PRA issues finalised outsourcing supervisory statement

Out-Law News | 30 Mar 2021 | 9:24 am | 5 min. read

The Prudential Regulation Authority (PRA) in the UK does not expect banks and investment firms subject to its regulation to meet a 31 December 2021 deadline set by the European Banking Authority (EBA) for reviewing and updating outsourcing contracts.

The regulator confirmed the point as it issued a policy statement and associated finalised supervisory statement on outsourcing and third party risk management on Monday.

Instead, PRA-regulated institutions – which include UK banks, building societies and PRA-designated investment firms, as well as UK insurance and reinsurance firms and groups in scope of the Solvency II regime – will have additional time to comply with the PRA's own new supervisory statement.

The PRA's supervisory statement will begin to apply on 31 March 2022. The regulator expects outsourcing arrangements entered into on or after 31 March 2021 to be compliant with its new supervisory statement by that date, but has given firms additional time to review and update pre-existing legacy outsourcing agreements "at the first appropriate contractual renewal or revision point" so that they comply with the new supervisory statement "as soon as possible on or after Thursday 31 March 2022".

Dunn Yvonne_April 2020

Yvonne Dunn

Partner

Given other challenges that the sector has faced during the last 12 months, this will provide a welcome additional period for firms to get organised

The EBA outsourcing guidelines began to apply from 30 September 2019 to all new outsourcing arrangements entered into after that date. However, the EBA also set a hard deadline of 31 December 2021 for institutions to review and update the documentation for legacy outsourcing arrangements of critical or important functions – other than in respect of outsourcing arrangements to cloud service providers – that they had entered into prior to the new guidelines taking effect. The EBA's guidelines also require institutions to notify their national regulator if they are unable to meet that deadline, including the measures planned to complete the review or the possible exit strategy.

The PRA has now said, though, that it "considers that it is no longer proportionate for firms to make every effort to comply with the indicative timeline and process for reviewing their material (ie critical or important) legacy outsourcing arrangements" as set out by the EBA. Nor does it expect firms to inform it if they have not met the EBA's deadline. The EBA's deadline will continue to impact institutions regulated within the EU.

Financial services and technology law expert Yvonne Dunn of Pinsent Masons, the law firm behind Out-Law, said: "Financial institutions will be pleased to see the extension of the deadline for compliance with the EBA guidelines on outsourcing, since many of them felt unable to begin remediation exercises until the PRA’s outsourcing supervisory statement was published. Given other challenges that the sector has faced during the last 12 months, this will provide a welcome additional period for firms to get organised."

"The PRA has made this decision due to the disruption and reprioritisation caused by the Covid-19 pandemic and changes to the UK, EU, and global regulatory landscape in this area (some of which are still under development at the time of publication), and in consideration of responses to [the PRA's consultation on its outsourcing supervisory statement]," it said.

Out-Law has asked the Financial Conduct Authority (FCA) to clarify its position in respect of enforcing the EBA's review deadline.

Dunn Yvonne_April 2020

Yvonne Dunn

Partner

The PRA has listened to comments made in the consultation, and there are areas where it is trying to clarify obligations, to assist financial institutions  

The PRA said that its new supervisory statement "should be the primary source of reference for UK firms when interpreting and complying with PRA requirements on outsourcing and third party risk management". The statement addresses a wide-range of requirements that PRA-regulated businesses will have to meet when agreeing outsourcing contracts with third party providers. It addresses matters of governance and record keeping, the oversight of sub-outsourcing arrangements, expectations in relation to cybersecurity and rights of access, audit, and information, as well as business continuity and exit planning.

Yvonne Dunn of Pinsent Masons said the PRA's finalised supervisory statement contains some improvements on provisions that it had earlier drafted and consulted on.

"The PRA has listened to comments made in the consultation, and there are areas where it is trying to clarify obligations, to assist financial institutions," Dunn said.

"For example, it has provided that it does not expect financial firms to directly monitor fourth parties in all circumstances and it has dropped the assumption that all arrangements in a prudential context are automatically outsourcing. While it will not accept that intragroup arrangements should automatically be treated differently to external third party contracts, it does acknowledge areas where a proportionate approach can be taken, including in relation to contracting," she said.

While the PRA said it believes its finalised statement is "not materially divergent" from guidelines the EBA previously published on outsourcing or on ICT security and risk management, one area where there is a difference is where the PRA refers to 'material' outsourcings to mean what the EBA otherwise terms 'critical or important' outsourcings. As with the EBA's guidelines, institutions face additional regulatory requirements in respect of 'material' outsourcings.

One example of the additional regulatory obligations the PRA has set out in this regard are the expectations the regulator has set out in relation to the advance notification of material outsourcings to it.

Dunn said: "It is clear that the PRA wants to be in the loop as early as possible and it has even suggested that in some circumstances it may be appropriate to notify the regulator of a planned material arrangement before a final service provider has been selected. Financial institutions will need to consider this carefully in relation to the timetables they set for material outsourcings."

One area where the PRA diverges from the EBA outsourcing guidelines is in relation to the flowdown of obligations to sub-outsourcers. The EBA outsourcing guidelines require flowdown of audit rights and obligations to comply with applicable law to any sub-outsourcer of a critical or important function. However, the supervisory statement only requires flowdown in the context sub-outsourcing of a critical or important function where the sub-outsourcing itself is material. This is introducing an additional materiality threshold in relation to the sub-outsourcing itself..

Dunn said: "The introduction of this additional materiality threshold will cause debate with suppliers who already question flowdown provisions – it is questionable whether it adds much value, and whether in reality there would be many sub-outsourcers to whom a critical or important outsourced function is delegated who would not be material."

Scanlon Luke

Luke Scanlon

Head of Fintech Propositions

While institutions will need to ensure that the regulator has access to the encrypted data, they will not need to ensure it can access the encryption keys themselves

Luke Scanlon, also of Pinsent Masons, pointed to further changes made to the draft guidelines the PRA had consulted on. Two particular examples arise under the broad umbrella of cybersecurity.

Scanlon said: "First, with reference to its rights of audit and access, the PRA had previously intimated that it would require firms to ensure that any encryption keys necessary to access encrypted data were accessible to it. This spurred concern from some institutions that this would in itself represent a security vulnerability. The PRA has now confirmed, however, that while institutions will need to ensure that the regulator has access to the encrypted data, they will not need to ensure it can access the encryption keys themselves."

"Second, the PRA has confirmed that, in respect of material outsourcings, access, audit, and information rights extend, where relevant, to requiring institutions to ensure that third parties agree to share the results of security penetration testing they carry out or which are carried out on their behalf. In its draft guidelines, it had required that firms ensure they have a right, where relevant, to carry out such penetration testing themselves," he said.

The PRA also issued a policy statement and guidelines on operational resilience on Monday.