On 14 April 2022, the Bank of England (BoE) published three consultation papers on "Outsourcing and third party risk management" applicable to Financial Market Infrastructures (FMIs). FMIs are the networks that allow financial transactions to take place by providing the clearing, settlement and recording of financial transactions. FMIs include payment network providers like Visa, MasterCard, BACS and LINK. A full list of FMIs can be found here.

There are three Consultation Papers, containing draft Supervisory Statements, with proposals applicable to:

  • central counterparties (CCP Paper);
  • central securities depositories (CSD Paper); and
  • recognised payment system operators and specified service providers (RPSO & SSPs Paper), which is provided alongside a draft outsourcing and third party risk management chapter of the Code of Practice for recognised payment system operators.

The FMI Supervisory Statements are not binding, but they will provide FMIs with guidance on how the BoE intends to assess compliance with outsourcing and third party risk management.

Draft Supervisory Statements

Each Consultation Paper has appended to it a draft Supervisory Statement (an FMI Supervisory Statement) that explains the BoE’s supervisory approach to outsourcing and third party risk management, and sets out the BoE's expectations on how firms should comply with these regulatory requirements.

Each FMI Supervisory Statement contains provisions dealing with:

  • definitions of "third party" and "outsourcing" and outlining the scope (chapter 2);
  • proportionality (chapter 3);
  • governance and record-keeping (chapter 4);
  • pre-outsourcing phase (chapter 5);
  • outsourcing agreements (chapter 6);
  • data security (chapter 7);
  • access, audit and information rights (chapter 8);
  • sub-outsourcing (chapter 9); and
  • business continuity and exit plans (chapter 10).

Notably, these chapters cover the same ground as the Prudential Regulation Authority (PRA) supervisory statement "Outsourcing and third party risk management" (SS2/21), which many firms in the financial services sector have had to comply with since 31 March 2022.[1]

Contractual Requirements

Chapter 6 of each FMI Supervisory Statement contains detailed requirements for provisions which FMIs must include in their "critical" outsourcing contracts. These cover a wide range of matters, such as service levels, audit, sub-contracting and cooperation with regulators. The requirements are largely the same as those specified in SS2/21, save for the following differences:

  • SS2/21 applies to "material" contracts, whereas the FMI Supervisory Statements refer to "critical" contracts. Third parties are considered "critical" if the continuous, secure and efficient delivery of the services may be critical to the operations of the FMI. This is, in practice, consistent with the definition of "material" in SS2/21;
  • the FMI Supervisory Statements have introduced a new requirement that written agreements for critical outsourcing arrangements must set out the extent to which the provision of each important business service of the firm is dependent on the third party[2]. This is clearly intended to implement the BoE's approach to operational resilience (firms must now identify their important business services, set impact tolerances for the maximum tolerable disruption and carry out mapping and testing to a level of sophistication necessary to do so). However, it is not clear how the BoE expects this to be achieved in practice. FMIs will be reluctant to set out an exhaustive list of every dependency on their third party suppliers in the contract, but a broad statement that the FMI is dependent on the services as a whole may not be sufficient;
  • the FMI Supervisory Statements require detailed consideration of the business continuity plans, including requiring the consideration of the recovery time and recovery point objectives.[3] Similarly, where SS2/21 requires both parties to take "reasonable" steps to develop a business continuity plan[4], the FMI Supervisory Statements require such steps to also be "proportionate";[5]
  • the SS2/21 requirement to reference the BoE's resolution powers under BRRD is not included in the FMI Supervisory Statements (as it is not relevant to FMIs). Instead, the FMI Supervisory Statements require the FMI to include a much broader, unqualified, contractual obligation on the service provider to cooperate with the BoE, without any reference to the scope or purpose of this cooperation. This will no doubt lead to service providers seeking to limit the scope of the obligation in their contracts and the FMIs being unsure if such limitation is permitted by the FMI Supervisory Statements;[6] and
  • in the RPSO & SSPs Paper only, there is a firm obligation to include the specified mandatory termination rights and exit plans (in SS2/21 and the other FMI Supervisory Statements, these need to be included only "where relevant")[7].

Non-outsourcing and third party contracts

The FMI Supervisory Statements make clear the BoE expects FMIs to assess the risks of all third party arrangements, irrespective of whether they fall within the definition of "outsourcing"[8]. This is notable, as SS2/21 takes an arguably softer approach, requiring a proportional approach for non-outsourcing contracts and allowing more scope for judgment. In practice, while the contractual requirements at Chapter 6 (described above) are stated to apply to "critical outsourcing" arrangements, FMIs will need to take a largely similar approach for non-outsourcing agreements.

The FMI Supervisory Statements are also very clear that they apply equally to intra-group arrangements.

Timescales

The consultations close to responses on 14 July 2022 and the BoE proposes to publish its final policies in the second half of 2022, followed by sufficient time for implementation.[9]

Firms should ensure they respond to these consultations so that their voices are heard, particularly as the responses provide firms with an opportunity to address the concerns they may have in implementing the requirements.

In part, these Consultation Papers complement the suite of Operational Resilience policies published by the BoE in March 2021 and the suite of letters concerning material outsourcing to the public cloud published by the BoE in September 2021. This reflects the high regulatory priority of operational resilience and a concern for regulators to ensure risks arising from the failure of third party service providers are carefully managed. With the EU’s Digital Operational Resilience Act (DORA) on track to be agreed before the summer, this will continue to be a regulatory focus area for all participants in the financial services sector for the foreseeable future.

In many cases, FMIs will already have been directly, or indirectly (via contractual flow-down requirements), required to comply with the EBA Outsourcing Guidelines and/or SS2/21 from 31 March 2022. To the extent this is true, becoming compliant with the FMI Supervisory Statements will not be a huge additional effort. However, the hardening of the position on non-outsourcing agreements potentially brings a large number of additional contracts into scope for review. While many of the contractual requirements would be included in a well-drafted agreement in any case, some specific requirements around audit, regulatory cooperation and dependencies will go significantly further than is typical in an unregulated contract.

In practice, the steps to be followed by FMIs to achieve compliance with the FMI Supervisory Statements will be very similar to those required for previous outsourcing regulations (see our previous article on the five steps to deliver a remediation project here). Following the passing of the SS2/21 deadline on 31 March 2022, FMIs will be able to hire experts with hands-on and recent experience of delivering complex remediation projects.