8

Access, audit, and information rights

Bank and PRA information gathering and investigatory powers

8.1

Independent of the expectations on access, audit, and information rights set out later in this chapter, the Bank and PRA have a range of statutory information-gathering and investigatory powers, some of which may apply directly to outsourced service providers as well as firms. The PRA expects firms to make service providers aware of the powers and requirements as set out in Tables 6 and 7 below, which are not exhaustive. However, failure to do so will not affect their applicability.

Table 6: Bank and PRA statutory information-gathering or investigatory powers

| Firms (all, banks or insurers)[44] | Outsourcing (all or material) | Statutory power | Description | Directly applicable to service providers as well as firms? (Yes or No) |
|---|---|---|---|---|
| All | All | Section 165A FSMA | The PRA can require service providers to provide it with information it considers ‘is or might be, relevant to the stability of the UK financial system.’[45] | Yes |
| All | All | Section 166(7)(b) FSMA | Any entity which is providing or has provided services to a firm in relation to matters subject to a section 166 review must give the skilled person all such assistance as they may reasonably require. | Yes |
| All | All | Section 166(2)(b) FSMA | The PRA can require any member of the authorised person’s group to provide information or produce documents with respect to any matter. | No |
| Banks | All | Section 3A of the Banking Act 2009 (see also sections 83ZA and 83ZB of the Banking Act 2009) | The Bank as a resolution authority can direct a firm to produce information that is relevant to the exercise of its stabilisation powers and to provide that information to the Bank. | No |
| Insurers | All | Section 165(7)(e) of FSMA | The PRA can require a person who provides any service to an insurer to provide specified documents or information. | Yes |

Table 7: PRA rules on access, information, and audit rights

| Firms | Outsourcing | PRA rule | Description | Directly applicable to service providers as well as firms? (Yes or No) |
|---|---|---|---|---|
| Insurers | All | Conditions Governing Business 7.4 | Service providers must co-operate with the PRA and, where relevant, any other supervisory authority of the firm in connection with the function or activity outsourced by the firm. The firm, its auditors, the PRA and, where relevant, other supervisory authority of the firm must have effective access to data related to the functions or activities that have been outsourced. | No |
| All | Material | Information Gathering 2.2 and 3.3 | Firms must take reasonable steps to ensure their suppliers under material outsourcing arrangements: (i) deal with the PRA in an open, co-operative and timely way in the discharge of the PRA’s functions under relevant legislation; and (ii) permit any representative or appointee of the PRA to have access, with or without notice, during reasonable business hours, to any of its business premises, in relation to the discharge of the PRA’s functions under any relevant legislation in relation to the firm. | No |

Non-material outsourcing arrangements

8.2

The PRA expects firms to adopt a risk-based approach to access, audit, and information rights in respect of non-material outsourcing arrangements. In doing so, they should take into account the arrangement’s riskiness and the likelihood of it becoming material in the future (see Chapter 5).

Material outsourcing arrangements

8.3

Building on Chapter 6, the PRA expects firms to take reasonable steps to ensure that written agreements for material outsourcing arrangements provide firms, firms’ auditors, the PRA, the Bank (as a resolution authority), and any other person appointed by firms or the Bank and PRA, with full access and unrestricted rights for audit and information to enable firms to:

  • comply with their legal and regulatory obligations; and
  • monitor the arrangement.

8.4

Access, audit, and information rights in material outsourcing arrangements should include where relevant:

  • data, devices, information, systems, and networks used for providing the outsourced service or monitoring its performance. This may include, where appropriate, the service provider’s policies, processes, and controls on data ethics, data governance, and data security;
  • the results of security penetration testing carried out by the outsourced service provider, or on its behalf, on its applications, data, and systems to ‘assess the effectiveness of implemented cyber and internal IT security measures and processes’;
  • company and financial information; and
  • the service provider’s external auditors, personnel, and premises.

8.5

The PRA considers that it is not sufficient for firms merely to negotiate adequate access, audit, and information rights; these must also be used when appropriate. The purpose of the rights outlined in this chapter is to support firms’ identification, assessment, management, and mitigation of any identified risks relating to a material outsourcing arrangement. The appropriate exercise of these rights is key to providing the assurance that such an arrangement is being provided as agreed with the outsourced provider and in line with regulatory requirements.

Pooled audits and third party certificates and reports

8.6

The PRA expects firms to exercise their access, audit, and information rights in respect of material outsourcing arrangements in an outcomes-focused way, to assess whether the service provider is providing the relevant service effectively and in compliance with the firm’s legal and regulatory obligations and expectations, including as regards operational resilience.

8.7

Firms may use a range of audit and other information gathering methods, including:

  • offsite audits, such as certificates and other independent reports supplied by service providers; and
  • onsite audits, either individually or in conjunction with other firms (pooled audits).

8.8

Firms can choose any appropriate audit method as long as it enables them to meet their legal, regulatory, operational resilience, and risk management obligations. The level of assurance expected will, however, become more onerous depending on proportionality (ie whether the firm is significant (see Chapter 3)) and the materiality of the arrangement (see Chapter 5). For instance, a significant firm that outsources an important business service for which it has set a low impact tolerance should demand a higher level of assurance.

Third party certificates and reports

8.9

Certificates and reports supplied by service providers may help firms obtain assurance on the effectiveness of the service provider’s controls. However, in material outsourcing arrangements, the PRA expects firms to:

  • assess the adequacy of the information in these certificates and reports, and not assume that their mere existence or provision is sufficient evidence that the service is being provided in accordance with their legal, regulatory, and risk management obligations; and
  • ensure that certificates and audit reports meet the expectations in Table 8.

Table 8: Expectations for certificates and audit reports

Scope
  • Key systems and controls identified by the firm (eg applications, infrastructure, data centres, and processes).
  • Compliance with relevant requirements (eg PRA rules and EBA Outsourcing GL).
Content
  • Up-to-date information.
  • Reviewed regularly to reflect updates to the service provider’s controls, new or revised legal, regulatory requirements, or expectations and recognised standards.
  • Where available, the PRA encourages the use of online, real-time reporting tools.
Expertise, qualification, and skills
  • The auditing or certifying party and the person at the firm responsible for reviewing the certificate or report should have appropriate expertise, qualifications, and skills.
Process
  • Test the effectiveness of the service provider’s key systems and controls.
  • Be performed in line with recognised standards.

8.10

In material outsourcing arrangements, the PRA expects firms to retain the contractual rights to:

  • request additional, appropriate, and proportionate information if such a request is justified from legal, regulatory, or risk management perspectives; and
  • perform onsite audits (individual or pooled) at their discretion.

Onsite audits

8.11

Before an onsite audit, the PRA expects firms, individuals, and organisations acting on their behalf to:

  • provide reasonable notice to the service provider, unless this is not possible due to a crisis or emergency, or because it would defeat the purpose of the audit. Such notice should include the location and purpose of the visit and the personnel that will participate in the visit;
  • verify that whoever is performing the audit has appropriate expertise, qualifications, and skills; and
  • take care if undertaking an audit of a multi-tenanted environment (eg a cloud data centre) to avoid or mitigate risks to other clients of the service provider in the course of the audit (eg availability of data, confidentiality, impact on service levels).

8.12

Certain types of onsite audit may create an unmanageable risk for the environment of the provider or its other clients, for example, by impacting service levels or the confidentiality, integrity, and availability of data. In such cases, the firm and the service provider may agree alternative ways to provide an equivalent level of assurance, for instance, through the inclusion of specific controls to be tested in a report or certification. The PRA expects that firms should retain their underlying right to conduct an onsite audit. For material outsourcing arrangements, the PRA would expect the firm to inform its supervisor if alternative means of assurance have been agreed.

Pooled audits

8.13

Pooled audits may be organised by groups of firms sharing one or more service providers or facilitated by the service providers. They may be performed by representatives of the participating firms or specialists appointed on their behalf. Pooled audits can be more efficient and cost effective for firms and less disruptive for service providers running multi-tenanted environments. They can also help spread costs and disseminate best industry practices with regard to audit methods among firms.

8.14

Where pooled audits lead to common, shared findings, the PRA expects each participating firm to assess what these findings mean for it individually, and whether they require any follow-up on its part.