Prudential Regulation Authority Rulebook

1.1

This Supervisory Statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. In particular:

• Chapter 2 elaborates on the definition of ‘outsourcing’ in the PRA Rulebook. It also notes that there are arrangements between firms and third parties that fall outside this definition (‘third party arrangements’) and are consequently outside of the scope of existing requirements on outsourcing and some of the detailed expectations in this SS. However, these third party arrangements are still subject to the PRA Fundamental Rules and other PRA requirements and expectations on business continuity, governance, operational resilience, and risk management (including but not limited to cyber risk).
• Chapter 3 clarifies how the principle of proportionality applies to the expectations in this SS. In particular, to intragroup outsourcing and to ‘non-significant firms’ (as defined in paragraph 3.9 of this SS).
• Chapter 4 sets out the PRA’s expectations on governance, including under the Senior Managers and Certification Regime (SM&CR), and record keeping.
• Chapter 5 sets out the PRA’s expectations for firms during the pre-outsourcing phase. It addresses the materiality and risk assessments of their outsourcing and other third party arrangements (including notification to the PRA where required), and firms’ due diligence on third parties.
• Chapter 6 lists the areas that the PRA expects written agreements relating to material outsourcing to address as a minimum. The following four areas are then examined in detail in Chapters 7–10:
  • data security (Chapter 7);
  • access, audit, and information rights (Chapter 8);
  • sub-outsourcing (Chapter 9); and
  • business continuity and exit strategies (Chapter 10).

1.2

This SS is relevant to all:

• UK banks, building societies, and PRA-designated investment firms (hereafter banks);
• insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents (hereafter insurers); and
• UK branches of overseas banks and insurers (hereafter third-country branches). Entities in scope of this SS are collectively referred to as ‘firms’.

1.3

Some of the requirements and expectations referred to in this SS also apply to credit unions and non-directive firms (NDFs). In particular, paragraph 1.8, the requirements in Table 2; paragraphs 5.11–5.12; and the PRA statutory powers and requirements in Tables 6 and 7. The remaining expectations in this SS do not apply to credit unions and NDFs.

1.4

Firms are expected to comply with the expectations in this SS by Thursday 31 March 2022. Outsourcing arrangements entered into on or after Wednesday 31 March 2021 should meet the expectations in this SS by Thursday 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before Wednesday 31 March 2021 at the first appropriate contractual renewal or revision point to meet the expectations in this SS as soon as possible on or after Thursday 31 March 2022.

1.5

The aims of this SS are to:

• ‘facilitate greater resilience and adoption of the cloud and other new technologies’ as set out in the Bank of England (the Bank)’s response to the ‘Future of Finance’ report;

• complement the requirements and expectations on operational resilience in the PRA Rulebook; SS1/21 ‘Operational resilience: Impact tolerances for important business services’; and the Statement of Policy (SoP) ‘Operational resilience’; and^[1]

• implement the:

  • European Banking Authority (EBA) ‘Guidelines on outsourcing arrangements’ (EBA Outsourcing GL).^[2] This SS clarifies how the PRA expects banks to approach the EBA Outsourcing GL in the context of its requirements and expectations. In addition, certain chapters in this SS expand on the expectations in the EBA Outsourcing GL, for instance Chapters 7 (Data security) and 10 (Business continuity and exit plans); and^[3]

  • relevant sections of the EBA ‘Guidelines on ICT and security risk management’ (EBA ICT GL).^[4]

1.6

In line with the Statement of Policy (SoP) ‘Interpretation of EU Guidelines and Recommendations: Bank of England and PRA approach after the UK’s withdrawal from the EU’,^[5] the PRA has not formally implemented the following Guidelines, which came into force after the implementation period:

• European Insurance and Occupational Pensions Authority (EIOPA) ‘Guidelines on outsourcing to cloud service providers’ (EIOPA Cloud GL);^[6]
• EIOPA ‘Guidelines on information and communication technology security and governance’ (EIOPA ICT GL);^[7]
• European Securities and Markets Authority (ESMA) ‘Guidelines on outsourcing to cloud service providers’ (ESMA Cloud GL);^[8]

1.7

However, the PRA took these draft Guidelines into consideration when developing its policy and considers that the expectations in this SS are at least equivalent to them in effectiveness and substance. The PRA sought to avoid undue divergences from the draft Guidelines referred to in paragraph 1.5, but it followed its own approach where it deemed it to be beneficial, or to advance the PRA’s statutory objectives. In particular, this SS complements and strengthens the PRA’s requirements and expectations on operational resilience and aims promotes consistency among banks and insurers. The SS should be the primary source of reference for UK firms when interpreting and complying with PRA requirements on outsourcing and third party risk management. Firms with operations in both the UK and the EU should comply with applicable Guidelines in respect of their EU operations.

1.8

To ensure a consistent approach across PRA-regulated firms, the expectations in this SS apply to all forms of outsourcing and, where indicated, other non-outsourcing third party arrangements entered into by firms. In addition, this SS includes specific examples, references, and chapters (eg Chapter 7) which aim to address the specific characteristics of cloud usage and set out conditions that can help give firms assurance and deploy it ‘in a safe and resilient manner’.^[9] In developing the expectations in this SS, including in relation to cloud usage, the PRA has taken into account international standards including but not limited to the:

• Basel Committee on Banking Supervision (BCBS) [draft] ‘Principles for operational resilience’ (BCBS Operational Resilience Principles);^[10]
• Financial Stability Board (FSB) ‘Effective Practices for Cyber Incident Response and Recovery’ (FSB Effective Practices);^[11]
• ‘G-7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector’ (G-7 Third-Party Elements);^[12] and
• International Organisation of Securities Commissions’ (IOSCO) [draft] ‘Principles on Outsourcing’.^[13]

1.9

To promote clarity and certainty, this SS references other regulatory requirements that govern outsourcing (and in some cases other third party arrangements) by firms. Firms are required to comply with the obligations in these sources. This SS should therefore be read alongside and interpreted consistently with all relevant sources of law, including those in Tables 1 and 2 below.

Table 1: Existing requirements and expectations on outsourcing for banks and insurers^[14]

1.10

The PRA considers that the expectations in the SS are compatible with all relevant Financial Conduct Authority (FCA) rules and guidance for dual-regulated firms, including on operational resilience. The FCA’s rules and guidance on outsourcing and third party risk management are substantively aligned to the equivalent PRA requirements and expectations in Tables 1 and 2, and are set out mainly in the Systems and Controls (SYSC) Sourcebook of the FCA Handbook^[20] (in particular SYSC8 (banks) and SYSC13.9 (insurers)), as well as in FCA ‘Finalised Guidance 16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services’, where applicable.^[21]

1.11

Although the majority of the detailed expectations in this SS do not apply to credit unions and NDFs, the PRA expects credit unions and NDFs to manage their outsourcing and third party arrangements prudently in a manner consistent with the PRA’s objectives. The PRA will consider the extent to which they have done so when assessing their compliance with the requirements in Table 2.

Table 2: Requirements and expectations on outsourcing for credit unions and non-directive firms