On 8 February 2023, the Bank of England (BoE) published its policy on outsourcing and third party risk management for Financial Market Infrastructures (FMIs). The finalisation of this policy follows the BoE’s consultation in 2022.
The aims of the policy are to facilitate greater resilience and adoption of cloud and other technologies, set out the BoE’s requirements and expectations in relation to outsourcing and third party risk management in FMIs, and complement the BoE’s policy on FMI operational resilience.
The policy has been issued in the form of Supervisory Statements for central counterparties (CCPs), central securities depositories (CSDs), and recognised payment system operators (RPSOs) and specified service providers (SSPs), with each Supervisory Statement setting out the BoE’s requirements and expectations relating to FMIs’ outsourcing and third party risk management. The BoE has also issued an outsourcing and third party risk management part to be added to the Code of Practice applying to relevant RPSOs and SSPs.
A Policy Statement has also been issued which provides feedback to the responses received to the earlier consultations. The BoE states that it has made only minor changes to the Supervisory Statements and Code of Practice for RPSOs and SSPs from that consulted on.
FMIs will be expected to comply with the expectations in the relevant Supervisory Statement – and for RPSOs and SSPs, the requirements in the Code of Practice also – by 9 February 2024. Outsourcing arrangements entered into on or after 8 February 2023 should meet the expectations in the relevant Supervisory Statement and/or Code of Practice by 9 February 2024. FMIs should seek to review and update legacy outsourcing agreements entered into before 8 February 2023 at the first appropriate contractual renewal or revision point to meet the expectations in the relevant Supervisory Statement as soon as possible on or after 9 February 2023.