Clifford Chance

The PRA's latest consultation paper on outsourcing and third-party risk management (CP 30/19, the "CP") belongs to a suite of recent proposals aimed at strengthening operational resilience in the financial services industry and modernising the regulatory framework on outsourcing.

Financial institutions are increasingly taking advantage of sophisticated cyber solutions and cloud outsourcing platforms – and these proposals highlight the need for insurers to engage and invest in the technical side of outsourcing oversight as part of any digital transformation strategy.

The CP and accompanying draft supervisory statement were published on 5 December 2019 and apply to all UK-established (re)insurers, UK branches of overseas (re)insurers, Lloyd's and its managing agents. They build on several UK and EU initiatives to tackle technology risk, namely the European Banking Authority ("EBA") Guidelines on Outsourcing Arrangements, the European Insurance and Occupational Pensions Authority ("EIOPA") draft guidelines on outsourcing to cloud service providers and the EBA Guidelines on ICT and Security Risk Management (which apply from 30 June 2020).

The CP is split into chapters which cover a range of topics – from data security to business continuity, governance, audit and information rights. The PRA's underlying message is clear – namely that outsourcing is no "easy fix" and a robust framework must exist to manage third-party dependencies, so firms can continue delivering critical business services during operational disruptions. The proposals:

• require more oversight over sub-outsourced service providers to counteract risks inherent in large sub-outsourcing chains and/or complex interdependencies between firms and service providers;
• require a firm's outsourcing exit plan to account for so-called "stressed exits" – focusing on business continuity, termination rights, data security and off-boarding of data;
• introduce governance and book-keeping measures to enhance existing requirements, including a new requirement to maintain an outsourcing register; and
• provide much-needed guidance on the proportionality principle used when applying the rules to intra-group outsourcing.

The CP, if implemented as currently drafted, may require firms to consider a number of issues.

The spotlight on sub-outsourcings raises questions around how control and responsibility for sub-outsourcing will be allocated between firms and service providers. Firms will likely need to identify clear contractual and operational responsibilities to demonstrate compliance with the regulatory requirements.

The CP presents additional challenges when considered alongside the requirements of the operational resilience proposals, such as the obligation to conduct mapping exercises to identify vulnerabilities in the delivery of important business services. For firms that use third parties to deliver key business services, it may be challenging to test how successfully such third parties will react to incidents.

Relevant stakeholders can comment on the CP until the consultation process closes on 3 April 2020. Whilst the proposals are yet to be finalised, they are consistent with the Regulators’ stated view that operational resilience is now a priority equivalent in significance to financial stability. Firms could therefore benefit from thinking about how to comply with these proposals early on.

This article first appeared in Insurance Day