PRA provides much needed guidance on outsourcing and third party service arrangements
On 29 March 2021, the PRA published its long awaited Supervisory Statement (SS2/21) (and associated Policy Statement (PS7/21)) on outsourcing and third party risk management.
PS7/21 provides the PRA's feedback to responses received to Consultation Paper (CP) 30/19 ‘Outsourcing and third party risk management’, and SS2/21 sets out the PRA’s supervisory expectations with respect to outsourcing arrangements. SS2/21 comes into effect on 31 March 2022. The PRA explicitly confirms that firms do not need to work to the 31 December 2021 deadline in the EBA outsourcing guidelines or inform the PRA of any contracts firms fail to remediate by 31 December 2021.
SS2/21 broadly keeps to the same obligations that are applicable to firms under the EBA Guidelines on Outsourcing. However, the PRA also states that it expects "material" non-outsourcing third-party agreements to be subject to controls which are as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality.
In addition to revised compliance timelines, SS2/21 also brings with it some much needed clarification on actions firms can take where a service provider cannot (for legitimate reasons) practically agree to certain outsourcing requirements under the EBA's Outsourcing Guidelines.
In this briefing, we provide an overview of SS2/21 (also referred to as the "SS") and the PRA's expectations.
Who is impacted by SS2/21?
SS2/21 is relevant to:
- banks, building societies, PRA-designated investment firms (referred to in SS2/21 as "banks");
- Solvency II insurance and reinsurance firms ("insurers"); and
- branches of overseas banks and insurers ("third-country branches").
(together, "firms").
Parts of SS2/21 also impact credit unions and non-directive firms.
SS2/21 should be read alongside the EBA Guidelines on Outsourcing which remain effective. FCA solo-regulated firms are not in scope of the PRA's Supervisory Statement, and should continue to comply with the EBA Guidelines on Outsourcing, per the FCA's expectations.
When does SS2/21 come into force?
SS2/21 comes into effect on 31 March 2022. For agreements entered into on or after 31 March 2021, firms need to be compliant with the expectations in SS2/21 by 31 March 2022.
However, the PRA has provided additional time for legacy outsourcing and other in-scope third party agreements entered into prior to 31 March 2021. For legacy agreements, the PRA expects firms to review and update such agreements "at the first appropriate renewal date or revision point" of the agreement, even where that falls post-31 March 2022.
The PRA has confirmed that firms do not need to work to the 31 December 2021 deadline set out in the EBA Outsourcing Guidelines or update the PRA in relation to any contracts the firm fails to remediate by 31 December 2021.
What does this mean for in-scope firms?
A. Primary source of reference
As mentioned above, SS2/21 should be read alongside the EBA Guidelines on Outsourcing which remain applicable and effective. The PRA explains that where it considered it justified to do so, it has elaborated on the EBA's Outsourcing Guidelines within the SS. The PRA considers its additional guidance results in clearer and more consistent policy.
The PRA states that the SS should be the primary source of reference for in-scope firms when interpreting and complying with PRA requirements on outsourcing and third-party risk management.
In our view, the PRA's guidance within the SS provides greater regulatory certainty and will help firms better navigate the requirements of the EBA Guidelines. This is particularly the case for areas which have traditionally been negotiation "pinch" points – see point G below.
B. Broader range of agreements in-scope
SS2/21 applies to all outsourcings but certain parts of the SS also apply to certain "non-outsourcing third party arrangements", which otherwise fall out of scope of the EBA Outsourcing Guidelines. Non-outsourcing third party arrangements include the purchases of hardware, software, and other ICT products, such as:
- the design and build of an on-premise IT platform;
- the purchase of data collated by third party providers (data brokers), e.g. geospatial data or data from in-app device activity, social media, etc.; and
- ‘off-the-shelf’ machine learning models, including samples of the data used to train and test the models, open source software, and machine learning libraries developed by third party providers.
The PRA expects firms to assess the materiality and risks of non-outsourcing third party arrangements as well as outsourcing arrangements. Where a firm deems a non-outsourcing third party arrangement "material" or "high risk" it should implement proportionate controls appropriate to the risk, and as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality. These do not need to be the same as the controls which apply to outsourcing, but firms should apply stricter controls to "material" non-outsourcing third party arrangements than to non-material outsourcing arrangements.
C. Additional clarification on what is a "material" outsourcing
The PRA categorises outsourcings based on whether or not they are "material" outsourcings. This is different to the categorisation terminology used in the EBA Outsourcing Guidelines and MiFID rules, which categorise using the concept "critical or important". However, in the SS the PRA confirms that its definition of a "material" outsourcing is substantively aligned with the criteria for a "critical or important" outsourcing under the EBA Guidelines, with a few exceptions. For example, a firm should generally consider an outsourcing or third party arrangement as material where a defect or failure in its performance could materially impair the:
1. Financial stability of the UK;
2. Firms':
a. ability to meet the Threshold Conditions;
b. compliance with the Fundamental Rules;
c. requirements under "relevant legislation" and the PRA Rulebook;
d. safety and soundness (including both financial and operational resilience);
e. operational continuity in resolution ("OCIR") and (if applicable) resolvability. This means that if a firm outsources a service to which OCIR applies, this will typically be a "material" outsourcing, but that not all material outsourcing will be in scope of OCIR (the Outsourcing SS makes clear that "critical services" in the OCIR context should not be confused with "material outsourcing").
SS2/21 also notes that although Notifications 2.3(1)(e) only applies to material outsourcing arrangements (as currently written), material non-outsourcing third-party arrangements may constitute information of which the PRA would reasonably expect notice and consequently the PRA expects firms to bring these arrangements to its attention in the same way it would material outsourcing arrangements.
Firms should ensure they have factored the PRA's criteria and expectations into their assessment process for determining the materiality of an outsourcing or third party arrangement.
D. Further clarity on governance arrangements and expectations
The SS provides further clarity on the governance arrangements related to outsourcing and third-party arrangements, including under the Senior Managers and Certification Regime ("SMCR").
Specifically, in the SS the PRA confirms its expectations in respect of the following:
- board engagement on outsourcing;
- allocation of responsibilities and SMCR prescribed responsibilities;
- outsourcing policies; and
- record-keeping requirements, in particular the Outsourcing Register.
Firms should consider the PRA's statements on governance alongside current arrangements and practices to ensure they are compliant.
E. Proportionality and intragroup arrangements
In the SS, the PRA has provided guidance on the application of the proportionality principle as well as the treatment of intragroup arrangements.
The PRA provides that firms should meet the expectations in the SS in a manner appropriate to their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function, in line with the principle of proportionality.
The PRA clarifies that proportionality and materiality of outsourcing arrangements are separate but complementary concepts, and firms should consider the links between the two. Accordingly, firms should ensure that they are not using the proportionality principle to 'downgrade' an arrangement from being 'material' to 'non-material'. The PRA also considers that proportionality and materiality can change over time and that firms should reassess both as appropriate.
The PRA also confirms that intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers external to a firm's group, and should not, therefore, be treated as being inherently less risky. The PRA also confirms that a written agreement is always required – even in intragroup arrangements.
However, the PRA provides that, in accordance with MiFID and Solvency II rules, firms may comply with some of the outsourcing requirements proportionately depending on their level of "control and influence" over the entity that is providing the outsourced service. The PRA goes on to provide further guidance regarding how the level of control and influence may be determined.
Depending on its level of control and influence in respect of intragroup outsourcing arrangements, a firm may, for example, adjust vendor due diligence processes, consolidate notifications to the PRA of material outsourcing into one notification, rely on a group member's stronger negotiating and purchase power to enter into group-wide arrangements with external third parties, and adapt certain clauses in written outsourcing agreements.
This guidance is useful for firms with intragroup outsourcing arrangements. It is recommended that firms seeking to rely on proportionality in group settings record or document their assessment as to "control and influence".
F. Approaches to access, audit and information rights
The PRA expects firms to adopt a risk-based approach to access, audit, and information rights in respect of non-material outsourcing arrangements. In doing so, they should take into account the arrangement’s riskiness and the likelihood of it becoming material in the future. All relevant provisions in the EBA Guidelines on Outsourcing will continue to apply but SS2/21 appears to give greater flexibility to firms to interpret these in a manner proportionate to the materiality of the outsourcing.
SS2/21 still requires firms to ensure that they maintain equivalent access, audit and information rights as required under the EBA Guidelines on Outsourcing. However, it provides guidance to state that where an onsite audit may create an unmanageable risk for the environment of the service provider or its other clients (e.g. by impacting service levels or confidentiality of data), the firm and service provider may agree an alternative method to provide equivalent levels of assurance. This may include specific controls to be tested in a report or certification. The PRA does still expect firms to retain their underlying right to conduct an onsite audit.
G. Clarification on key negotiation "pinch" points
SS2/21 confirms that where an outsourced service provider in a material outsourcing arrangement is unable or unwilling to contractually facilitate a firm's compliance with the requirements under SS2/21 (or other regulatory obligations and expectations), firms should make the PRA aware of this.
The implication is that firms may, in certain circumstances, agree to service agreements which do not fully meet the requirement mandated by SS2/21. However, it is unclear from the SS whether the firm is required to make the PRA aware of such an outcome before or after conclusion of the agreement.
In addition, in response to feedback that it is difficult for firms to conduct penetration ("PEN") testing on service providers, the PRA has included a clarification that access, audit and information rights in material outsourcing arrangements should include the results of PEN testing by the service provider. It is therefore implicit that the PRA accepts that there will be cases where firms are not able to agree to conduct PEN testing on service providers themselves.
What do in-scope firms need to do?
A key point for firms in the short term is that SS2/21 brings greater focus on material non-outsourcing third party arrangements, in stating that these should largely be treated in a similar way to equivalently categorised outsourcings. Firms should therefore review their processes to ensure that all material third party agreements are captured as potentially being in scope of the PRA's expectations in SS2/21, rather than only those agreements which amount to outsourcings.
Additionally, the change to the timeline is good news for firms, meaning that they no longer need to remediate existing outsourcing agreements by December 2021. However, in practical terms, firms will need to ensure that any outsourcing agreements entered into on or after 31 March 2021 meet the requirements in SS2/21, as these must be compliant by 31 March 2022. With respect to legacy agreements entered into before 31 March 2021, larger firms may consider proceeding with a structured remediation process, in order to ensure all in-scope agreements are uplifted in line with the expectations set out in the SS. Firms that prefer to update agreements on a rolling basis at the "first appropriate renewal date or revision point" should consider whether they have in place processes which enable them to identify when that renewal or revision date will occur and to ensure that the necessary review and remediation does in fact take place at that time.
Firms should continue to notify the PRA ahead of entering into or significantly changing a material outsourcing arrangement, but should also remember the requirement to make the PRA aware of any instances where a third party service provider is unable or unwilling to include a required term within an outsourcing agreement.
Firms should also take into account the PRA's expectations regarding governance arrangements and ensure they have in place the necessary processes and procedures, including outsourcing policies and registers. In PS7/21, the PRA confirmed it intends to publish a subsequent consultation later this year setting out proposals for an online portal where firms would submit the data in their outsourcing registers, or parts thereof, to the PRA. In light of this, firms should consider whether internal records and registers are well-maintained, fit for purpose, and meet existing record-keeping requirements and expectations within the EBA Outsourcing Guidelines.
Authors: Henry Glasford (Associate) and Vidhi Mahajan (Associate)