6 Outsourcing agreements

6.1 In line with Article 31(3) of MODR (banks) and 274(3)(c) of the Solvency II Delegated Regulation (insurers), all outsourcing arrangements must be set out in a written agreement.

6.2 Where there is a master service agreement that allows firms to add or remove certain services, each outsourced service should be appropriately documented, although not necessarily in a separate agreement.

6.3 Firms should ensure that written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Moreover, regardless of materiality, firms should ensure that outsourcing agreements do not impede or limit the PRA’s ability to effectively supervise the firm or outsourced activity, function, or service.

Material outsourcing agreements

6.4 Written agreements for material outsourcing should set out at least:

  • a clear description of the outsourced function, including the type of support services to be provided;
  • the start date, next renewal date, end date, and notice periods regarding termination for the service provider and the firm;
  • the governing law of the agreement;
  • the parties’ financial obligations;
  • whether the sub-outsourcing of a material function or part thereof is permitted and, if so, under which conditions;
  • the location(s), ie regions or countries, where the material function or service will be provided, and/or where relevant data will be kept, processed, or transferred, including the possible storage location, and a requirement for the service provider to give reasonable notice to the firm in advance if it proposes to change said location(s);
  • provisions regarding the accessibility, availability, integrity, confidentiality, privacy, and safety of relevant data (see Chapter 7);
  • the right of the firm to monitor the service provider’s performance on an ongoing basis (this may be by reference to KPIs);
  • the agreed service levels, which should include qualitative and quantitative performance criteria and allow for timely monitoring, so that appropriate corrective action can be taken if these service levels are not met;
  • the reporting obligations of the service provider to the firm, including a requirement to notify the firm of any development that may have a material or adverse impact on the service provider’s ability to effectively perform the material function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements;
  • whether the service provider should take out mandatory insurance against certain risks and, if applicable, the level of insurance cover requested;
  • the requirements for both parties to implement and test business contingency plans. For the firm, these should take account of its impact tolerances for important business services. Where appropriate, both parties should commit to take reasonable steps to support the testing of such plans;
  • provisions to ensure that data owned by the firm can be accessed promptly in the case of the insolvency, resolution, or discontinuation of business operations of the service provider;
  • the obligation of the service provider to co-operate with the PRA and the Bank, as resolution authority, including persons appointed to act on their behalf (see Chapter 8, including the section on the Bank’s and PRA’s information gathering and investigatory powers);
  • for banks, a clear reference to the Bank’s resolution powers, especially under sections 48Z and 70C-D of the Banking Act 2009 (implementing Articles 68 and 71 of Directive 2014/59/EU (BRRD)), and in particular, a description of the ‘substantive obligations’ of the written agreement in the sense of Article 68 of that Directive;
  • the rights of firms and the PRA to inspect and audit the service provider with regard to the material outsourced function (see Chapter 8);
  • if relevant:
    • appropriate and proportionate information security related objectives and measures, including requirements such as minimum ICT security requirements, specifications of firms’ data lifecycles, and any requirements regarding data security (see Chapter 7), network security, and security monitoring processes; and
    • operational and security incident handling procedures, including escalation and reporting; and
  • termination rights and exit strategies covering both stressed and non-stressed scenarios, as specified in Chapter 10. As in the case of business contingency plans, both parties should commit to take reasonable steps to support the testing of firms’ termination plans. Firms may elect to limit contractual termination rights to situations such as:
    • material breaches of law, regulation, or contractual provisions;
    • those that create risks beyond their tolerance; or
    • those that are not adequately notified and remediated in a timely manner.

6.5 If an outsourced service provider in a material outsourcing arrangement is unable or unwilling to contractually facilitate a firm’s compliance with its regulatory obligations and expectations, including those in paragraph 6.4, firms should make the PRA aware of this.