The PRA’s supervisory statement
The Prudential Regulation Authority (PRA) has published a supervisory statement (SS) on outsourcing and third-party risk management. The SS complements and strengthens the PRA’s requirements and expectations regarding operational resilience.
The SS also aims to implement the European Banking Authority Guidelines (EBA Guidelines) on outsourcing arrangements that came into force on 30 September 2019, with a view to all existing arrangements becoming compliant with the EBA Guidelines by 31 December 2021. The PRA’s SS offers clarification on how it expects banks to approach the EBA Guidelines.
Due to come into effect on Thursday 31 March 2022, the SS is relevant to all UK banks, building societies, PRA-designated investment firms, insurers and UK branches of overseas banks and insurers. Accordingly, it aims to promote consistency among banks and insurers.
The PRA Rulebook defines ‘outsourcing’ as “an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself”. The PRA emphasises that firms should apply adequate governance and controls to all third-party arrangements, irrespective of whether they fall under the definition of outsourcing. Firms should pay particular attention to those arrangements that can impact their statutory objectives, such as those that support the provision of important business services or carry a high level of risk.
The SS sets out how PRA-regulated firms should comply with requirements and expectations:
- On governance, including under the Senior Managers and Certification Regime and record keeping.
- On how the principle of proportionality applies, in particular to intragroup outsourcing and to ‘non-significant firms’, where ‘significant’ firms are those with a supervisory contact who has indicated they are impact category 1 or 2 (paragraph 3.9 of the SS).
- During the pre-outsourcing phase.
- Prior to the outsourcing agreement being signed, firms are expected to:
- Determine the materiality of their outsourcing and third-party arrangements, including notification to the PRA where required
- Perform due diligence on all potential service providers
- Perform risk assessments irrespective of materiality