On 5 December 2019, the PRA published Consultation Paper: Outsourcing and third party risk management (CP30/19). In CP30/19 the PRA sets out its proposals for modernising the regulatory framework on outsourcing and third-party risk management. The PRA’s proposals pursue the following objectives:

  • complement the policy proposals on operational resilience in Consultation Paper: Operational resilience: impact tolerances for important business services (CP29/19), which was published alongside CP30/19;
  • facilitate greater resilience and adoption of the cloud and other new technologies as set out in the Bank of England’s response to the ‘Future of Finance’ report published in June 2019;
  • implement the European Banking Authority’s (EBA) ‘Guidelines on Outsourcing Arrangements’. The draft supervisory statement appended to CP30/19 clarifies how the PRA expects banks to approach the EBA Outsourcing Guidelines in the context of its requirements and expectations. In addition, certain chapters in the draft supervisory statement elaborate on the expectations in these guidelines; and
  • take into account the European Insurance and Occupational Pensions Authority’s ‘Guidelines on Outsourcing to Cloud Service Providers’ and the EBA’s ‘Guidelines on Outsourcing to Cloud Service Providers’.

The deadline for comments to the consultation is 3 April 2020. The PRA intends to publish its final policy in the second half of 2020, in line with the final policy on operational resilience, with the implementation of the majority of the proposals shortly thereafter.