14

Outsourcing

14.1

For the purposes of this Chapter, an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a credit union with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its regulated activities.

14.2

Without prejudice to the status of any other function, the following functions will not be considered critical or important for the purposes of this Chapter:

  (1) the provision to the credit union of advisory services, and other services which do not form part of the regulated activities of the credit union, including the provision of legal advice to the credit union, the training of personnel of the credit union, billing services and the security of the credit union’s premises and personnel; and
  (2) the purchase of standardised services, including market information services and the provision of price feeds.

14.3

If a credit union outsources critical or important operational functions or any regulated activities, it remains fully responsible for discharging all of its obligations under the regulatory system and must comply, in particular, with the following conditions:

  (1) the outsourcing must not result in the delegation by senior personnel of their responsibility;
  (2) the relationship and obligations of the credit union towards its members under the regulatory system must not be affected;
  (3) the conditions with which the credit union must comply in order to be authorised, and to remain so, must not be undermined; and
  (4) none of the other conditions subject to which the credit union’s authorisation was granted must be removed or modified.

14.4

A credit union must exercise due skill and care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any regulated activities, including considering any risk arising from the arrangement in the context of other risks.

14.5

A credit union must in particular take the necessary steps to ensure that the following conditions are satisfied:

  (1) the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
  (2) the service provider must carry out the outsourced services effectively, and to this end the credit union must establish methods for assessing the standard of performance of the service provider;
  (3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
  (4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
  (5) the credit union must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, and must supervise those functions and manage those risks;
  (6) the service provider must disclose to the credit union any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
  (7) the credit union must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to members;
  (8) the service provider must co-operate with the PRA in connection with the outsourced activities;
  (9) the credit union, its auditors and the PRA must have effective access to data related to the outsourced activities, and the PRA must be able to exercise this right of access;
  (10) the service provider must protect any confidential information relating to the credit union and its members; and
  (11) the credit union and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.

14.6

A credit union must ensure that the respective rights and obligations of the credit union and of the service provider are clearly allocated and set out in a written agreement.