9
Sub-outsourcing
9.1
The EBA Outsourcing GL define ‘sub-outsourcing’ as ‘a situation where the service provider under an outsourcing arrangement further transfers an outsourced function to another service provider’, which may also include part of an outsourced function. The PRA Rulebook also explicitly acknowledges that a service provider may perform ‘a process, a service or an activity which would otherwise be undertaken by the firm itself […] directly or by sub-outsourcing’. Sub-outsourcing, which is also sometimes referred to as ‘chain’ outsourcing, can amplify certain risks in material outsourcing, including:
- limiting firms’ ability to manage the risks of the outsourcing arrangement, in particular, where there are large chains of sub-outsourced service providers spread across multiple jurisdictions; and
- giving rise to additional or increased dependencies on certain service providers, which the firm may not be fully aware of or may not want.
- 31/03/2022
Firms’ oversight of sub-outsourcing
9.3
The PRA expects firms to assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that firms have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers.
9.4
The PRA expects firms to pay particular attention to the potential impact of large, complex sub-outsourcing chains on their operational resilience, including their ability to remain within impact tolerances during operational disruption. Firms should also consider whether extensive sub-outsourcing could compromise their ability to oversee and monitor an outsourcing arrangement.
9.5
Firms should assess whether sub-outsourcing meets the materiality criteria set out in Chapter 5, which includes the potential impact on the firm’s operational resilience and the provision of important business services. Firms should only agree to material sub-outsourcing if:
- the sub-outsourcing will not give rise to undue operational risk for the firm in line with Outsourcing 2.1(1) (banks) and Conditions Governing Business 7.2(2) (insurers); and
- sub-outsourced service providers undertake to:
  - comply with all applicable laws, regulatory requirements, and contractual obligations; and
  - grant the firm, Bank, and PRA equivalent contractual access, audit, and information rights to those granted to the service provider.
9.6
Firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies. This includes establishing that the service provider has in place robust testing, monitoring, and control over its sub-outsourcing.
9.7
If the proposed material sub-outsourcing could have significant adverse effects on a material outsourcing arrangement or would lead to a substantive increase of risk, the firm should exercise its right to object to the material sub-outsourcing and/or terminate the contract.
9.8
There may be situations where the same service provider has a direct contractual relationship with a firm and is also a sub-outsourced service provider to that firm. An example might be a firm that has an agreement with a cloud service provider that provides services to one or more software vendors used by that firm. In those situations, where appropriate, firms may leverage their direct contractual relationship with that service provider to assess its resilience in respect of all the services it relies on that provider for, including as a material sub-outsourced service provider.
Written agreement
9.9
In line with Chapter 6, the PRA expects written agreements for material outsourcing to indicate whether or not material sub-outsourcing is permitted, and if so:
- specify any activities that cannot be sub-outsourced;
- establish the conditions to be complied with in the case of permissible sub-outsourcing, including specifying that the service provider is obliged to oversee those services that it has sub-contracted to ensure that all contractual obligations between the service provider and the firm are continuously met;
- require the service provider to:
  - obtain prior specific or general written authorisation from the firm before transferring data (see Article 28 GDPR); and
  - inform the firm of any planned sub-outsourcing or material changes, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes to sub-contractors and to the notification period. Firms should be informed sufficiently early to allow them to at least carry out a risk assessment of the proposed changes and object to them before they come into effect;
- ensure that, where appropriate, firms have the right to:
  - explicitly approve or object to the intended material sub-outsourcing or significant changes thereto; and
- ensure that the firm has the contractual right to terminate the agreement in the case of specific circumstances (eg where the sub-outsourcing materially increases the risks for the firm or where the service provider sub-outsources without notifying the firm).
Termination Rights
Some non-exhaustive examples of situations where a firm may consider exercising its contractual right to terminate the outsourcing agreement include if: