2
Definitions and scope
Outsourcing
2.1
The PRA Rulebook defines ‘outsourcing’ as ‘an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself’. This definition derives from Article 2(3) of MODR (Commission Delegated Regulation on organisational requirements and operating conditions) and Article 13(28) of Solvency II. In line with the EBA Outsourcing GL, when considering whether an arrangement with a third party falls within the definition of outsourcing, firms should consider whether the third party will perform the relevant function or service (or part thereof) on a recurrent or an ongoing basis.
- 31/03/2022
2.2
Existing requirements on outsourcing, including Articles 30–32 of MODR and Article 274 of the Solvency II Delegated Regulation, only apply to ‘outsourcing’ as defined in paragraph 2.1. They do not apply to other arrangements between firms and third parties which fall outside the definition of outsourcing. In line with the definition in the G7 Third Party Elements and EBA ICT GL, this SS defines a ‘third party’ as ‘an organisation that has entered into a business relationship or contract with a firm to provide a product or service’.
- 31/03/2022
Expectations for non-outsourcing third party arrangements
2.3
The PRA’s overarching aim is for firms to apply adequate governance and controls to all third party dependencies that can impact its statutory objectives. Examples include those that support the provision of important business services or carry a high level of risk. The [draft] BCBS Operational Resilience Principles refer to this principle as ‘third party dependency management’.
- 31/03/2022
2.4
The EBA Outsourcing GL provide examples of arrangements between banks and third parties which ‘as a general principle [banks] should not consider as outsourcing’ (hereafter referred to as ‘non-outsourcing third party arrangements’) (see paragraph 28 of the EBA Outsourcing GL). Non-outsourcing third party arrangements are not covered by the granular requirements applicable to outsourcing arrangements referred to in paragraph 2.2. Other examples of non-outsourcing third party arrangements may include but are not limited to:
- purchases of hardware, software, and other ICT products, such as:
-
- (a) the design and build of an on-premise IT platform;
- (b) the purchase of data collated by third party providers (data brokers), eg geospatial data or data from in-app device activity, social media, etc.; and
- (c) ‘off-the shelf’ machine learning models, including samples of the data used to train and test the models, open source software, and machine learning libraries developed by third party providers; and
- in the case of insurers, the use of aggregators, such as pricing comparison platforms, and delegated underwriting.
- 31/03/2022
2.5
As some non-outsourcing third party arrangements may also impact the PRA’s objectives, the PRA expects firms to assess the materiality and risks of all third party arrangements irrespective of whether they fall within the definition of outsourcing. Firms should use all relevant criteria in Chapter 5 in their assessments (however, some criteria may be inapplicable to certain non-outsourcing third party arrangements).
- 31/03/2022
2.6
Where a firm deems a non-outsourcing third party arrangement ‘material’ or ‘high risk’, it should implement proportionate, risk-based, suitable controls. These controls do not necessarily have to be the same as those that apply to outsourcing arrangements. However, the controls should be appropriate to the materiality and risks of the third party arrangement and as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality or risk. It follows that firms should apply stricter controls to material, non-outsourcing third party arrangements than to non-material outsourcing arrangements.
- 31/03/2022
2.7
The PRA reminds firms that the following requirements apply to all third party arrangements irrespective of whether or not they fall under the definition of ‘outsourcing’:
- PRA Fundamental Rules 2, 3, 5 and 6, and 7;
- in the case of individuals, the PRA Conduct Rules/Insurance – Conduct Standards and Senior Manager Conduct Rules/Conduct Standards Parts of the PRA Rulebook;
- Rule 2 in the General Organisational Requirements Part of the PRA Rulebook (banks) and the Conditions Governing Business Part of the PRA Rulebook (insurers). In particular, the requirements on business continuity, contingency planning, and data protection;
- Rule 10 in the Internal Capital Adequacy Assessment Part of the PRA Rulebook (banks);
- the Risk Control Part of the PRA Rulebook (banks) and Conditions Governing Business 3 (insurers); and
- all relevant requirements in the Operational Resilience and Insurance – Operational Resilience Parts of the PRA Rulebook.
- 31/03/2022
2.8
In line with the expectations in Chapter 4 of this SS, firms may implement a holistic, single third party risk management policy covering outsourcing and non-outsourcing third party arrangements. Alternatively, they may have separate policies on each of those respective areas provided that they are aligned, consistent, effective, and suitably risk-based.
- 31/03/2022
Third party ICT arrangements
2.9
The following standards apply to all third party ICT arrangements:
- EBA ICT GL, including but not limited to Sections 3.2.3, 3.3.2, 3.4.5, and 3.7 (in particular, paragraph 86). These GL should be interpreted consistently with: the Operational Resilience/Insurance – Operational Resilience Parts, the expectations in this SS, and SS1/21; and
- relevant legal requirements and standards on ICT security (eg Cyber Essentials Plus) and data protection, including but not necessarily limited to General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
- 31/03/2022
2.10
The PRA also encourages firms to take into account global standards on ICT risk management, including but not necessarily limited to the toolkit in the FSB Effective Practices (in particular, paragraphs 13, 18, 19 and 20, 33 and 36), and the G7 Third party Elements.
- 31/03/2022
Third party arrangements subject to regulatory requirements
2.11
Certain arrangements among regulated financial institutions, including between firms that are not part of the same group and between firms and financial market infrastructures, do not fall within the definition of outsourcing in paragraph 2.1. These arrangements include clearing, settlement, custody services, and certain services provided by Lloyd’s of London, all of which are subject to specific regulatory requirements. For instance, custody services are regulated by the Client Assets Sourcebook in the FCA Handbook and Central Securities Depositories Regulation. They are also subject to the requirements in paragraph 2.7 of this SS.[22]
Footnotes
- 31/03/2022
2.12
While these arrangements do not fall under the definition of outsourcing, they are third party arrangements that can give rise to significant risks to the PRA’s objectives and should be subject to appropriate monitoring and risk-based controls. The PRA therefore expects firms that are parties to these arrangements, either as service providers or service recipients, to leverage applicable, existing regulatory requirements to manage relevant risks and promote an appropriate level of resilience.
- 31/03/2022