Many banks, insurers, investment firms and other financial service providers are regulated by the Prudential Regulatory Authority (PRA), whose supervisory statement on outsourcing and third party risk (SS2/21) includes detailed rules for contracts between PRA-regulated entities and their suppliers. These rules come into effect on March 31, 2022.
SS2/21 sets out requirements that govern both outsourcing and other contracts. This is different from other regulatory regimes which tend to focus solely on outsourcing.
If a service provider provides services that are not generally considered outsourcing but are provided to customers regulated by the PRA, those services may still be covered by the PRA framework. The PRA expects controls over material non-outsourcing contracts to be “as robust” as those included in outsourcing contracts.
However, the extent to which the rules set out in SS2/21 apply to a contract is not the same for every contract. This will depend on whether the contract is for a tangible or intangible service. The level of risk associated with the contract will also be relevant in determining the extent to which it must comply with SS2/21.
Comply by when?
SS2/21 establishes different compliance timelines for new and existing contracts. Any contract concluded after March 31, 2021 will be considered a new contract and must comply with it by March 31, 2022.
“Old” contracts concluded before March 31, 2021 and which are not in conformity will have to be revised, but the date on which the modifications must be made is not fixed. The PRA has established that existing outsourcing contracts must be corrected “at the first appropriate contract renewal or revision…as soon as practicable on or after March 31, 2022”.
While this means these old contracts do not need to be reviewed until March 31, 2022, the PRA expects the financial services entities it regulates to put plans in place to review the contracts “as soon as possible” from that date.
What changes can we expect to see in contracts?
The PRA aims to mitigate the risks associated with financial services entities depending on third parties for operational functions. SS2/21 includes a series of requirements for contracts aimed at addressing the risks of operational disruption and other supplier performance failures.
Service levels and corrective actions
Contracts will need to be reviewed to determine whether or not they include service levels which are precise quantitative and qualitative measures of performance. These measures will need to be underpinned by clear notification requirements for providers to enable financial services entities to monitor performance and take corrective action if agreed service levels are not met.
The PRA is concerned with geographic risks that can arise when services or data are provided or stored outside the UK. To comply with PRA requirements, financial services entities will need visibility into the regions or countries from which services and data are provided or stored, and to be notified in advance of changes to these locations.
Data and cybersecurity
Like regulators in other jurisdictions, the PRA “encourages” the financial services entities it regulates to “consider global standards for ICT risk management”. It focuses on the overall security environment of ICT vendors. It expects robust security controls to be in place for data in transit, data in memory, and data at rest, and for encryption keys to be secure wherever encryption is needed.
Audit, Access and Cooperation
The PRA expects financial services entities to retain “full access and unrestricted rights for audit and information”. The purpose of these rights is to enable the entity to comply with its legal and regulatory obligations and to monitor the service contract.
There are also wider obligations for the regulated entity to ensure that it can provide the PRA with all the information it needs. The PRA may require financial services entities to “provide information or produce material relating to any matter”, and may require suppliers to such entities to provide directly to the PRA such information as it “considers relevant or likely to be relevant to the stability of the UK financial system”.
Subcontracting and fourth party risk
The PRA is particularly concerned about the risks of long supply chains and has introduced specific expectations around approval processes and contractor visibility. These expectations include confirming that vendors have strong testing and monitoring agreements in place with their contractors and that they can provide assurance that the financial services entity, as a client of the vendor, and the PRA, as the client’s regulator, will have “equivalent contractual access, audit and information” to the contractor’s premises, systems and information.
Business Continuity and Operational Resilience
The focus is clearly not only on developing, but also on testing business continuity plans. The PRA wants to ensure that financial services entities and their suppliers have in place and are testing their own business continuity plans and are taking reasonable steps to support the testing of each other’s plans as appropriate.
Business continuity plans and testing should focus on the potential for severe disruptions to operations. Financial services entities will focus on the practical aspects of the extent to which business continuity measures put in place by their suppliers support their own compliance with broader impact tolerance and operational resilience requirements.
Termination and exit
Although the PRA has not generally prescribed the circumstances under which it expects financial services entities to terminate agreements with suppliers, it has set specific expectations for the termination of contracts in the event of outsourcing failures. It expects these entities to terminate their contracts with suppliers if a subcontracting agreement materially increases the risk of the supplier agreement, or if a new subcontracting arrangement begins without the entity having been informed beforehand.
The PRA expects financial services entities to prepare for exits in stressful circumstances – for example, following the failure or insolvency of a supplier – as well as in non-stressful circumstances – where the relationship ends through a planned and managed process for business, performance or strategic reasons. As with business continuity plans, exit plans are expected to be tested.
Overlap with EBA and other frameworks
Regulatory compliance for financial services entities has become more complex in recent years. UK financial services entities need to consider not only the requirements of the PRA and the Financial Conduct Authority (FCA); where they do business in the EU, the regulatory frameworks put in place by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) may also be relevant.
In some EU countries, local regulators have also published their own locally applicable rules. Where this has occurred, additional requirements may also form part of the basis of change requests or terms of new contracts.
It is likely that operational resilience will continue to be a top concern for financial regulators in the years to come. This means that suppliers and service providers should expect regulatory frameworks to impose new requirements on regulated financial services entities, and that some of these requirements will flow down into their contracts.
In the UK, the PRA and FCA schemes come into full effect in 2025, although there are also significant deadlines along the way.
At EU level, a draft regulation on digital operational resilience for the financial sector is currently under negotiation. This draft regulation is likely to impose new requirements and possibly revise some of the existing ones.
These developments give suppliers good reasons to equip themselves to understand the changes in the current regulatory frameworks. A detailed understanding of these changes will help providers provide practical solutions to reassure their financial services customers that services are compliant with regulations.