Both the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) require firms to identify and manage their risks. Over the years we’ve seen both regulators focus on outsourced and third party arrangements. Current efforts to build a more resilient financial services sector continue this theme both in the UK and overseas.


The regulators have been clear that operational resilience requires firms to adopt a holistic view of their operations.

In May 2021, Lyndon Nelson, Deputy CEO of the PRA, delivered a speech focusing on the outcomes of the operational resilience work, in which he stated:

Firms have a variety of stakeholders including investors, employees, regulators, government, society and customers. The aim of building a resilient financial services sector requires thought to be given to the inter-firm dependencies.

Firms cannot afford to work in silos as building a more robust financial services sector needs wider consideration.

As alluded to earlier, the financial services sector already has existing requirements relating to outsourced arrangements. In addition to the overarching Principles for Businesses, there are specific rules set out in the PRA’s Supervisory Statements and the Outsourcing Part of the PRA Rulebook, as well as the FCA’s outsourcing chapters in the Senior Management Arrangements, Systems and Controls sourcebook.

Third Party Arrangements:

We tend to refer to outsourcing arrangements in a general manner. Outsourcing is usually where a firm could conduct an activity in-house, but chooses to contract with another organisation to leverage its expertise or to manage costs and resources. In regulatory terms, it is usually the material outsourcing arrangements that gain attention.

However, it is possible to have key third party relationships that may not be classified as outsourcing, for example arrangements between firms and financial market infrastructures, or strategic partnerships with non-financial third parties. These third party providers could still support the delivery of important business services.

The focus for regulated firms now is to ensure that they identify these relationships and manage the associated third party risks within their operational resilience frameworks.

Whilst this may sound obvious, the FCA’s own research suggests that not all firms have thought about this. The FCA’s survey findings indicated that 50% of firms surveyed did not have a comprehensive list of their third party providers. (See our blog Operational Resilience: Is Outsourcing on your Radar?)

Points for firms to note:

  • The new operational resilience rules are meant to complement existing requirements.
  • Firms are reminded of their accountability regarding any outsourced or third-party arrangements. 

This links with the regulatory focus on governance and accountability within firms and the basis for the Senior Managers and Certification Regime (SM&CR). 

Steps for consideration:

Managing exposure to external risks requires collaboration and early engagement. Firms need to identify (a) their third party relationships and (b) those deemed to be material outsourcing arrangements, and then complete the following steps:

  • Demonstrate that they are following the relevant rules and guidance within their firms
  • Assess any third party arrangements and identify those that meet the definition of outsourcing
  • Apply regulatory obligations appropriate to the risk management of third party relationships (outsourced or not)
  • Apply the rules and guidance through the extended supply chain 

Assessing Third Party Arrangements: 

As part of the Operational Resilience workstreams, firms will have identified their important business services. Further consideration is needed to: 

  • Assess the due diligence process for third party providers so that it aligns with the materiality and risk assessment. Ensure this process also covers any sub-contracted providers
  • Manage relationships with the providers by clear ownership of the relationship, with good, open communication
  • Review the outcome of any monitoring or audits. Address any weaknesses and consider lessons from past events
  • Maintain an issues log and report timely and accurate data to management 

Firms will need to think about the specifics of operational resilience. Maintaining a good dialogue with third parties is key to better understanding their view of operational resilience and how it affects both parties. Early engagement helps firms and their providers understand what each other is doing, and helps coordinate work so that effort is not duplicated and delays are avoided where there are dependencies.

Regulated firms face the challenge of gaining assurance over outsourced and third party arrangements. For some firms, this will mean that they need to explain the regulatory requirements to non-financial providers.

Legacy Contracts: 

The PRA’s guidance on legacy outsourcing agreements is that those entered into prior to 31 March 2021 need to be reviewed and updated at the first appropriate contractual renewal point, or as soon as possible on or after 31 March 2022.

International Approaches: 

Looking further afield, we need to consider what is happening in other jurisdictions that might impact regulated entities.

Earlier in July, the US banking regulators issued their proposed guidance on third party risk management for public comment. The proposals are similar to the UK’s, highlighting the need for: risk identification; governance and oversight of third parties; due diligence on third parties; contractual arrangements; ongoing monitoring; and contingency planning to terminate relationships.

EBA Guidelines are echoed in the PRA’s supervisory statements relating to third party risk management. Principle 5 states: 

Principle 5: Banks should manage their dependencies on relationships, including those of, but not limited to, third parties or intragroup entities, for the delivery of critical operations. 

The EBA also encourages risk assessment and due diligence of third party providers, and requires banks to verify that a provider has at least an equivalent level of operational resilience to safeguard the bank’s critical operations. It too encourages contingency and exit planning.

Action required:

Early engagement is required of firms, not just to identify and review their third party arrangements, but to discuss vulnerabilities in processes. Building a good relationship with third parties will help with contractual renegotiations. It also aids understanding of the impacts upon Important Business Services and the identification of collective actions to respond to any issues.



Ruleguard hosts regular webinars on various subjects, including Operational Resilience.


How Ruleguard can help you:

Ruleguard can help firms to collate third party information in one secure environment, produce management information and provide reassurance to the Board.

Author: Head of Client Regulation | Ruleguard