5
Pre-outsourcing phase
5.1
The PRA expects firms to:
- determine the materiality of every outsourcing and third party arrangement;
- perform appropriate and proportionate due diligence on all potential service providers; and
- assess the risks of every outsourcing arrangement irrespective of materiality.
- 31/03/2022
Materiality assessment
Definition
5.2
The PRA Rulebook defines ‘material outsourcing’ as the outsourcing of ‘services of such importance that weakness, or failure, of the services would cast serious doubt upon the firm's continuing satisfaction of the threshold conditions or compliance with the Fundamental Rules’.[35]
Footnotes
- 35. See the Notifications 2.3(e) Part of the PRA Rulebook.
5.3
Materiality should be read as incorporating the concept of a ‘critical or important operational function’ in relevant retained EU legislation. The requirements in Article 31 of MODR or Article 274(5) of the Solvency II Delegated Regulation apply only to the outsourcing of critical or important operational functions.
5.4
This SS uses ‘material outsourcing’ instead of ‘critical or important’ for clarity and to help firms avoid confusion with different but partly overlapping terms that exist in financial regulation, such as ‘critical function’ or ‘critical service’ in an OCIR context. For all intents and purposes, the PRA considers that a ‘material outsourcing’ arrangement encompasses a ‘critical or important outsourcing’ arrangement in relevant retained EU legislation. Moreover, the criteria that firms should take into account when identifying ‘material outsourcing’ arrangements are substantively aligned to the criteria for identifying ‘critical or important outsourcing arrangements’ under the EBA Outsourcing GL, with a few justified exceptions, such as those that reference the PRA’s requirements on operational resilience (see paragraphs 5.11–5.13 below).
5.5
If a firm outsources services to which OCIR applies, this arrangement will generally constitute ‘material outsourcing’. However, outsourcing and non-outsourcing third party arrangements that are not within scope of OCIR might still be ‘material outsourcing’ if they could affect the PRA’s objectives outside of an OCIR context. Examples may include outsourcing arrangements involving personal or sensitive data or carrying high reputational risk.
5.6
Although the term ‘material outsourcing’ in the PRA Rulebook is limited to outsourcing arrangements, the concept of materiality itself and the criteria in this chapter apply to all third party arrangements. Firms should determine the materiality of all third party arrangements using all relevant criteria in this chapter.
5.7
As the definition of materiality is tied to an individual firm’s ability to meet the Threshold Conditions on an ongoing basis and comply with the Fundamental Rules, materiality should be assessed at an individual firm level. Where a group or parent company assesses the materiality of an outsourcing arrangement on the group as a whole, individual firms may rely on information and findings from the group-wide assessment. However, each firm should also take reasonable steps to come to an informed view as to the materiality of the arrangement on it as an individual firm.
Timing and frequency of materiality assessments
5.8
Firms are responsible for assessing the materiality of their outsourcing and third party arrangements. Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed:
- prior to signing the written agreement;
- at appropriate intervals thereafter, eg during scheduled review periods;
- where a firm plans to scale up its use of the service or dependency on the service provider; and/or
- if a significant organisational change at the service provider or a material sub-outsourced service provider takes place that could materially change the nature, scale, and complexity of the risks inherent in the outsourcing arrangement, including a significant change to the service provider’s ownership or financial position.
5.9
Where a firm expects an outsourcing or third party arrangement to become material in the future, it should take reasonable steps to ensure that it can comply with all applicable expectations for material outsourcing arrangements in Chapters 6 to 10 on or before the materiality threshold is crossed. If a non-material outsourcing or third party arrangement becomes material due to a severe but plausible scenario, such as a pandemic, firms should consider whether additional measures to safeguard their operational resilience are warranted, such as revisions to contractual provisions.
Criteria for assessing materiality
5.10
Firms should develop their own processes for assessing materiality as part of their outsourcing or third party risk management policy (see Chapter 4). However, to ensure consistency across firms’ assessments, the PRA expects firms to take into account certain criteria, as set out below.
Criteria that will generally render an outsourcing arrangement automatically material
5.11
Consistent with the definition of ‘material outsourcing’ in the PRA Rulebook and, where applicable, the criteria in the EBA Outsourcing GL, a firm should generally consider an outsourcing or third party arrangement as material where a defect or failure in its performance could materially impair the:
- financial stability of the UK;
- firm’s:
- ability to meet the Threshold Conditions;
- compliance with the Fundamental Rules;
- requirements under ‘relevant legislation’ and the PRA Rulebook;[36]
- safety and soundness, including its:
- financial resilience, ie assets, capital, funding, and liquidity; or
- operational resilience, ie its ability to continue providing important business services;
- for insurers only, the:
- ability to provide an appropriate degree of protection for those who are or may become policyholders in line with the PRA’s statutory objectives; and
- requirement not to undermine the ‘continuous and satisfactory service to policyholders’ in line with Conditions Governing Business 7.2.
- OCIR and, if applicable, resolvability.
Footnotes
- 36. ‘Relevant legislation’ has the same meaning as in the Information Gathering Part of the PRA Rulebook.
5.12
The PRA also expects firms to classify an outsourcing arrangement as material if the service being outsourced involves an:
- entire ‘regulated activity’, eg portfolio management; [37] or
- ‘internal control’ or ‘key function’, unless the firm is satisfied that a defect or failure in performance would not adversely affect the relevant function.[38] [39]
Footnotes
- 37. See also paragraphs 62 and 63 of the EBA Outsourcing Guidelines regarding the outsourcing of entire regulated (banking) activities to service providers located outside the EEA.
- 38. For full definition, see ‘internal controls’ in the Glossary Part of the PRA Rulebook.
- 39. Key function holder means any person who is responsible for discharging a key function.
Other materiality criteria to take into account
5.13
The PRA expects firms to have regard to all applicable criteria in Table 5 below, both individually and in conjunction, when assessing the materiality of an outsourcing or third party arrangement not otherwise covered by paragraphs 5.11 and 5.12. Although in practice many material outsourcing and third party arrangements involve ICT products or services (eg cloud), the presence of a given ICT product or service does not, in itself, automatically render an outsourcing arrangement material.
Table 5: Materiality criteria
- Direct connection to the performance of a regulated activity.
- Size and complexity of relevant business area(s) or function(s).
- The potential impact of a disruption, failure, or inadequate performance on the firm’s:
- The firm’s ability to scale up the outsourced service.
- Ability to substitute the service provider or bring the outsourced service back in-house, including estimated costs, operational impact, risks, and timeframe of an exit in stressed and non-stressed scenarios.
Footnotes
- 40. As defined in the EBA ‘Guidelines on ICT and security risk management’.
- 41. In line with the definition of ‘operational risk’ in the PRA Rulebook, insurers should consider reputational risks in addition to and separately from operational risk.
Notification to the PRA
5.14
Notifications 2.3(1)(e) requires all PRA-regulated firms, including credit unions and NDFs, to notify the PRA when ‘entering, or significantly changing a material outsourcing arrangement’. The PRA expects these notifications to be made before entering into the outsourcing arrangement. The PRA also expects firms to submit these notifications before an outsourcing arrangement that was not initially deemed material is expected or planned to become so (see paragraph 5.9). The PRA will consider the timeliness of these notifications when assessing firms’ compliance with Fundamental Rule 7.
5.15
The PRA expects firms to assess the materiality of planned outsourcing arrangements sufficiently early to notify the PRA if required, and to:
- provide additional information if requested to do so; and
- implement follow-up action if appropriate, which may involve a firm:
- enhancing its due diligence, governance, or risk management, and delaying entering into the agreement until it does so; or
- reviewing the written agreement to ensure it complies with their regulatory obligations and risk management expectations (see Chapter 6).
In some circumstances, it might be appropriate to make a notification before a final provider has been selected. An example of this is if a firm is planning a major migration programme and is still trying to select a provider from a shortlist.
5.16
The PRA expects notifications of material outsourcing to include, at least, the information in paragraph 54 of the EBA Outsourcing GL.
5.17
Although Notifications 2.3(1)(e) applies only to material outsourcing arrangements, material non-outsourcing third party arrangements may constitute ‘information of which the PRA would reasonably expect notice’ within the meaning of Fundamental Rule 7 and Senior Manager Conduct Rule/Conduct Standard 4.[42] Consequently, the PRA expects firms to bring these arrangements to its attention in a similar manner and timeframe to that set out in paragraphs 5.14–5.16. Firms may elect to develop a single internal framework for notifying the PRA of both material outsourcing and material non-outsourcing third party arrangements.
Footnotes
- 42. Senior Manager Conduct Standard/Rule 4: You must disclose appropriately any information of which the FCA or the PRA would reasonably expect to have notice.
Due diligence
5.18
The PRA expects firms to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify suitable alternative or back-up providers where available. If no alternative or back-up providers for a material outsourcing arrangement are available, firms should consider alternative business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business services within their impact tolerances in the event of material disruption at their chosen service provider (see Chapter 10).
5.19
In the case of material outsourcing, the PRA expects firms’ due diligence to consider the potential providers’:
- business model, complexity, financial situation, nature, ownership structure, and scale;
- capability, expertise, and reputation;
- financial, human, and technology resources;
- ICT controls and security; and
- sub-outsourced service providers, if any, that will be involved in the delivery of important business services or parts thereof.
5.20
The due diligence should also consider whether potential service providers:
- have the authorisations or registrations required to perform the service;
- comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection;
- can demonstrate certified adherence to recognised, relevant industry standards;
- can provide, where applicable and upon request, relevant certificates and documentation (eg data dictionaries); and
- have the ability and capacity to provide the service that the firm needs in a manner compliant with UK regulatory requirements (including in the event of a sudden spike in demand for the relevant service, for instance as a result of a shift to remote working during a pandemic). A ‘general’ track-record of previous performance may not be sufficient evidence by itself.
Risk assessment
5.21
In line with Risk Control 3.4(2) and Risk Management 3.1, firms should, in a proportionate manner, assess the potential risks of all third party arrangements, including outsourcing arrangements, regardless of materiality. As part of the risk assessment, the PRA expects firms to consider:
- operational risks based on an analysis of severe but plausible scenarios, for instance a breach or outage affecting the confidentiality and integrity of sensitive data and/or availability of service provision (see Chapter 10); and
- financial risks, including the potential need for the firm to provide financial support to a material outsourced or sub-outsourced service provider in distress or take over its business, including as a result of an economic downturn (‘step-in’ risk).[43]
Footnotes
- 43. See BCBS Guidelines on identification and management of step-in risk, 25 October 2017: https://www.bis.org/bcbs/publ/d423.pdf
5.22
The PRA expects firms to carry out risk assessments in the circumstances referred to in paragraph 5.8 and also if they consider that there may have been a significant change to an outsourcing arrangement’s risks due to, for instance, a serious breach or continued breaches of the agreement, or a crystallised risk.
5.23
A firm’s risk assessment should balance any risks that the outsourcing arrangement may create or increase against any risks it may reduce or enable the firm to manage more effectively (for instance, a firm’s resilience to disruption). The assessment should also take into account existing or planned risk mitigation, eg staff procedures and training.
Firm or group-wide concentration risk
5.24
The PRA expects firms and groups to periodically (re)assess and take reasonable steps to manage:
- their overall reliance on third parties; and
- concentration risks or vendor lock-in at the firm or group, due to:
- multiple arrangements with the same or closely connected service providers;
- fourth party/supply chain dependencies, for instance, where multiple otherwise unconnected service providers depend on the same sub-contractor for the delivery of their services;
- arrangements with service providers that are difficult or impossible to substitute; and/or
- concentration of outsourcing and other third party dependencies in a close geographical location, such as one jurisdiction. This type of concentration may arise even if a firm uses multiple, unconnected third party service providers, for instance, a business process outsourcing or offshoring hub.
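The fourth-party and geographical concentration described in paragraph 5.24 only becomes visible once sub-outsourcing chains and locations are recorded alongside each arrangement and then queried across the whole inventory. The following is an added illustration, not part of this SS or of any PRA tooling: it takes a constructed third party inventory (provider, sub-contractor and jurisdiction names are hypothetical) and surfaces sub-contractors shared by otherwise unconnected providers, the number of distinct entities the firm depends on per jurisdiction, and which services a single entity's failure would disrupt.

```python
"""Fourth-party and geographic concentration across a third party inventory.

Added illustration, not part of SS2/21. The inventory below is constructed;
provider, sub-contractor and jurisdiction values are hypothetical.
"""
from collections import defaultdict

# Constructed inventory: one row per arrangement, including the sub-outsourced
# providers (name, jurisdiction) the service provider itself relies on.
ARRANGEMENTS = [
    {"service": "payments processing", "provider": "PayCo", "jurisdiction": "IE",
     "subcontractors": [("CloudA", "IE")]},
    {"service": "core banking hosting", "provider": "HostCo", "jurisdiction": "GB",
     "subcontractors": [("CloudA", "IE")]},
    {"service": "call centre", "provider": "BPO Ltd", "jurisdiction": "IN",
     "subcontractors": [("TelcoX", "IN")]},
    {"service": "KYC screening", "provider": "KYCInc", "jurisdiction": "IN",
     "subcontractors": [("CloudA", "IE"), ("DataY", "IN")]},
]


def shared_subcontractors(arrangements):
    """Map each sub-contractor to the providers that depend on it.

    A sub-contractor reached through two or more otherwise unconnected providers
    is a fourth-party concentration: a single point of failure the firm has no
    direct contract with. Only such sub-contractors are returned.
    """
    users = defaultdict(set)
    for a in arrangements:
        for sub, _ in a["subcontractors"]:
            users[sub].add(a["provider"])
    return {sub: sorted(p) for sub, p in users.items() if len(p) >= 2}


def jurisdiction_exposure(arrangements):
    """Count distinct providers and sub-contractors per jurisdiction.

    Geographic concentration is counted across the full chain, so it shows up
    even when every direct provider is a different, unconnected company.
    """
    entities = defaultdict(set)
    for a in arrangements:
        entities[a["jurisdiction"]].add(a["provider"])
        for sub, j in a["subcontractors"]:
            entities[j].add(sub)
    return {j: len(e) for j, e in entities.items()}


def services_exposed_to(arrangements, entity):
    """Services disrupted if `entity` (provider or sub-contractor) fails."""
    return sorted(
        a["service"] for a in arrangements
        if a["provider"] == entity or any(s == entity for s, _ in a["subcontractors"])
    )


if __name__ == "__main__":
    print("Shared sub-contractors:", shared_subcontractors(ARRANGEMENTS))
    print("Entities per jurisdiction:", jurisdiction_exposure(ARRANGEMENTS))
    print("Services exposed to CloudA:", services_exposed_to(ARRANGEMENTS, "CloudA"))
```

In the constructed data three unconnected providers all run on the same hypothetical sub-contractor, so its failure takes out three important business services at once, and the Indian jurisdiction carries more distinct dependencies than any direct contract suggests; these are the two patterns paragraph 5.24 asks firms to (re)assess periodically.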