4
Governance and record-keeping
4.1
This chapter sets out the PRA’s expectations on:
- board engagement on outsourcing;
- allocation of responsibilities;
- outsourcing and the SM&CR;
- outsourcing policies; and
- record-keeping, in particular regarding the Outsourcing Register.
- 31/03/2022
4.2
In this chapter, the term ‘board’ encompasses the terms ‘governing body’ and ‘management body’ in the PRA Rulebook, and refers to the board of directors or equivalent body in a firm.
- 31/03/2022
Governance
Board engagement on outsourcing
4.3
- 31/03/2022
4.4
Firms’ boards should:
- set ‘the control environment throughout the firm, including the appetite and tolerance levels in respect of outsourcing’ and third party risk management;
- ‘bear responsibility for the effective management of all risks to which the firm is exposed’, including by:
- appropriately ‘identifying and [having an] understanding of the firm’s reliance on critical service providers’; and
- ensuring that the firm has ‘(from board level downwards) appropriate and effective risk management systems and strategies in place to deal with outsourced service providers’.[28]
In line with SS5/16 ‘Corporate governance: Board responsibilities’, the PRA expects management information on outsourcing provided to the board to be clear, consistent, robust, timely, and well-targeted, and to contain an appropriate level of technical detail to facilitate effective oversight and challenge by the board.[29]
Footnotes
- 28. These principles were outlined in Final Notice, R. Raphaels & Sons, 29 May 2019: https://www.bankofengland.co.uk/news/2019/may/fca-and-pra-jointly-fine-raphaels-bank-1-89m-for-outsourcing-failings.
- 29. July 2018: https://www.bankofengland.co.uk/prudential-regulation/publication/2016/corporate-governance-board-responsibilities-ss.
- 31/03/2022
Shared responsibility model
4.5
As part of ensuring effective governance of an outsourcing arrangement, the PRA expects firms to define, document, and understand their and the service provider’s respective responsibilities. In the case of cloud computing, the term commonly used to help firms and cloud providers understand their respective obligations is the ‘shared responsibility model’.
Table 5 sets out an example of how the shared responsibility model operates in the case of data outsourced to cloud service providers.
- 31/03/2022
Table 3: The shared responsibility model in cloud outsourcing
Cloud service providers tend to operate under the 'shared responsibility model' whereby:
|
Footnotes
- 30. As defined in the EBA Outsourcing Guidelines.
- 31/03/2022
Empty shells
4.6
Firms should avoid becoming ‘empty shells’ that are incapable of meeting the Threshold Conditions. The following Threshold Conditions are particularly relevant:
- being capable of being effectively supervised by the PRA;
- the ‘suitability’ Threshold Condition in Sections 4E (Part 1A) (insurers) and 5E (Part 1E) (banks) of FSMA. This should include retaining a clear and transparent organisational framework and structure; and
- conducting their business in a prudent manner, including having appropriate non-financial (as well as financial) resources. Further guidance on the PRA’s approach to the Threshold Conditions is set out in paragraph 21 of ‘The PRA’s approach to banking supervision’ and paragraph 25 of ‘The PRA’s approach to insurance supervision’ (together, the ‘Approach Documents’).[31]
- 31/03/2022
Outsourcing and the SM&CR
4.7
Allocation of Responsibilities 4.1(21) (banks) and Insurance – Allocation of Responsibilities 3.1(A3)(12) (insurers) require firms to allocate a Prescribed Responsibility for a firm’s regulatory obligations in relation to outsourcing to an SMF.
- 31/03/2022
4.8
The PRA generally expects but does not require this Prescribed Responsibility to be allocated to (one of) the individuals performing the Chief Operations Senior Management Function (SMF24) if a firm has one or more individuals performing that SMF. As noted in SS28/15 for banks and SS35/15 for insurers, the SMF24 can be split among more than one individual in certain circumstances. SMF24s may also be responsible for other areas or activities relevant to the expectations in this SS, such as the firm’s information security policy.
- 31/03/2022
4.9
Firms should interpret this Prescribed Responsibility as encompassing the firm’s overall framework, policy, and systems and controls relating to outsourcing. Responsibility for individual outsourcing arrangements may still lie with relevant business lines or other areas of the firm. The free text section of the relevant SMF’s Statement of Responsibilities should describe this responsibility in an appropriate level of detail, in line with SS28/15.
- 31/03/2022
Outsourcing policy
4.10
Firms’ boards should approve, regularly review, and implement a written outsourcing policy. As noted in Chapter 2 of this SS, firms may apply this policy or parts thereof to all third party arrangements. This policy should align to and draw upon other relevant firm policies and strategies. For instance:
- business model and strategy;
- business continuity;
- conflicts of interest;
- data protection;
- ICT;
- information and cyber security;
- operational resilience;
- OCIR;
- (if applicable) ring-fencing; and
- risk management.
- 31/03/2022
4.11
Firms should make outsourced and third party providers aware of relevant internal policies, including those on outsourcing, ICT, information security, or operational resilience. Where firms’ policies include confidential or sensitive information, firms can omit or redact it and only share those sections relevant to the performance of the outsourced or third party service. Sharing these policies with third party service providers does not dilute firms’ responsibilities in terms of managing their outsourcing and third party arrangements, but can help third party service providers get a better understanding of firms’ regulatory obligations and other relevant aspects such as their risk tolerance and expected service levels.
- 31/03/2022
4.12
As discussed further in Chapter 10, firms’ business continuity plans under General Organisational Requirements 2.5 and 2.6 (banks) and Conditions Governing Business 2.6 (insurers) should take into account:
- the possibility that the quality of the provision of material outsourced services deteriorates to unacceptable levels;
- the potential impact of the insolvency or other failure of the service provider or the failure of the service (see Chapter 10); and
- where relevant, political and other risks in the service provider’s jurisdiction.
- 31/03/2022
4.13
There is no ‘one-size-fits-all’ template for firms’ outsourcing policies, and the policy does not have to be contained in a single document. Firms and groups are responsible for developing and maintaining a policy that is appropriate to their complexity, organisational structure, and size (see Chapter 3).
- 31/03/2022
4.14
The outsourcing policy should be principles-based and may be supported by detailed procedures developed, approved, and maintained below board level. However, it should be sufficiently detailed to provide adequate guidance for firms’ staff on how to apply its requirements in practice. At a minimum, it should cover the areas in Table 4.
- 31/03/2022
Table 4: Contents of the outsourcing policy
General |
|
Pre-outsourcing & on-boarding |
|
Oversight |
Procedures for the ongoing assessment of service providers’ performance, including where appropriate:
|
Termination | Exit strategies and termination processes, including a requirement for a documented exit plan for material outsourcing arrangements where such an exit is considered possible, explicitly catering for the unexpected termination of an outsourcing agreement (a stressed or unplanned exit), and taking into account possible service interruptions (and the firm’s impact tolerance for important business services)(see Chapter 10). |
Footnotes
- 32. See paras. 50–51 of the EBA Outsourcing Guidelines in respect of the role of the internal audit function in particular.
- 33. See paras 45-47 of the EBA Outsourcing Guidelines.
- 31/03/2022
Record-keeping
4.15
The PRA expects all firms to keep appropriate records of their outsourcing arrangements. The PRA considers that a firm, in complying with 2.3(1)(e) of the Notifications Part of the PRA Rulebook, would likely already have records of its material outsourcing arrangements for this purpose. The records should also be sufficient to enable the firm to fulfil the expectations concerning concentration risk set out in 5.24. Firms should also make any information on their outsourcing and third party arrangements of which the PRA would reasonably expect notice available to it in accordance with Fundamental Rule 7. The PRA may, if appropriate and justified, also request data on firms’ outsourcing arrangements under section 165 of FSMA.[34]
Footnotes
- 34. The PRA may exercise, under section 165A of the Financial Services and Markets Act 2000 (FSMA), the power to require certain persons to provide (i) specified information or information of a specified description; or (ii) specified documents or documents of a specified description, that it considers are, or might be, relevant to the stability of one or more aspects of the UK financial system (the financial stability information power).
- 31/03/2022
4.16
From Friday 31 December 2021, the EBA Outsourcing GL expect banks to maintain an up-to-date register of information on all their outsourcing arrangements, distinguishing between those which are material and those which are not (‘Outsourcing Register’). Banks are already expected to maintain a register of their cloud outsourcing arrangements (‘Cloud Register’) in line with the EBA Cloud Recommendations. Banks are expected to continue to maintain the Cloud Register until the Outsourcing Register subsumes it on Friday 31 December 2021.
- 31/03/2022