Outsourcing and Third-Party Risk Management

The PRA and FCA are changing their rules from 31 March 2022. They say that you have less than 12 months to have identified “impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.”


That quote is quite a mouthful of regulatory-speak, which we will distil for you.


The regulators are updating their rules. They are doing this because there is a new world-wide approach to the regulation of outsourcing and third-party risk. These changes have come about because the way that regulated businesses operate has evolved since the rules were last changed, including many businesses now using the Cloud.



New Labels: Outsourcing | Third-Party Risk Management | Important Business Services


The term “outsourcing” has existed for decades in various rulebooks. The new labels we’re being introduced to reflect that not every provision of services by a third party is outsourcing. Arrangements in scope of the “outsourcing” definition might include surveillance of e-communications or portfolio management.


More recently the regulators have used the label “third-party risk management”. They use that label when they want to refer to arrangements that are not considered “outsourcing”, but which are subject to the general requirements about “outsourcing” arrangements such as governance, risk management, systems, and controls. Arrangements in scope of this definition might include the purchase of goods from a third-party supplier (i.e. procurement).


We now have the most recent new label, “important business services”. By this the regulators mean services which, if disrupted, could cause “intolerable harm to the consumers of those services or pose a risk to market integrity”. These services could range from off-the-shelf software that enables you to communicate with your clients through to price feeds, disruption to which could mean you are unable to continue valuing client portfolios.


By 31 March 2022, you need to identify your important business services.



What do I need to do?


First identify your important business services. Then you need to determine impact tolerances for those services. That means you need to work out how much disruption your business and its clients can tolerate. At what point does the disruption become too much to bear? That point is what the regulators are calling your impact tolerance.


Now you have that information you need to do some paperwork. This means documenting the people, processes, technology, facilities and information necessary to deliver those services.


With all that written up you need to come up with some scenarios so that you can test whether all those people, processes, technologies etc. can stay within the impact tolerance that you identified.


As you test your arrangements against your scenarios you need to work out who you need to be talking to as a situation develops. You should also think about what you learn from your scenario testing and update your battle plan as you learn.


The idea is that having done all of this you will have a much clearer picture of what is likely to trigger major disruption to your business, where those pinch points are and how to tackle them.


You need to do all of that as soon as possible after 31 March 2022, and no later than 31 March 2025.



Other rule changes


Most of the new rules are developments of, or updates to, existing requirements, as opposed to wholesale changes, but you will find the new rules more prescriptive on:

  • How materiality is assessed by using common criteria

  • Due diligence and risk assessment

  • Intra-group outsourcing

  • Your outsourcing policy, by itemising minimum contents, including governance

  • The written agreement with the service provider, by itemising minimum contents, including data security, access, audit and information rights, sub-outsourcing and business continuity and exit strategies.



Do we have to repaper?


Regulatory change projects that include repapering exercises can never start early enough because of the lead times in getting the other contracting party to agree and sign terms.


Start now by checking that you really can put your hands on a copy of the agreements in place with your service providers. We’ve had situations where the audit trail has let the firm down, the agreement itself is so old it adds very little, or the contracting parties were incorrect. Don’t make assumptions about what you have: make the checks and get something in place if you find gaps.


Outsourcing arrangements that you agreed on or after 31 March 2021 need to meet the new rules by 31 March 2022. Any existing outsourcing agreements that you agreed before 31 March 2021 will need to be reviewed and updated at the first opportunity. Note that this timeline is longer than the deadlines set by the EBA and is likely to differ from the deadline that the FCA is going to set.


Remember that if any of your service providers say that they cannot or will not agree to certain terms, then you will have to notify the regulators.



PRA Outsourcing Portal / Register


You are also expected to keep an Outsourcing Register. This is a list of all your outsourcing arrangements. You need to include details such as whether each arrangement is material or non-material. It should also include all your outsourcing to the Cloud.


Your register should be in place by 31 December 2021.


The PRA is planning to create an online portal for firms it regulates. The idea is that if you are regulated by the PRA, you will have to send information about your outsourcing and third-party arrangements to the PRA through that online portal.


More details to follow in a PRA consultation paper.



How we can help you


We provide how-to guides, checklists and training slides on Outsourcing which can be used as part of your preparation for the new regime and to check compliance against today’s requirements.
