In December 2019, the PRA issued Consultation Paper 30/19, the most significant shake-up of the UK regulatory requirements applicable to outsourcing arrangements since the introduction of the MiFID requirements into UK law and regulation (via the associated SYSC requirements) in 2007. The Consultation Paper brings together, and takes into account, a wide range of requirements and expectations in relation to:

  • The EBA Guidelines on Outsourcing Agreements;
  • the PRA's own Operational Resilience Consultation paper from earlier in 2019;
  • suggestions from the Bank of England's "Future of Finance" Report relating to the adoption of cloud and new technologies;
  • the EBA Guidelines on ICT and security risk management;
  • Solvency II;
  • the EIOPA guidelines on the System of Governance (EIOPA Governance Guidelines); and
  • the draft EIOPA Cloud Guidelines.

Significantly, it creates a single regime for banks and insurers, who were previously subject to separate elements of the SYSC requirements.

The Consultation Paper applies to:

  • banks, building societies and PRA-designated investment firms;
  • insurance and reinsurance firms and groups within the scope of Solvency II, including the Society of Lloyd's and managing agents; and
  • branches of overseas banks and insurers.

Many readers will be familiar with the requirements of the EBA's Guidelines on Outsourcing Arrangements and, specifically, the requirements to be addressed in the relevant outsourcing agreement itself. The Consultation Paper takes a similar approach, setting out requirements with regard to pre-contract considerations, requirements relating to the ongoing management of outsourcing arrangements, and specific provisions to be included in outsourcing agreements.

Significantly, the PRA's Consultation Paper contains subtle but important differences on a number of the key issues that have proven difficult to negotiate and conclude in outsourcing contracts as a result of implementing the EBA Guidelines, especially around subcontracting and audit. Conversely, the scope of the arrangements that could be considered "material" under the PRA's Consultation Paper is potentially much wider than under the EBA Guidelines, so that a broader class of outsourcing is caught by the Consultation Paper, with the associated need to address the relevant requirements. These are explored in more detail below.

The Consultation Paper does create an opportunity for firms to put forward their views on whether the positions set out in it are likely to be viable and achievable in negotiations. The consultation closes on Friday 3 April 2020.

The following table sets out the key points relevant to outsourcing agreements under both the existing EBA Guidelines on Outsourcing Arrangements and the PRA's Consultation Paper (CP30/19). For each issue, the EBA position is given first and the PRA position second.

Key concepts

When does it come into force?

  • EBA: 30 September 2019.
  • PRA: Consultation open until 3 April 2020.

To whom does it apply?

  • EBA: Broadly: credit institutions, meaning banks; MiFID investment firms; payment institutions and electronic money institutions.
  • PRA: Same as EBA, but also insurance and reinsurance firms and groups within the scope of Solvency II, and UK branches of overseas banks and insurers.

Does it cover intra group arrangements?

  • EBA: The Guidelines apply to intra group arrangements.
  • PRA: Principles apply on the same basis as if the service provider were outside the group, but requirements can be applied proportionately depending on the level of "control and influence" exercised by the customer. Outsourcing to an overseas intra group company needs to comply with UK legal and regulatory requirements.

To what does it apply?

  • EBA: Arrangements within the EBA's definition of "outsourcing": see definition below.
  • PRA: Arrangements within the PRA's definition of "outsourcing": see definition below.

How is "outsourcing" defined?

  • EBA: A provider which "performs a process, a service or an activity that would otherwise be undertaken by the [customer] itself". There should be some characteristic of recurrence or ongoing supply to help distinguish the service from purchasing. There is a list of arrangements that "as a general principle" would not be considered outsourcing.
  • PRA: The PRA Handbook defines outsourcing as "an arrangement of any form between a customer and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub outsourcing, which would otherwise be undertaken by the customer itself" [paragraph 2.1]. Additionally, there is an assumption that all activities, functions and services performed or provided by third parties in a "prudential context" are to be considered outsourcing. All the requirements of the Consultation Paper/Supervisory Statement (which it would become, if adopted) should be applied, depending on the relevant materiality (see below).

What is the materiality threshold?

  • EBA: Uses the term "critical or important". Certain requirements apply only to outsourcings that are critical or important.
  • PRA: Uses the term "material", leveraging the existing definition in the PRA Handbook. Additionally, arrangements will be automatically material if the service being outsourced involves an entire "regulated activity", eg deposit taking or effecting a contract of insurance as principal, or an "internal control" or "key function", unless the firm is satisfied that failure will not affect the relevant function. Certain requirements apply only to outsourcings that are material.

Application of the proportionality principle

  • EBA: In applying the requirements, the institution should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of its activities.
  • PRA: Firms are expected to meet the expectations in the CP/SS in a manner appropriate to their size and internal organisation and the nature, scope and complexity of their activities, in line with the principle of proportionality. Proportionality looks to the characteristics of the firm and its systemic importance; materiality is different, looking at the impact of the outsourcing on the regulated entity's operations.

Contractual requirements

The outsourcing agreement for critical or important (EBA) / material (PRA) functions should set out the following (note the differences in wording between the two regimes):

Services

  • EBA: A clear description of the outsourced function to be provided [75a].
  • PRA: A clear description of the outsourced function, including the type of support services [6.5].

Dates

  • EBA: The start date, end date and, where applicable, notice periods for both parties [75b].
  • PRA: The start date, next renewal date, end date and termination notice periods for both parties [6.5].

Law

  • EBA: Governing law [75c].
  • PRA: Court jurisdiction and governing law [6.5].

Charges

  • EBA: Financial obligations [75d].
  • PRA: Financial obligations [6.5].

Sub outsourcing

  • EBA: Whether the sub outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in s.13.1 to which the sub outsourcing is subject [75e].
  • PRA: Whether the sub outsourcing of a material function, or part thereof, is permitted and, if so, under which conditions [6.5].

Location

  • EBA: The location(s) (ie regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including a requirement to notify the customer if the provider proposes to change the location [75f].
  • PRA: The location(s) (ie regions or countries) where the material function or service will be provided and/or where relevant data will be kept and stored, processed or transferred, including a requirement for the provider to notify the customer in advance if it proposes to change the location [6.5].

Data

  • EBA: Where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, in accordance with the requirements of section 13.2 of the Guidelines [75g].
  • PRA: Provisions regarding the accessibility, availability, integrity, confidentiality, privacy and safety of relevant data [6.5].

Performance monitoring

  • EBA: Customer's right to monitor performance on an ongoing basis [75h].
  • PRA: Customer's right to monitor performance on an ongoing basis (by reference to key performance indicators (KPIs)) [6.5].

Service levels

  • EBA: Agreed service levels, which should include precise, quantitative and qualitative performance targets ... to allow timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met [75i].
  • PRA: Agreed service levels, which should include qualitative and quantitative performance criteria and allow for timely monitoring, so that appropriate corrective action can be taken if these service levels are not met [6.5].

Reporting obligations

  • EBA: Reporting obligations ... including provider communication of any development that may have a material impact on its ability to effectively carry out the critical or important function in line with the service levels, compliance with law and regulatory requirements and, as appropriate, obligations to submit reports of the provider's internal audit function [75j].
  • PRA: Reporting obligations ... including a requirement to notify the customer of any development that may have a material impact on the provider's ability to effectively perform the material function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements [6.5].

Insurance

  • EBA: Whether the provider should take out mandatory insurance against certain risks and, if applicable, the level of insurance cover requested [75j].
  • PRA: Whether the provider should take out mandatory insurance against certain risks and, if applicable, the level of insurance cover requested [6.5].

Business continuity

  • EBA: Requirements to implement, and also to test, business continuity plans [75l].
  • PRA: Requirements for both parties to implement and test business continuity plans, which should take account of firms' impact tolerances for important business services. This should include a commitment by both parties to support the testing of such plans [6.5].

Continued access to data

  • EBA: Provisions to ensure that the customer's data can be accessed in case of provider insolvency, resolution or discontinuation of business operations [75m].
  • PRA: Provisions to ensure that the customer's data can be accessed promptly in case of provider insolvency, resolution or discontinuation of business operations [6.5].

Co operation

  • EBA: Obligation on the provider to cooperate with regulators and resolution authorities, including others appointed by them [75n].
  • PRA: Obligation on the service provider to cooperate with the PRA and the Bank of England, including others appointed by them [6.5].

BRRD

  • EBA: Clear reference to the national authority's powers, especially art. 68 and 71 BRRD and, in particular, a description of the "substantive obligations" of the contract in the sense of art. 68 of the BRRD [75o].
  • PRA: For banks, a clear reference to the Bank of England's resolution powers, especially under s.48Z and 70C-D of the Banking Act 2009 (implementing art. 68 and 71 of the BRRD), and in particular a description of the "substantive obligations" of the written agreement in the sense of art. 68 [6.5].

Data security

  • EBA: Not included in the list of contractual requirements, but the Guidelines do require that service providers comply with appropriate IT security standards and, "where relevant", the customer should define data and system security requirements within the agreement and monitor compliance on an ongoing basis (s.13.2).
  • PRA: If relevant:
      • appropriate and proportionate information security related objectives and measures, including requirements such as minimum cybersecurity requirements, specifications of the customer's data life cycle, and any requirements regarding data security, network security and security monitoring processes; and
      • operational and security incident handling procedures, including escalation and reporting.

Termination

  • EBA: The termination rights specified in s.13.4 [75q]; see below. Additionally, institutions should have a documented exit strategy regarding critical or important functions, develop comprehensive documentation and share appropriate, sufficiently tested exit plans.
  • PRA: Termination and exit strategies covering both stressed and non stressed scenarios (which themselves are described in more detail in the Consultation Paper). Both parties should commit to take reasonable steps to support the testing of the customer's termination plans.

Termination and exit [1]

Termination rights

  • EBA: The outsourcing agreement should provide for the ability of the customer to terminate the outsourcing agreement in the case of:
      • provider breach of law, regulation or contract [98a];
      • where impediments capable of altering the performance of the outsourced function are identified [78b];
      • where there are material changes affecting the outsourcing arrangement or the provider (eg sub outsourcing or change of sub contractor) [98c];
      • where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information [98d]; and
      • on the instruction of the regulator [98e].
  • PRA: The Consultation Paper does not set out specific scenarios that should give rise to a right to terminate. It does, however, contain significant requirements regarding planning for exits/terminations and plans to ensure continuity during an exit transition, which will need to be taken into account in exit planning procedures.

Audit and inspection

Audit

  • EBA: The customer should ensure the agreement provides that the internal audit function is able to review the outsourced function using a risk based approach. Where the outsourcing is of a critical or important function, the agreement should ensure that the customer, regulators, resolution authorities, and others appointed by the customer or regulator [87] are granted:
      • "full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors" [87a]; and
      • "unrestricted rights of inspection and auditing related to the outsourcing arrangement to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements".
  • PRA: The regulated firm must take "reasonable steps to ensure" that the agreement provides audit rights to customers, their auditors, the PRA and the Bank of England (as resolution authority) and any other person appointed by the customer, PRA or Bank of England [8.3]. The right to audit should include unrestricted access, audit and information rights to enable firms to comply with legal and regulatory obligations, and to identify, monitor and manage risks relating to the arrangement, which should include where relevant:
      • data, devices, information, systems and networks used for providing the outsourced service or monitoring its performance. This should include, where relevant, the firm's ability to carry out security penetration testing on its applications, data and systems to "assess the effectiveness of implemented cyber and internal IT security measures and processes";
      • company and financial information; and
      • the provider's external auditors, personnel and premises [8.4].

Sub outsourcing

For sub outsourcing of critical or important (EBA) / material (PRA) functions, the agreement should set out:

Permission

  • EBA: Whether or not the sub outsourcing of critical or important functions (or material parts) is permitted [76], and which activities are excluded from sub outsourcing [78a].
  • PRA: Whether or not material sub outsourcing is permitted, and any activities that cannot be sub outsourced [9.8].

Conditions

  • EBA: The conditions to be complied with in the case of sub outsourcing [78b].
  • PRA: The conditions to be complied with in the case of permissible sub outsourcing, including the following [9.8]:

Oversight

  • EBA: That the provider is obliged to oversee those services that it has sub contracted [2] to ensure that the contractual obligations between the provider and customer are continuously met [78c].
  • PRA: That the provider is obliged to oversee those services that it has sub contracted [3] to ensure that all contractual obligations between the provider and customer are continuously met [9.8].

Consent

  • EBA: That the provider must obtain prior specific or general written authorisation before sub outsourcing data [78d].
  • PRA: That the provider must obtain prior specific or general written authorisation from the customer before transferring data (see art. 28 GDPR) [9.8].

Prior notification

  • EBA: That the provider must notify the customer of planned or material changes to sub outsourcing (including changes of sub contractor or the notification period), and the notice period to allow the customer to carry out a risk assessment and object before changes come into effect [78e].
  • PRA: That the provider must inform the customer of any planned or material changes to sub outsourcing (including changes of sub contractor or the notification period), and the notice period to allow the customer to carry out a risk assessment and object before changes come into effect [9.8].

Right to object

  • EBA: Ensure, where appropriate, that the customer has the right to object to intended sub outsourcing or material changes, or that explicit approval is required [78f].
  • PRA: Ensure that, where appropriate, customers have the right to explicitly approve or object to the intended sub outsourcing or material changes thereto [9.8].

Termination

  • EBA: Ensure the customer has the contractual right to terminate for "undue" sub outsourcing (NB this means without advance notice or where the sub outsourcing materially increases risk) [78g].
  • PRA: Ensure the customer has the contractual right to terminate the agreement in specific circumstances, eg where the sub outsourcing materially increases the risks for the customer or where the provider sub outsources without notifying the customer [9.8].

Firms should only agree to sub outsourcing if:

Compliance with law and contract

  • EBA: the sub contractor undertakes to comply with all applicable laws, regulatory requirements and contractual obligations [79a].
  • PRA: sub outsourcing service providers undertake to comply with all applicable laws, regulatory requirements and contractual obligations [9.6].

Audit

  • EBA: the sub contractor must grant the customer and competent authority the same contractual rights of access and audit as those granted by the provider [79b].
  • PRA: sub outsourcing service providers undertake to grant the customer, Bank of England and PRA equivalent contractual access, audit and information rights to those granted by the provider [9.6].

Footnotes

1. These EBA requirements, read in isolation, seem to apply to all outsourcings but, in fact, are requirements flowing from 75q (critical or important outsourcing agreements).

2. Note the change in terminology to sub contracting (not sub outsourcing).

3. As footnote 2.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.