On 29 March 2021, the PRA published Policy Statement 7/21: Outsourcing and third party risk management (PS7/21).

In PS7/21 the PRA provides feedback to responses to Consultation Paper 30/19: Outsourcing and third party risk management (CP30/19). It also contains the PRA’s final Supervisory Statement 2/21: Outsourcing and third party risk management (SS2/21).

In CP30/19, the PRA proposed to modernise its expectations relating to outsourcing and third party risk management, through a Supervisory Statement that would set out how the PRA expects firms to comply with the wide range of existing requirements in this area throughout the lifecycle of an arrangement. Having considered the responses to CP30/19, the PRA has made targeted revisions to the final policy, making amendments to the final Supervisory Statement (SS2/21). In particular, the PRA has:

  • made certain amendments to the definition of ‘outsourcing’ and the presumption that arrangements performed or provided in a prudential context should fall within it;
  • included additional examples of how proportionality can apply to intragroup arrangements and third country branches;
  • clarified that if a firm outsources a service within the scope of operational continuity in resolution requirements, this arrangement will generally constitute ‘material outsourcing’;
  • added guidance regarding the conduct of on-site audits; and
  • revised the guidance on data security so that it takes into account certain expectations set out in the European Banking Authority’s information and communication technology guidelines.

The PRA is also planning a follow-up consultation setting out detailed proposals for an online portal on which all firms would need to submit information on their outsourcing and third party arrangements. In the meantime, firms should continue to follow existing, relevant record-keeping requirements and expectations on outsourcing.

The PRA will expect firms to comply with the expectations set out in SS2/21 by 31 March 2022, which is in line with the timing of the PRA’s requirements and expectations on operational resilience as set out in Policy Statement 6/21: Operational resilience: Impact tolerances for important business services.

Outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations in SS2/21 by 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before 31 March 2021 at the first appropriate contractual renewal or revision point to meet the expectations in SS2/21 as soon as possible on or after 31 March 2022.

To help save our clients time and resource when it comes to meeting the EBA Guidelines on Outsourcing, we have created the NRF Outsourcing toolkit which provides access to a number of key documents that will help them to carry out this exercise. We can also support your remediation work more generally, and have a range of options that we can deploy – from helping on an ad hoc basis to fully managing and running the remediation exercise overall. Find out more here, or contact Hannah McAslan for more information.