1 Introduction

1.1

This Supervisory Statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. In particular:

  • Chapter 2 elaborates on the definition of ‘outsourcing’ in the PRA Rulebook. It also notes that there are arrangements between firms and third parties that fall outside this definition (‘third party arrangements’) and are consequently outside of the scope of existing requirements on outsourcing and some of the detailed expectations in this SS. However, these third party arrangements are still subject to the PRA Fundamental Rules and other PRA requirements and expectations on business continuity, governance, operational resilience, and risk management (including but not limited to cyber risk).
  • Chapter 3 clarifies how the principle of proportionality applies to the expectations in this SS, in particular how it applies to intragroup outsourcing and to ‘non-significant firms’ (as defined in paragraph 3.9 of this SS).
  • Chapter 4 sets out the PRA’s expectations on governance, including under the Senior Managers and Certification Regime (SM&CR), and record keeping.
  • Chapter 5 sets out the PRA’s expectations for firms during the pre-outsourcing phase. It addresses the materiality and risk assessments of their outsourcing and other third party arrangements (including notification to the PRA where required), and firms’ due diligence on third parties.
  • Chapter 6 lists the areas that the PRA expects written agreements relating to material outsourcing to address as a minimum. The following four areas are then examined in detail in Chapters 7–10:

1.2

This SS is relevant to all:

  • UK banks, building societies, and PRA-designated investment firms (hereafter banks);
  • insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents (hereafter insurers); and
  • UK branches of overseas banks and insurers (hereafter third-country branches).

Entities in scope of this SS are collectively referred to as ‘firms’.

1.3

Some of the requirements and expectations referred to in this SS also apply to credit unions and non-directive firms (NDFs). In particular: paragraph 1.8; the requirements in Table 2; paragraphs 5.11–5.12; and the PRA statutory powers and requirements in Tables 6 and 7. The remaining expectations in this SS do not apply to credit unions and NDFs.

1.4

Firms are expected to comply with the expectations in this SS by Thursday 31 March 2022. Outsourcing arrangements entered into on or after Wednesday 31 March 2021 should meet the expectations in this SS by Thursday 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before Wednesday 31 March 2021 at the first appropriate contractual renewal or revision point to meet the expectations in this SS as soon as possible on or after Thursday 31 March 2022.

1.5

The aims of this SS are to:

  • ‘facilitate greater resilience and adoption of the cloud and other new technologies’ as set out in the Bank of England (the Bank)’s response to the ‘Future of Finance’ report;

  • complement the requirements and expectations on operational resilience in the PRA Rulebook; SS1/21 ‘Operational resilience: Impact tolerances for important business services’; and the Statement of Policy (SoP) ‘Operational resilience’; and[1]

  • implement the:

    • European Banking Authority (EBA) ‘Guidelines on outsourcing arrangements’ (EBA Outsourcing GL).[2] This SS clarifies how the PRA expects banks to approach the EBA Outsourcing GL in the context of its requirements and expectations. In addition, certain chapters in this SS expand on the expectations in the EBA Outsourcing GL, for instance Chapters 7 (Data security) and 10 (Business continuity and exit plans); and[3]

    • relevant sections of the EBA ‘Guidelines on ICT and security risk management’ (EBA ICT GL).[4]


1.6

In line with the Statement of Policy (SoP) ‘Interpretation of EU Guidelines and Recommendations: Bank of England and PRA approach after the UK’s withdrawal from the EU’,[5] the PRA has not formally implemented the following Guidelines, which came into force after the implementation period:

  • European Insurance and Occupational Pensions Authority (EIOPA) ‘Guidelines on outsourcing to cloud service providers’ (EIOPA Cloud GL);[6]
  • EIOPA ‘Guidelines on information and communication technology security and governance’ (EIOPA ICT GL);[7]
  • European Securities and Markets Authority (ESMA) ‘Guidelines on outsourcing to cloud service providers’ (ESMA Cloud GL);[8]

1.7

However, the PRA took these draft Guidelines into consideration when developing its policy and considers that the expectations in this SS are at least equivalent to them in effectiveness and substance. The PRA sought to avoid undue divergences from the draft Guidelines referred to in paragraph 1.5, but it followed its own approach where it deemed this to be beneficial or to advance the PRA’s statutory objectives. In particular, this SS complements and strengthens the PRA’s requirements and expectations on operational resilience and aims to promote consistency between banks and insurers. The SS should be the primary source of reference for UK firms when interpreting and complying with PRA requirements on outsourcing and third party risk management. Firms with operations in both the UK and the EU should comply with the applicable Guidelines in respect of their EU operations.

1.8

To ensure a consistent approach across PRA-regulated firms, the expectations in this SS apply to all forms of outsourcing and, where indicated, other non-outsourcing third party arrangements entered into by firms. In addition, this SS includes specific examples, references, and chapters (eg Chapter 7) which aim to address the specific characteristics of cloud usage and set out conditions that can help give firms assurance and deploy it ‘in a safe and resilient manner’.[9] In developing the expectations in this SS, including in relation to cloud usage, the PRA has taken into account international standards including but not limited to the:

  • Basel Committee on Banking Supervision (BCBS) [draft] ‘Principles for operational resilience’ (BCBS Operational Resilience Principles);[10]
  • Financial Stability Board (FSB) ‘Effective Practices for Cyber Incident Response and Recovery’ (FSB Effective Practices);[11]
  • ‘G-7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector’ (G-7 Third-Party Elements);[12] and
  • International Organisation of Securities Commissions’ (IOSCO) [draft] ‘Principles on Outsourcing’.[13]

1.9

To promote clarity and certainty, this SS references other regulatory requirements that govern outsourcing (and in some cases other third party arrangements) by firms. Firms are required to comply with the obligations in these sources. This SS should therefore be read alongside and interpreted consistently with all relevant sources of law, including those in Tables 1 and 2 below.

Table 1: Existing requirements and expectations on outsourcing for banks and insurers[14]

Banks:

  • Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing MiFID II as it forms part of retained EU law (MODR), Articles 30–32
  • Outsourcing Part of the PRA Rulebook and Chapter 7 of the Internal Governance of Third-Country Branches Part of the PRA Rulebook
  • Chapters 4.1(21) (banks) of the Allocation of Responsibilities and 3.1(A3)(12) of the Insurance – Allocation of Responsibilities Parts of the PRA Rulebook
  • Chapter 2.3(1)(e) of the Notification Part of the PRA Rulebook
  • Rules 2.2 and 3.3 of the Information Gathering Part of the PRA Rulebook
  • Rules 3.2 and 3.4 of the Operational Continuity Part of the PRA Rulebook
  • Rules 2.5 and 4.1 of the Operational Resilience Part of the PRA Rulebook
  • Rules 10.1 and 10.2 of the Internal Capital Adequacy Assessment Part of the PRA Rulebook
  • EBA Outsourcing Guidelines
  • EBA ‘Guidelines on information and communications technology (ICT) and security risk management’
  • Chapters 9 and 12 of the Ring-Fenced Bodies Part of the PRA Rulebook (only applicable to ring-fenced bodies as defined in Section 417 of FSMA)
  • EBA ‘Guidelines on internal governance’ (EBA Governance GL)
  • EBA ‘Recommendations on outsourcing to cloud service providers’ (EBA Cloud Recommendations) until superseded by the EBA Outsourcing GL
  • SS28/15 ‘Strengthening individual accountability in banking’,[17] paragraphs 2.11G and 2.41A
  • SS21/15 ‘Internal governance’,[18] paragraphs 2.15 and 2.23
  • SS9/16 ‘Ensuring operational continuity in resolution’,[19] paragraphs 2.1, 5.1, 5.10, 6.1, 8.2, 11.5, and Chapter 4
  • PRA Statement of Policy (SoP) on Operational Resilience
  • SS29/19 ‘Operational resilience: Impact tolerances for important business services’

Insurers:

  • Commission Delegated Regulation (EU) 2015/35 supplementing Solvency II as it forms part of retained EU law (Solvency II Delegated Regulation), Articles 274 and 294(8)
  • Chapter 7 of the Conditions Governing Business Part of the PRA Rulebook
  • Rule 3.1(12) of the Insurance – Allocation of Responsibilities Part of the PRA Rulebook
  • Rule 2.3(1)(e) of the Insurance – Notification Part of the PRA Rulebook
  • Rules 2.2 and 3.3 of the Information Gathering Part of the PRA Rulebook
  • Rules 2.5 and 4.1 of the Insurance – Operational Resilience Part of the PRA Rulebook
  • EIOPA Guidelines on the System of Governance,[15] Guidelines 14 and 60–64
  • SS35/15 ‘Strengthening individual accountability in insurance’,[16] paragraphs 2.22A, 2.22L, 2.31, 2.33, 2.37A, 2.37B, 2.40, 2.52, and 2.93

1.10

The PRA considers that the expectations in the SS are compatible with all relevant Financial Conduct Authority (FCA) rules and guidance for dual-regulated firms, including on operational resilience. The FCA’s rules and guidance on outsourcing and third party risk management are substantively aligned to the equivalent PRA requirements and expectations in Tables 1 and 2, and are set out mainly in the Systems and Controls (SYSC) Sourcebook of the FCA Handbook[20] (in particular SYSC8 (banks) and SYSC13.9 (insurers)), as well as in FCA ‘Finalised Guidance 16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services’, where applicable.[21]

Expectations for credit unions and non-directive firms (NDFs)

1.11

Although the majority of the detailed expectations in this SS do not apply to credit unions and NDFs, the PRA expects credit unions and NDFs to manage their outsourcing and third party arrangements prudently in a manner consistent with the PRA’s objectives. The PRA will consider the extent to which they have done so when assessing their compliance with the requirements in Table 2.

Table 2: Requirements and expectations on outsourcing for credit unions and non-directive firms

Credit Unions:

  • Fundamental Rules
  • Chapters 11, 13, 14, 15, 16, and 17 of the Credit Unions Part of the PRA Rulebook
  • Information Gathering 2.2 and 3.3
  • Notifications 2.3(1)(e)
  • Allocation of Responsibilities 5.2(3), (4), and (6)

Non-Directive Firms:

  • Fundamental Rules
  • Chapters 2, 3, 4, 5, 6, 8, and 9 of the Non-Solvency II Firms – Governance Part of the PRA Rulebook
  • Chapter 2 of the Non-Solvency II Firms – General Powers Part of the PRA Rulebook
  • Information Gathering 2.2 and 3.3
  • Notifications 2.3(1)(e)
  • Chapter 3.1(11) of the Large Non-Solvency II Firms – Allocation of Responsibilities Part of the PRA Rulebook
  • Non-Solvency II Firms – Allocation of Responsibilities 3.1(3) and (4)