4

Governance and record-keeping

4.1

This chapter sets out the PRA’s expectations on:

  • board engagement on outsourcing;
  • allocation of responsibilities;
  • outsourcing and the SM&CR;
  • outsourcing policies; and
  • record-keeping, in particular regarding the Outsourcing Register.

4.2

In this chapter, the term ‘board’ encompasses the terms ‘governing body’ and ‘management body’ in the PRA Rulebook, and refers to the board of directors or equivalent body in a firm.

Governance

Board engagement on outsourcing

4.3

Boards and senior management, in particular individuals performing SMFs, cannot outsource their responsibilities. Firms that enter into outsourcing arrangements remain fully accountable for complying with all their regulatory obligations. This is a key principle underlying all requirements and expectations regarding outsourcing and non-outsourcing third party arrangements, including the expectations in this SS.

4.4

Firms’ boards should:

  • set ‘the control environment throughout the firm, including the appetite and tolerance levels in respect of outsourcing’ and third party risk management;
  • ‘bear responsibility for the effective management of all risks to which the firm is exposed’, including by:
    • appropriately ‘identifying and [having an] understanding of the firm’s reliance on critical service providers’; and
    • ensuring that the firm has ‘(from board level downwards) appropriate and effective risk management systems and strategies in place to deal with outsourced service providers’.[28]

In line with SS5/16 ‘Corporate governance: Board responsibilities’, the PRA expects management information on outsourcing provided to the board to be clear, consistent, robust, timely, and well-targeted, and to contain an appropriate level of technical detail to facilitate effective oversight and challenge by the board.[29]

Shared responsibility model

4.5

As part of ensuring effective governance of an outsourcing arrangement, the PRA expects firms to define, document, and understand their and the service provider’s respective responsibilities. In the case of cloud computing, the term commonly used to help firms and cloud providers understand their respective obligations is the ‘shared responsibility model’.

Table 3 sets out an example of how the shared responsibility model operates in the case of data outsourced to cloud service providers.

Table 3: The shared responsibility model in cloud outsourcing

Cloud service providers tend to operate under the ‘shared responsibility model’ whereby:

  • the firm is responsible for what is in the cloud and the cloud service provider is responsible for the provision of the cloud;
  • firms remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations, and adopting a risk-based approach to the location of data. They also remain responsible for configuration and monitoring of their data in the cloud to reduce security and compliance incidents;
  • cloud service providers assume responsibility for the infrastructure running the outsourced service, eg data centres, hardware, software etc.; and
  • firms and service providers share other responsibilities depending on the service model, eg Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), etc.[30]

Footnotes

  • 30. As defined in the EBA Outsourcing Guidelines.

Empty shells

4.6

Firms should avoid becoming ‘empty shells’ that are incapable of meeting the Threshold Conditions. The following Threshold Conditions are particularly relevant:

  • being capable of being effectively supervised by the PRA;
  • the ‘suitability’ Threshold Condition in Sections 4E (Part 1A) (insurers) and 5E (Part 1E) (banks) of FSMA. This should include retaining a clear and transparent organisational framework and structure; and
  • conducting their business in a prudent manner, including having appropriate non-financial (as well as financial) resources. Further guidance on the PRA’s approach to the Threshold Conditions is set out in paragraph 21 of ‘The PRA’s approach to banking supervision’ and paragraph 25 of ‘The PRA’s approach to insurance supervision’ (together, the ‘Approach Documents’).[31]

Outsourcing and the SM&CR

4.7

Allocation of Responsibilities 4.1(21) (banks) and Insurance – Allocation of Responsibilities 3.1(A3)(12) (insurers) require firms to allocate a Prescribed Responsibility for a firm’s regulatory obligations in relation to outsourcing to an SMF.

4.8

The PRA generally expects but does not require this Prescribed Responsibility to be allocated to (one of) the individuals performing the Chief Operations Senior Management Function (SMF24) if a firm has one or more individuals performing that SMF. As noted in SS28/15 for banks and SS35/15 for insurers, the SMF24 can be split among more than one individual in certain circumstances. SMF24s may also be responsible for other areas or activities relevant to the expectations in this SS, such as the firm’s information security policy.

4.9

Firms should interpret this Prescribed Responsibility as encompassing the firm’s overall framework, policy, and systems and controls relating to outsourcing. Responsibility for individual outsourcing arrangements may still lie with relevant business lines or other areas of the firm. The free text section of the relevant SMF’s Statement of Responsibilities should describe this responsibility in an appropriate level of detail, in line with SS28/15.

Outsourcing policy

4.10

Firms’ boards should approve, regularly review, and implement a written outsourcing policy. As noted in Chapter 2 of this SS, firms may apply this policy or parts thereof to all third party arrangements. This policy should align to and draw upon other relevant firm policies and strategies. For instance:

  • business model and strategy;
  • business continuity;
  • conflicts of interest;
  • data protection;
  • ICT;
  • information and cyber security;
  • operational resilience;
  • OCIR;
  • (if applicable) ring-fencing; and
  • risk management.

4.11

Firms should make outsourced and third party providers aware of relevant internal policies, including those on outsourcing, ICT, information security, or operational resilience. Where firms’ policies include confidential or sensitive information, firms can omit or redact it and only share those sections relevant to the performance of the outsourced or third party service. Sharing these policies with third party service providers does not dilute firms’ responsibilities in terms of managing their outsourcing and third party arrangements, but can help third party service providers get a better understanding of firms’ regulatory obligations and other relevant aspects such as their risk tolerance and expected service levels.

4.12

As discussed further in Chapter 10, firms’ business continuity plans under General Organisational Requirements 2.5 and 2.6 (banks) and Conditions Governing Business 2.6 (insurers) should take into account:

  • the possibility that the quality of the provision of material outsourced services deteriorates to unacceptable levels;
  • the potential impact of the insolvency or other failure of the service provider or the failure of the service (see Chapter 10); and
  • where relevant, political and other risks in the service provider’s jurisdiction.

4.13

There is no ‘one-size-fits-all’ template for firms’ outsourcing policies, and the policy does not have to be contained in a single document. Firms and groups are responsible for developing and maintaining a policy that is appropriate to their complexity, organisational structure, and size (see Chapter 3).

4.14

The outsourcing policy should be principles-based and may be supported by detailed procedures developed, approved, and maintained below board level. However, it should be sufficiently detailed to provide adequate guidance for firms’ staff on how to apply its requirements in practice. At a minimum, it should cover the areas in Table 4.

Table 4: Contents of the outsourcing policy
General
  • The responsibilities of the board, including its involvement, as appropriate, in decisions about material outsourcing.
  • The involvement of business lines, internal control functions, and other individuals (in particular, SMFs) in respect of outsourcing arrangements.[32]
  • Links to other relevant policies (see paragraph 4.10).
  • Documentation and record-keeping.
  • Procedures for the identification, assessment, management, and mitigation of potential relevant conflicts of interest.[33]
  • Business continuity planning (BCP) (see paragraph 4.12).
  • Differences, if any, between the approach to:
    • intragroup outsourcing vs outsourcing to external service providers;
    • material vs non-material outsourcing;
    • outsourcing to service providers regulated or overseen by the Bank, PRA, or FCA vs unregulated service providers; and
    • outsourcing to service providers in specific jurisdictions outside the UK.
Pre-outsourcing & on-boarding
  • The processes for vendor due diligence and for assessing the materiality and risks of outsourcing arrangements (including notification to the PRA where required).
  • Responsibility for signing-off new outsourcing arrangements, in particular material outsourcing arrangements.
Oversight

Procedures for the ongoing assessment of service providers’ performance, including where appropriate:

  • day-to-day oversight, including incident reporting, periodic performance assessment against service level agreements, and periodic strategic assessments;
  • being notified and responding to changes to an outsourcing arrangement or service provider (eg to its financial position, organisational or ownership structures, or sub-outsourcing);
  • independent review and audit of compliance with legal and regulatory requirements and policies; and
  • renewal processes.
Termination
  • Exit strategies and termination processes, including a requirement for a documented exit plan for material outsourcing arrangements where such an exit is considered possible, explicitly catering for the unexpected termination of an outsourcing agreement (a stressed or unplanned exit), and taking into account possible service interruptions (and the firm’s impact tolerance for important business services) (see Chapter 10).

Footnotes

  • 32. See paras 50–51 of the EBA Outsourcing Guidelines in respect of the role of the internal audit function in particular.
  • 33. See paras 45–47 of the EBA Outsourcing Guidelines.

Record-keeping

4.15

The PRA expects all firms to keep appropriate records of their outsourcing arrangements. The PRA considers that a firm, in complying with 2.3(1)(e) of the Notifications Part of the PRA Rulebook, would likely already have records of its material outsourcing arrangements for this purpose. The records should also be sufficient to enable the firm to fulfil the expectations concerning concentration risk set out in 5.24. Firms should also make any information on their outsourcing and third party arrangements of which the PRA would reasonably expect notice available to it in accordance with Fundamental Rule 7. The PRA may, if appropriate and justified, also request data on firms’ outsourcing arrangements under section 165 of FSMA.[34]

Footnotes

  • 34. The PRA may exercise, under section 165A of the Financial Services and Markets Act 2000 (FSMA), the power to require certain persons to provide (i) specified information or information of a specified description; or (ii) specified documents or documents of a specified description, that it considers are, or might be, relevant to the stability of one or more aspects of the UK financial system (the financial stability information power).

4.16

From Friday 31 December 2021, the EBA Outsourcing Guidelines expect banks to maintain an up-to-date register of information on all their outsourcing arrangements, distinguishing between those which are material and those which are not (‘Outsourcing Register’). Banks are already expected to maintain a register of their cloud outsourcing arrangements (‘Cloud Register’) in line with the EBA Cloud Recommendations. Banks are expected to continue to maintain the Cloud Register until the Outsourcing Register subsumes it on Friday 31 December 2021.