Outsourcing, Third Party Risk Management and Operational Resilience
DLA Piper, March 2021

After a period of anticipation, the PRA issued (on 29 March 2021) two linked Policy Statements and associated Supervisory Statements, namely:

a. Policy Statement PS7/21 and Supervisory Statement SS2/21 on Outsourcing and Third Party Risk Management; and
b. Policy Statement PS6/21, Supervisory Statement SS1/21 and PRA Rules on Operational Resilience: Impact Tolerances for Important Business Services.

These are the results of widespread consultation following the PRA's Consultation Paper 30/19 in December 2019, and consolidate the PRA's requirements regarding not just outsourcing arrangements but also other material service arrangements. Significantly, they apply both to banks and insurers, and so help to create a more coherent and consistent regulatory landscape for financial services firms in the UK. They are also specifically geared to the post-Brexit landscape: they enact those European requirements which will continue to be relevant going forward (e.g. the EBA Guidelines on Outsourcing) whilst only "taking note" of those which will not (e.g. the EIOPA outsourcing guidelines and the ESMA guidelines on outsourcing to cloud service providers), albeit that the PRA has stated that it anticipates its requirements will be "at least equivalent" to those other European provisions.

Looking at Operational Resilience and Supervisory Statement SS1/21 first, the requirements take effect from 31 March 2022. Firms must have a plan for compliance in effect before that date, but the PRA recognises that the "full extent of sophistication" of mapping and scenario testing may not be completely in place by then. There may then be a further period to make any necessary progress on the issues identified and to bring recovery times back within the identified impact tolerances; the long-stop date for this is set at 31 March 2025.

SS1/21 focusses upon "important business services", i.e. the services which, if disrupted, would impact the PRA's objectives and thereby the public interest (and which could pose a threat to the firm's safety or soundness or, ultimately, the financial stability of the UK). Policyholder protection is also a designated focus for insurers. The focus is accordingly away from individual systems and towards continuity of services to end users. Specifically, it does not include internal services (such as HR) per se, i.e. on a standalone basis; the PRA is giving priority to those services which are outward facing. However, if internal services form part of the "chain" of activities which underpin an important business service, then they do need to be included in the firm's mapping, testing and remediation plans.

The key obligation is to identify all "severe but plausible" exposures in relation to the important business services, and then to set an "impact tolerance" for each one, i.e. the maximum period or extent of disruption which would be bearable. Once these tolerances have been set, firms will need to put in place whatever measures are required to ensure that they will not be breached in practice. This is clearly a substantial exercise and one which will need to be put in train at an early stage.

SS1/21 expressly cross-refers to SS2/21 in terms of the need to include outsourcing arrangements within the risk mapping exercise, but SS2/21 itself goes further and looks to translate the EBA Guidelines on outsourcing into the UK regulatory regime.
All outsourcing arrangements entered into on or after 31 March 2021 should meet its expectations by 31 March 2022; legacy contracts (those entered into before 31 March 2021) are to be reviewed and updated at "the first appropriate contractual renewal or revision point" so as to meet SS2/21 expectations "as soon as possible on or after 31 March 2022" (a welcome extension beyond the original December 2021 deadline envisaged by the EBA). Note therefore that legacy contracts might not need to be fully compliant as of 31 March 2022 come what may, which may be a relief to firms who are not yet well advanced in their EBA remediation programmes.

On the flip side, however, the PRA has stated that it expects firms to assess the materiality and risks of ALL third party arrangements, irrespective of whether they fall within the usual definition of "outsourcing" (so as to include other forms of services arrangements, such as system implementation projects, for example). Where such arrangements are identified as material or high risk, there should be "proportionate, risk based, suitable controls" which are as robust as those which would apply to an outsourcing agreement of equivalent materiality or risk. A critical non-outsourcing agreement may therefore attract MORE stringent requirements than a less critical outsourcing arrangement. This has implications for those firms who are already part way through their EBA remediation programmes, as they may now need to bring into scope contracts which are not considered "outsourcing" arrangements but which the PRA would consider material to the firm's operations. A good example would be a major IT/platform implementation project.

SS2/21 generally mirrors the approach and terminology of the EBA Guidelines, and focusses upon "material" outsourcing arrangements, i.e.
those services of such importance that weaknesses or failures in relation to them would cast serious doubt upon the firm's continued satisfaction of the threshold conditions or compliance with the Fundamental Rules. The PRA has however clarified that this also includes services described elsewhere in EU legislation as "critical or important" functions.

SS2/21 also contains certain subtle but potentially important deviations from some of the detailed requirements of the EBA Guidelines. For example:

• Section 6.4 sets out the list of topics/headings which should be considered, but without absolute prescription as to what the clauses should ultimately say. For example, it is said that firms "may" elect to limit contractual termination rights to situations such as "material" breaches of law, regulation or contractual provisions, or risks beyond the firm's tolerance. This appears to be materially more flexible than the equivalent EBA statement on termination rights in section 13.4 of the EBA Guidelines.

• Whilst the detail of the audit requirements appears to mirror that in the EBA Guidelines, an important difference is that SS2/21 states that the obligation upon the firm is to take "reasonable steps" to procure the inclusion of the relevant audit provisions in the final written agreement, rather than the outright obligation to "ensure" their inclusion which appears in section 13.3 of the EBA Guidelines. The PRA also appears more amenable to the use of pooled audits than the EBA, in that there is no absolute requirement that firms retain the right to undertake individual audits come what may: whilst the right must be maintained to undertake additional information/audit access "where justified from legal, regulatory or risk management perspectives", SS2/21 states that such additional audits can be individual OR pooled.

• The restrictions regarding sub-outsourcing are applied to "material" sub-outsourcing (as per section 9), which helps resolve the doubt as to whether the EBA's equivalent provisions were intended to apply to ALL sub-outsourcings or only to those of critical or important functions.

There are at least no additional requirements beyond what the EBA Guidelines had envisaged, which will be a relief to those firms who are already some way into their remediation programmes (albeit that, as noted above, they may now need to expand the scope of those programmes to cover services arrangements which are "material" but would not otherwise have been seen as a form of outsourcing). It is also worth noting that whilst SS2/21 will be the primary reference source for PRA requirements on outsourcing, the other existing regulations (e.g. SYSC, MiFID II) remain relevant and would need to be considered, albeit that they tend to be less prescriptive than the EBA Guidelines and now SS2/21 in any event.

The key differences between the EBA Guidelines on Outsourcing Arrangements and SS2/21 on Outsourcing and Third Party Risk Management are set out below, issue by issue.

KEY CONCEPTS

Issue: When does it come into force?
EBA Guidelines: 30 September 2019.
SS2/21: 31 March 2022. Outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations in the SS by 31 March 2022. Outsourcing arrangements entered into before 31 March 2021 should be reviewed and updated at the "first appropriate contractual renewal or revision point" so as to meet the requirements of the SS as soon as possible on or after 31 March 2022.

Issue: What does it implement?
SS2/21: The EBA Guidelines on outsourcing arrangements and some elements of the EBA Guidelines on ICT and security risk management.

Issue: What is the status of other applicable European guidelines / requirements?
SS2/21: The PRA is not implementing the following:
• EIOPA Guidelines on outsourcing to cloud service providers;
• EIOPA Guidelines on information and communication technology security and governance;
• ESMA Guidelines on outsourcing to cloud service providers.
The SS should be the primary reference point for UK firms when ascertaining the requirements of the PRA. Firms with operations in both the UK and the EU should comply with the applicable Guidelines in respect of their EU operations. The SS also sets out a range of other requirements (at both a European and a UK level) that firms need to take into account and adhere to.

Issue: To whom does it apply?
EBA Guidelines: Broadly: credit institutions, meaning banks; MiFID investment firms; payment institutions and electronic money institutions.
SS2/21: UK banks, building societies and PRA-designated investment firms, plus insurance and reinsurance firms and groups within the scope of Solvency II, including the Society of Lloyd's and managing agents; and UK branches of overseas banks and insurers.

Issue: Does it cover intra-group arrangements?
EBA Guidelines: The Guidelines apply to intra-group arrangements.
SS2/21: The principles apply on the same basis as if the service provider were outside the group, but requirements can be applied proportionately depending on the level of "control and influence" exercised by the customer. Outsourcing to an overseas intra-group company needs to comply with UK legal and regulatory requirements.

Issue: To what does it apply?
EBA Guidelines: Arrangements within the EBA's definition of "outsourcing" (see the definition below).
SS2/21: Arrangements within the PRA's definition of "outsourcing" (see the definition below), together with some other third party arrangements.

Issue: How is "outsourcing" defined?
EBA Guidelines: A provider which "performs a process, a service or an activity that would otherwise be undertaken by the [customer] itself". There should be some characteristic of recurrence or ongoing supply to help distinguish the service from purchasing. There is a list of arrangements that "as a general principle" would not be considered outsourcing.
SS2/21: The PRA Handbook defines outsourcing as: "an arrangement of any form between a customer and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the customer itself". Consideration should be given to whether the third party will perform the relevant function or service on a recurrent or ongoing basis. The SS also provides that a number of arrangements "as a general principle" should not be considered outsourcing (known as "non-outsourcing third party arrangements"). These are:
• Purchase of hardware, software and other ICT products, including:
  – Design and build of an on-premise IT platform
  – Purchase of data from third party providers
  – "Off the shelf" machine learning models, including samples of the data used to train and test the models, and OSS and machine learning libraries developed by third party providers.
• In the case of insurers, the use of aggregators, and delegated underwriting.

Issue: How is cloud treated?
Cloud is not automatically deemed a form of outsourcing. SS2/21 contains specific guidance to help firms deploy cloud "in a safe and resilient manner". In particular, the SS recognises the shared responsibility model in respect of data outsourced to the cloud, whereby:
• the firm is responsible for what is in the cloud and the service provider is responsible for the cloud;
• firms are responsible for identifying and classifying data in line with regulatory obligations, and for the configuration and monitoring of that data to reduce security and compliance incidents; and
• cloud service providers assume responsibility for the infrastructure running the outsourced service, e.g. data centres, hardware, software, etc.