Operational Resilience: PRA CP 29/19 and FCA CP19/32
2 January 2020
Changes proposed to Outsourcing rules as part of Operational Resilience consultations
The PRA and FCA issued a joint consultation paper on operational resilience and the PRA has issued a further consultation on outsourcing:
PRA CP 29/19 Operational Resilience: Impact tolerances for important business services
PRA CP30/19 Outsourcing and third party risk management
FCA CP19/32 Outsourcing and operational resilience
The PRA’s consultation paper is stated to reflect a worldwide move by supervisory authorities to update their rules, guidance, and supervisory practices on outsourcing and third party risk, due to firms’ evolving practices, including use of the Cloud. The period for consultation has been extended to 1 October 2020, in view of the impact of Covid-19, so any changes are unlikely to take place until 2021. That time is going to be needed because there are a few things you will want to start preparing for now.
Whilst most of the draft rules are developments to, or updates of, existing requirements as opposed to wholesale changes, the PRA and FCA want to be more prescriptive on:
How materiality is assessed, by the use of common criteria
Due diligence and risk assessment
Intra group outsourcing
Your outsourcing policy, by itemising minimum contents, including governance
The written agreement with the service provider, by itemising minimum contents, including data security, access, audit and information rights, sub-outsourcing and business continuity and exit strategies.
If you are dual-regulated then you will also be expected to maintain an Outsourcing Register: a list of all your outsourcing arrangements (distinguishing between material and non-material). A format with guidance notes is included as the Appendix to the PRA draft supervisory statement in CP30/19. The FCA says they will consult on requiring an outsourcing register at some point in the future.
Redrafting policies usually takes firms 4-6 months from start to finish, and re-papering agreements can take any length of time, because reaching agreement always takes time. So if you do outsource, or plan to do so in future, then a quick check of what you might need to do could save you considerable effort in future.