Prudential Regulation Authority Rulebook

8.1

A third country branch should ensure that when relying on a third party for the performance of operational functions which are critical for the performance of its regulated activities, listed activities or ancillary services on a continuous and satisfactory basis, it takes reasonable steps to avoid undue additional operational risk.

8.2

A third country branch should not undertake the outsourcing of important operational functions in such a way as to impair materially:

• the quality of its internal control; and
• the ability of the appropriate regulator to monitor the branch’s compliance with all obligations under the regulatory system.

8.3

Internal Governance for Third Country Branches 2.1 requires a third country branch to have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Except in relation to those functions described in 8.5, where a firm relies on a third party for the performance of operational functions which are not critical or important for the performance of relevant services and activities (see 8.1). On a continuous and satisfactory basis, it should take into account in a manner that is proportionate given the nature, scale and complexity of the outsourcing, the provisions in this section in complying with the rule.

8.4

An operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a third country branch with the conditions and obligations of its authorisation or its other obligations under the regulatory system, its financial performance, or the soundness or the continuity of its relevant services and activities.

8.5

Without prejudice to the status of any other function, the following functions should not be considered as critical or important for the purposes of this section:

• the provision to the branch of advisory services, and other services which do not form part of the relevant services and activities of the branch, including the provision of legal advice to the branch, the training of personnel of the branch, billing services and the security of the branch’s premises and personnel; and
• the purchase of standardised services, including market information services and the provision of price feeds.

8.6

The PRA expects a third country branch to exercise due skill, care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any relevant services and activities.

8.7

A third country branch should take the necessary steps to ensure that the following conditions are satisfied:

• the service provider should have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
• the service provider should carry out the outsourced services effectively, and to this end the branch establishes methods for assessing the standard of performance of the service provider;
• the service provider should properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
• appropriate action should be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
• the branch should retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, and supervise those functions and manage associated risks;
• the service provider should disclose to the branch any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
• the branch should be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
• the service provider should co-operate with the PRA and any other relevant competent authority in connection with the outsourced activities;
• the branch, its auditors, the PRA and any other relevant competent authority should  have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the appropriate regulator and any other relevant competent authority must be able to exercise those rights of access;
• the service provider should protect any confidential information relating to the branch and its clients; and
• the branch and the service provider should establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.

8.8

A third country branch should ensure that the respective rights and obligations of the branch and the service provider are clearly allocated and set out in a written agreement.

8.9

If a third country branch and the service provider are members of the same group, the branch may, for the purposes of 8.6 to 8.8 and 8.10 and 8.11, take into account the extent to which the branch controls the service provider or has the ability to influence its actions.

8.10

A third country branch should make available on request to the PRA and any other relevant competent authority, all information necessary to enable the PRA and any other relevant competent authority to supervise the compliance of the performance of the outsourced activities with the requirements of the regulatory system.

8.11

A third country branch should notify the PRA when it intends to rely on a third party for the performance of operational functions which are critical or important for the performance of relevant services and activities on a continuous and satisfactory basis.