new supervisory statement.

The PRA's supervisory statement will begin to apply on 31 March 2022. The regulator expects outsourcing arrangements entered into on or after 31 March 2021 to be compliant with its new supervisory statement by that date, but has given firms additional time to review and update pre-existing legacy outsourcing agreements "at the first appropriate contractual renewal or revision point" so that they comply with the new supervisory statement "as soon as possible on or after Thursday 31 March 2022".

Financial services and technology law expert Yvonne Dunn of Pinsent Masons, the law firm behind Out-Law, said: "Financial institutions will be pleased to see the extension of the deadline for compliance with the EBA guidelines on outsourcing, since many of them felt unable to begin remediation exercises until the PRA’s outsourcing supervisory statement was published. Given other challenges that the sector has faced during the last 12 months, this will provide a welcome additional period for firms to get organised."

"The PRA has made this decision due to the disruption and reprioritisation caused by the Covid-19 pandemic and changes to the UK, EU, and global regulatory landscape in this area (some of which are still under development at the time of publication), and in consideration of responses to [the PRA's consultation on its outsourcing supervisory statement]," it said.

Out-Law has asked the Financial Conduct Authority (FCA) to clarify its position in respect of enforcing the EBA's review deadline.

The PRA said that its new supervisory statement "should be the primary source of reference for UK firms when interpreting and complying with PRA requirements on outsourcing and third party risk management". The statement addresses a wide-range of requirements that PRA-regulated businesses will have to meet when agreeing outsourcing contracts with third party providers. It addresses matters of governance and record keeping, the oversight of sub-outsourcing arrangements, expectations in relation to cybersecurity and rights of access, audit, and information, as well as business continuity and exit planning.

Yvonne Dunn of Pinsent Masons said the PRA's finalised supervisory statement contains some improvements on provisions that it had earlier drafted and consulted on.

"The PRA has listened to comments made in the consultation, and there are areas where it is trying to clarify obligations, to assist financial institutions," Dunn said.

"For example, it has provided that it does not expect financial firms to directly monitor fourth parties in all circumstances and it has dropped the assumption that all arrangements in a prudential context are automatically outsourcing. While it will not accept that intragroup arrangements should automatically be treated differently to external third party contracts, it does acknowledge areas where a proportionate approach can be taken, including in relation to contracting," she said.

While the PRA said it believes its finalised statement is "not materially divergent" from guidelines the EBA previously published on outsourcing or on ICT security and risk management, one area where there is a difference is where the PRA refers to 'material' outsourcings to mean what the EBA otherwise terms 'critical or important' outsourcings. As with the EBA's guidelines, institutions face additional regulatory requirements in respect of 'material' outsourcings.

One example of the additional regulatory obligations the PRA has set out in this regard are the expectations the regulator has set out in relation to the advance notification of material outsourcings to it.

Dunn said: "It is clear that the PRA wants to be in the loop as early as possible and it has even suggested that in some circumstances it may be appropriate to notify the regulator of a planned material arrangement before a final service provider has been selected. Financial institutions will need to consider this carefully in relation to the timetables they set for material outsourcings."

One area where the PRA diverges from the EBA outsourcing guidelines is in relation to the flowdown of obligations to sub-outsourcers. The EBA outsourcing guidelines require flowdown of audit rights and obligations to comply with applicable law to any sub-outsourcer of a critical or important function. However, the supervisory statement only requires flowdown in the context sub-outsourcing of a critical or important function where the sub-outsourcing itself is material. This is introducing an additional materiality threshold in relation to the sub-outsourcing itself..

Dunn said: "The introduction of this additional materiality threshold will cause debate with suppliers who already question flowdown provisions – it is questionable whether it adds much value, and whether in reality there would be many sub-outsourcers to whom a critical or important outsourced function is delegated who would not be material."

Luke Scanlon, also of Pinsent Masons, pointed to further changes made to the draft guidelines the PRA had consulted on. Two particular examples arise under the broad umbrella of cybersecurity.

Scanlon said: "First, with reference to its rights of audit and access, the PRA had previously intimated that it would require firms to ensure that any encryption keys necessary to access encrypted data were accessible to it. This spurred concern from some institutions that this would in itself represent a security vulnerability. The PRA has now confirmed, however, that while institutions will need to ensure that the regulator has access to the encrypted data, they will not need to ensure it can access the encryption keys themselves."

"Second, the PRA has confirmed that, in respect of material outsourcings, access, audit, and information rights extend, where relevant, to requiring institutions to ensure that third parties agree to share the results of security penetration testing they carry out or which are carried out on their behalf. In its draft guidelines, it had required that firms ensure they have a right, where relevant, to carry out such penetration testing themselves," he said.

The PRA also issued a policy statement and guidelines on operational resilience on Monday.