Updated: Jul 19
With the publication of final policy statements there is a clear message that firms must look externally at third party relationships as part of their Operational Resilience framework. The requirements are designed to promote stronger and more effective governance of Operational Resilience as well as increase co-operation between market participants.
An operationally resilient firm must have a comprehensive understanding and mapping of the resources that support their business services. This includes those outsourced and third-party services over which the firm may not have direct control.
This requires a move away from traditional analysis of process and control failures. Instead of risk management in silos, firms must take an external review of potential threats and how these could impact broader stakeholders. Firms need to consider clients, industry players and regulators as well as any cross border threats and impacts.
The PRA outlined its approach to outsourcing and third party risk management in PS7/21. It builds upon existing requirements set out in the PRA Rulebook as well as Guidelines issued by European bodies including the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). The PRA expects firms to assess the materiality and risks of all third party arrangements using all relevant criteria, irrespective of whether such arrangements fall within the definition of outsourcing.
Meanwhile the FCA reminded firms of their current obligations under Principles 3 and 11 as well as MiFID II, SYSC 8 and SYSC 13. Firms must manage their affairs in a prudent manner and avoid undue operational risk. The FCA repeated the PRA's guidance that firms should follow the EBA Guidelines.
The FCA’s cross-sector survey from 2017-18 provides some context for consideration.
The cross sector survey identified a number of weaknesses:
Concentration risk, where the sector is reliant on a small number of key suppliers, which could prove difficult to substitute.
Technology advancements are beneficial, but develop so quickly that it may be difficult to maintain an understanding of the risks posed.
Lack of oversight of supplier relationships, where firms need to understand the arrangements in place as well as any related subcontracting to third parties and the creation of long and complex chains.
Lack of governance where firms fail to understand risks and monitor the effectiveness of controls.
What should firms do?
All firms within scope must identify their third party relationships. SS2/21 sets out that firms should assess the materiality and risks of all third party arrangements using all relevant criteria.
Firms need to identify (a) third party relationships and (b) those deemed to be material outsourcing arrangements and complete the following steps:
Demonstrate that they are following the relevant rules and guidance within their firms
Assess any third party arrangements and identify those that meet the definition of outsourcing
Apply regulatory obligations appropriate to the risk management of third party relationships (outsourced or not)
Apply the rules and guidance through the extended supply chain
Where a third party uses sub-contractors, regulated firms are expected to ensure that the third party has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s outsourcing policy. This includes establishing that the service provider has in place robust testing, monitoring and control over its sub-outsourcing.
Collation and analysis of such data should enable a firm to determine that third parties will not limit its ability to remain within its impact tolerance for an Important Business Service.
The PRA has indicated that it does not expect firms to directly monitor fourth parties in all circumstances. However, when entering into a material outsourcing agreement, firms should consider the potential impact of large, complex sub-outsourcing chains on their operational resilience. Banks should keep a register of all outsourcing arrangements; similar requirements apply to insurers.
Firms should note that the PRA is planning a follow-up consultation setting out detailed proposals for an online portal. Firms would submit certain information on their outsourcing and third party arrangements, or a subset, such as those deemed material.
Governance and Risk Management:
Final policies and statements have repeated the message that regulated firms retain full responsibility and accountability for discharging all their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third-party. This oversight and accountability is aligned with the Senior Managers & Certification Regime. Boards must understand the risks posed from third party arrangements and consider the impact upon their important business services.
Another important aspect of governance relates to organisations which may have intra-group outsourcing. In some cases this might include cross-border outsourcing to parent companies outside the UK. These relationships are subject to the same requirements as outsourcing to an external third-party and are not to be treated as being inherently less risky. Firms may consider the extent to which they can exert influence and the control they have over their third-parties, where those parties are members of the same group.
Given the above, firms cannot ignore the potential impacts of outsourcing and other third-party service provision upon their Operational Resilience.
Ruleguard hosts regular events on a variety of topics including Operational Resilience: an Overview.
How Ruleguard can help you:
Ruleguard can help firms to collate third party information in one secure environment and facilitate management information and provide reassurance to the Board. Get in touch with the Ruleguard team to learn more.