The PRA’s Supervisory Statement on outsourcing arrangements is due later this year. We outline how it should help organisations construct outsourcing policies and arrangements which reflect their risk profile and business model.
Regulation of outsourcing in the financial services sector has changed considerably in the last few years. Not only have the sources of rules and guidance multiplied, but they’ve become more sector-specific. We now have a stew of both EU and UK rules and guidance, some replacing old rules and some complementing them. Examples are:
- articles 30 and 31 of the MiFID Org Reg[1] set out requirements for banks, building societies and MiFID investment firms when outsourcing “critical or important” operational functions;
- many of the SYSC 8 provisions that firms previously followed (such as SYSC 8.1.8R) now only apply to UCITS investment firms;
- the European Banking Authority (EBA) Guidelines on Outsourcing (EBA/GL/2019/02) came into effect on 30 September 2019, and apply to banks, building societies, MiFID investment firms, payment institutions[2] and e-money institutions. Although tending to focus on outsourcing of critical or important functions, they also contain provisions intended to apply to outsourcing generally. Moreover, they integrate the EBA’s previous recommendation on outsourcing to cloud service providers;
- the draft European Insurance and Occupational Pensions Authority Guidelines on Outsourcing to Cloud Service Providers, applicable to insurers; and
- the PRA (CP29/19) and FCA (CP19/32) consultation papers on operational resilience, both of which were published in December 2019 and touch on outsourcing.
Why does the MiFID Org Reg apply to banks and building societies?
The term “MiFID Org Reg” is a bit misleading. Although MiFID focuses on investment activities, various “Level 2 measures” also apply. One of these is the MiFID Org Reg. Although the Reg refers to “investment firms”, it explains that this includes credit institutions, i.e. banks and building societies. This approach reflects how the PRA and FCA group banks, building societies and various types of investment firms (including MiFID investment firms) under the umbrella term “common platform firm”.
Aren’t the EBA Guidelines just “guidelines”?
It’s not that simple! Under Regulation (EU) 1093/2010 establishing the EBA, the EBA has the power to issue guidelines and recommendations. Competent authorities and financial institutions must make every effort to comply with these. The FCA and PRA have both indicated they intend to comply with the EBA Guidelines – hence the PRA consultation.
The PRA Consultation Paper
The latest addition to this stew is the PRA’s Consultation Paper 30/19 on outsourcing and third party risk management, also published in December 2019. This includes a draft Supervisory Statement (draft SS) which aims to take account of many of the rules and guidelines above.
Who does it affect?
The draft SS affects banks, building societies, MiFID investment firms, insurance and reinsurance firms who fall within the scope of the Solvency II Directive, and branches of overseas banks and insurers. A few proposals also apply to credit unions and non-directive firms.
The draft SS does not apply directly to payment or e-money institutions who don’t fall within the categories above. However, because the draft SS sets out the PRA’s thinking on some of the EBA Guidelines – which apply to payment and e-money institutions – we’d advise those institutions to read it also.
It goes without saying that if you provide outsourced services to any of the organisations above, then you should be aware of the PRA proposals because these could have an impact on your service agreements.
What does the draft SS do?
The draft SS sets out the PRA’s interpretation of key terms in outsourcing and its expectations for firms who outsource functions. It covers outsourcing of critical and important functions (which it calls “material” outsourcing), as well as outsourcing generally. The draft SS is broken down into ten chapters:
- Introduction: this includes useful tables itemising existing EU legislation/guidelines and PRA rulebook provisions that apply to outsourcing.
- This explores what outsourcing is (and gives examples of what it isn’t), which is useful when considering borderline cases.
- This considers the principle of proportionality and how this should be applied when determining how to meet the PRA’s expectations. The PRA explains how proportionality differs from materiality. There is also some useful guidance on intra-group outsourcing.
- This focuses on governance and record keeping, including the PRA’s expectations concerning board engagement in outsourcing and the minimum required content for an outsourcing policy. The PRA also proposes that firms maintain an “Outsourcing Register”, with details of all outsourcing arrangements (material and non-material).
- This covers the pre-outsourcing phase and expectations regarding due diligence, risk assessment and determining materiality. It also touches on ongoing risk assessment.
- This sets out areas that the PRA expects firms to cover (as a minimum) in written agreements for material outsourcing, with some additional guidance on non-material outsourcing agreements.
- This expands on the expectations relating to data security in the EBA Guidelines, including the shared responsibility model in Cloud outsourcing.
- This covers access, audit and information rights. There is some useful discussion on third party certificates and pooled audits. These could be attractive options for firms who have fewer resources to conduct their own audits.
- This covers sub-outsourcing, i.e. the ability of the service provider to sub-contract elements of the outsourced functions.
- This expands on expectations relating to business continuity and exit plans in the EBA Guidelines. This is often a tricky point in outsourcing arrangements, so the PRA’s analysis should help firms develop their outsourcing policy and also determine what needs to go into the outsourcing agreement.
Proportionality and Materiality explained
Proportionality comes up in the EBA Guidelines. It’s a recognition by the EBA that not all organisations are the same, and not all outsourcing activities are the same. The proportionality principle aims to ensure that governance is consistent with the individual risk profile, nature and business model of the organisation, and the scale and complexity of its activities.
Materiality, on the other hand, assesses the potential impact of the outsourcing arrangement on the organisation’s safety and soundness, including the organisation’s operational resilience.
What do you need to do?
The PRA consultation closes on 3 April 2020. The PRA intends to issue the final Supervisory Statement in the second half of this year, at the same time as the final policy on operational resilience.
If you’re affected by the MiFID Org Reg and EBA Guidelines, then you already know that any new outsourcing agreements need to take account of these. Moreover, affected firms must document existing outsourcing arrangements (except for outsourcing to Cloud service providers) in line with the EBA Guidelines by 31 December 2021 – or on renewal if earlier.
In this context, the draft SS is helpful in setting out the UK regulatory view on how to interpret and implement the MiFID Org Reg and EBA Guidelines.
Our advice to clients is to familiarise yourself with the draft SS and start taking account of it now when reviewing your existing outsourcing arrangements.
- The PRA consultation helps firms affected by the MiFID Org Reg and the EBA Guidelines understand how to interpret the rules and guidelines and apply these in practice.
- It’s a useful tool when considering:
- whether outsourcing is material
- how to consider proportionality and outsourcing risk
- intra-group outsourcing
- governance and record keeping, including outsourcing policy
- pre-outsourcing diligence and risk assessment
- data security
- access, audit and information rights
- sub-outsourcing (i.e. sub-contracting)
- business continuity and exit plans
- Banks, building societies, investment firms, insurers, payment institutions and e-money institutions should read it.
Footnotes
[1] Commission Delegated Regulation (EU) 2017/565.
[2] Although not account information service providers, if this is their only activity: para. 15 of the Background to the Guidelines.