3

Proportionality

3.1

Firms should meet the expectations in this SS in a manner appropriate to: their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function, in line with the principle of proportionality.

3.2

Proportionality and the materiality of outsourcing arrangements (see Chapter 5) are separate but complementary concepts, and firms should consider the links between the two. Proportionality focuses on the characteristics of a firm, including its systemic significance. ‘Materiality’ assesses the potential impact of a given outsourcing or third party arrangement on a firm’s safety and soundness, including: its operational resilience; its ability to comply with legal and regulatory obligations; the risk that firms’ ability to meet these obligations could be compromised if the arrangement is not subject to appropriate controls and oversight; and (for insurers) its ability to provide an appropriate degree of protection for those who are or may become policyholders. Proportionality and materiality can change over time and firms should reassess both as appropriate.

Intragroup outsourcing

3.3

Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group and should not be treated as being inherently less risky.

3.4

Although intragroup outsourcing is subject to the same requirements as outsourcing to service providers outside a firm’s group, in line with Article 31(4) of MODR and Article 274(2) of the Solvency II Delegated Regulation, firms may comply with some of these requirements proportionately depending on their level of ‘control and influence’ over the entity that is providing the outsourced service.

3.5

Control and influence may vary depending on the characteristics of a group. For instance, a firm that outsources to a subsidiary may have greater control and influence than one that outsources to its parent company. The following factors may also be relevant when determining the level of control and influence:

  • the group’s governance structure, including the level of connectivity between the firm’s and group’s boards, board committees, executive committees, internal control functions and/or other relevant functions (eg technology);
  • the allocation of senior management functions (SMFs) and responsibilities throughout the group;
  • the ability of a firm to alter its intragroup outsourcing arrangements and/or influence their terms and conditions to ensure they meet its UK regulatory obligations and manage relevant firm and UK-specific risks; and
  • the consistency and robustness of group-wide standards, controls, policies, and procedures (eg on business continuity).

3.6

Depending on its level of control and influence in respect of intragroup outsourcing arrangements, a firm may, for example:

  • adjust its vendor due diligence, although firms should still carefully assess whether a potential service provider that is part of its group has the ability, capacity, resources, and appropriate organisational structure to support the performance of the outsourced function or third party service;
  • where a UK consolidated group is entering into a material outsourcing arrangement that covers the entire group or multiple firms in it, submit a single notification to meet the obligations of those firms under Rule 2.31(e) in the Notifications Part of the PRA Rulebook, provided that it lists all the individual firms that will receive the relevant material outsourcing service;
  • rely on the group’s potentially stronger negotiating and purchasing power to enter into group-wide arrangements with external third parties;
  • adapt certain clauses in outsourcing agreements (a written agreement is always required – even in intragroup arrangements; see Chapter 6);
  • rely on group policies and procedures as long as they comply with their UK legal and regulatory obligations and allow them to manage relevant risks (eg group cyber-security or data protection policies, such as binding corporate rules for international data transfers);
  • rely on a centralised group process for overseeing external third party service providers, including the exercise of access, audit, and information rights, provided that this process appropriately takes into account and documents any legal entity-specific risks and allows for legal entity-specific risk mitigation where necessary; and
  • rely on business continuity, contingency, and exit plans developed at group level, provided that they adequately safeguard their operational resilience.

Leveraging existing regulatory frameworks

3.7

Where relevant, firms may be able to leverage compliance with existing requirements in other areas of regulation to help meet their regulatory obligations in respect of their intragroup outsourcing arrangements. For instance, for some banks, intragroup outsourcing arrangements may be subject to the requirements in Operational Continuity Chapter 4 and Chapters 9 and 12 in the Ring-Fenced Bodies Part of the PRA Rulebook. Compliance with these requirements may also mean those banks meet certain expectations in this SS in respect of intragroup outsourcing arrangements (for instance, in respect of business continuity and exit plans (see Chapter 10)). The PRA also expects firms to consider whether they can leverage elements of their operational continuity in resolution (OCIR) record-keeping to identify and document their intragroup dependencies, as long as relevant information is clear and readily available to the PRA upon request.[23]


3.8

Firms may also leverage their end-to-end mapping of important business services under Chapter 4 of the Operational Resilience – CRR Firms and Operational Resilience – Solvency II Parts of the PRA Rulebook to document and map their intragroup and other dependencies.

Non-significant firms

3.9

The PRA Rulebook does not define a ‘significant’ firm and it is for firms to determine their own significance. For the purposes of this SS, firms with a supervisory contact who has indicated they are impact category 1 or 2 should consider themselves ‘significant’. This approach is consistent with the definitions of ‘significant firm’ in:

  • ‘The PRA’s approach to banking supervision’ and ‘The PRA’s approach to insurance supervision’ (‘PRA Approach Documents’);[24]
  • the EBA Outsourcing GL and EBA Governance GL;[25] and
  • for Solvency II insurers, SS10/16 ‘Solvency II: Remuneration requirements’.[26]


3.10

‘Non-significant’ firms may meet certain expectations in this SS in a proportionate manner. The PRA’s supervisory scrutiny of firms’ outsourcing arrangements may also reflect their significance.

Governance and internal controls

3.11

The PRA recognises that new and growing firms often rely more extensively on outsourcing and third party products and services given the benefits they can bring in terms of lower barriers to entry, cost savings, and in some cases increased operational resilience.[27] However, to meet the Threshold Conditions on an ongoing basis, all firms must retain appropriate non-financial resources, including to effectively oversee these outsourced and third party services (see Chapter 4).

3.12

An example of a function that non-significant firms can outsource is internal audit. Firms that elect to do so are not required to have an individual approved as the Head of Internal Audit Senior Management Function (SMF5) under the SM&CR, but must allocate a Prescribed Responsibility for overseeing the provision of the outsourced internal audit function to another existing SMF (see Allocation of Responsibilities 4.2(3) (banks) and Insurance – Allocation of Responsibilities 3.3 (insurers)).

3.13

While all firms should have appropriate non-financial resources to oversee their outsourcing arrangements, individuals across business lines and internal control functions responsible for doing so in non-significant firms may be less specialised and have general responsibility for areas such as compliance, IT, or risk management. Likewise, although non-significant firms’ outsourcing policies should include the minimum requirements outlined in Chapter 4, the length and complexity of their policies may reflect the complexity, materiality, and number of the firm’s outsourcing relationships.

Access, audit, and information rights

3.14

Although all firms are in principle able to use the access, audit, and information-gathering tools highlighted in Chapter 7, including third party certification and pooled audits, these tools may be particularly useful for non-significant firms as a means of mitigating the cost and resource implications of conducting individual onsite audits. However, non-significant firms should still be satisfied that whichever method they use allows them to meet their individual legal and regulatory obligations and aligns with their risk appetite.

Third-country branches

3.15

Outsourcing arrangements by UK branches of third-country firms (third-country branches) are subject to the requirements in Chapter 7 of the Internal Governance of Third Country Branches Part of the PRA Rulebook (banks) and Conditions Governing Business Chapter 7 (insurers).

3.16

Since 1 January 2021, the parts of the PRA Rulebook referred to in paragraph 3.15 also apply to UK branches of European Economic Area (EEA) firms that were previously operating in the UK under passporting.

3.17

While the PRA’s application of outsourcing requirements and expectations on third-country branches diverges from the approach set out in the EBA Outsourcing GL, which do not treat the provision of services by EU firms to their branches in the EEA as ‘outsourcing’, it is justified by the:

  • importance of effective risk management and controls in all third-country branches deemed to be systemic due to their potential impact on financial stability in the UK; and
  • need to treat all third-country branches consistently.

3.18

At a minimum, the PRA expects third-country branches to have:

  • a clear, documented list of their intragroup outsourcing arrangements, which should identify those deemed material;
  • documented written agreements, such as service level agreements, for all intragroup outsourcing arrangements (in particular those deemed material), setting out expected service levels and key performance indicators (KPIs);
  • appropriate monitoring and oversight of their intragroup outsourcing arrangements, including appropriate visibility of the whole firm's or parent's material sub-outsourced service providers and supply chain by internal control functions and, if applicable, other areas such as technology; and
  • effective processes and mechanisms for escalating concerns, issues, and regulatory feedback relating to their intragroup outsourcing arrangements to the whole firm or group.

3.19

The PRA recognises the need to apply the expectations in this SS proportionately to third-country branches. In addition to the guidance on intragroup arrangements in paragraph 3.5, third-country branches can rely on:

  • due diligence, materiality assessments, and risk assessments of third parties outside their group undertaken by or on behalf of the whole firm, provided that they take into account their UK regulatory obligations (see Chapter 5);
  • contractual arrangements between third parties outside their group and the whole firm or group (see Chapter 6);
  • audits of external third party service providers performed by or on behalf of the whole firm or group as long as they provide them with appropriate assurance and information to comply with their UK regulatory obligations; and/or
  • firm or group-wide business continuity plans and exit strategies. Systemic wholesale branches should, however, take reasonable steps to develop local business continuity, contingency planning, and exit strategies (if available) covering any activities or services which they provide that could impact UK financial stability.