Author: AxiomHQ – axiomhq.com
Both the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) require firms to identify and manage their risks. Over the years we’ve seen both regulators focus on outsourced and third-party arrangements. Current efforts to build a more resilient financial services sector continue this theme both in the UK and overseas.
The regulators have been clear that operational resilience requires firms to adopt a holistic view of their operations.
In May 2021, Lyndon Nelson, Deputy CEO of the PRA, delivered a speech focusing on the outcomes of the operational resilience work, in which he stated:
One of the benefits of not being prescriptive and following an outcomes-based approach is that firms do not waste time. This way of thinking applies to other policies such as outsourcing and the use of third parties – we want firms to show us that they understand their risks and spend their energy and resources addressing them.
(May 2021, Deputy CEO of the PRA, Lyndon Nelson)
Firms have a variety of stakeholders including investors, employees, regulators, government, society and customers. The aim of building a resilient financial services sector requires thought to be given to the inter-firm dependencies.
Firms cannot afford to work in silos as building a more robust financial services sector needs wider consideration.
As alluded to earlier, the financial services sector already has existing requirements relating to outsourced arrangements. In addition to the overarching Principles for Businesses, there are specific rules set out in the PRA’s Supervisory Statements and the Outsourcing Part of the PRA Rulebook, as well as the FCA’s outsourcing chapters in the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook.
Third Party Arrangements:
We tend to refer to outsourcing arrangements in a general manner. Outsourcing is usually where a firm could conduct an activity in-house but chooses to contract with another organisation to leverage its expertise or to manage costs and resources. In regulatory terms, it is usually the material outsourcing arrangements that gain attention.
However, it is possible to have key third-party relationships that may not be classified as outsourcing, for example arrangements between firms and financial market infrastructures, or strategic partnerships with non-financial third parties. These third-party providers could support the delivery of important business services.
The focus for regulated firms now is to ensure that they identify these relationships and manage the associated third-party risks within their operational resilience frameworks.
Whilst this may sound obvious, the FCA’s own research suggests that not all firms have thought about this. The FCA’s survey findings indicated that 50% of firms surveyed did not have a comprehensive list of their third-party providers. (See our blog Operational Resilience: Is Outsourcing on your Radar?)
Points for firms to note include that:
- The new operational resilience rules are meant to complement existing requirements.
- Firms are reminded of their accountability regarding any outsourced or third-party arrangements.
This links with the regulatory focus on governance and accountability within firms and the basis for the Senior Managers and Certification Regime (SM&CR).
Steps for consideration:
Managing exposure to external risks requires collaboration and early engagement. Firms need to identify (a) their third-party relationships and (b) those deemed to be material outsourcing arrangements, and complete the following steps:
- Demonstrate that they are following the relevant rules and guidance within their firms
- Assess any third-party arrangements and identify those that meet the definition of outsourcing
- Apply regulatory obligations appropriate to the risk management of third-party relationships (outsourced or not)
- Apply the rules and guidance through the extended supply chain
Assessing Third Party Arrangements:
As part of the Operational Resilience workstreams, firms will have identified their important business services. Further consideration is needed to:
- Assess the due diligence process for third-party providers to ensure it aligns with the materiality and risk assessment. Ensure this process also covers any sub-contracted providers
- Manage the relationship with providers through clear ownership of the relationship and good, open dialogue
- Review the outcome of any monitoring or audits. Address any weaknesses and consider lessons from past events
- Maintain an issues log and report accurate and timely data to management
Firms will need to think about the specifics of operational resilience. Maintaining a good dialogue with third parties is key to a better understanding of their perception of operational resilience and how it affects both parties. Early engagement helps each firm understand what the other is doing and helps coordinate work, avoiding duplicated effort and delays where there are dependencies.
Regulated firms face the challenge of gaining assurance over outsourced and third-party arrangements. For some firms, this will mean that they need to explain the regulatory requirements to non-financial providers.
The PRA’s guidance on legacy outsourcing agreements is that those entered into prior to 31 March 2021 need to be reviewed and updated at the first appropriate contractual renewal point, or as soon as possible on or after 31 March 2022.
Looking further afield, we need to consider what is happening in other jurisdictions that might impact regulated entities.
Earlier in July, the US banking regulators issued their proposed guidance on third-party risk management for public comment. The proposals are similar to the UK’s, highlighting the need for risk identification; governance and oversight of third parties; due diligence on third parties; contractual arrangements; ongoing monitoring; and contingency planning to terminate relationships.
EBA Guidelines are echoed in the PRA’s supervisory statements relating to third party risk management. Principle 5 states:
Principle 5: Banks should manage their dependencies on relationships, including those of, but not limited to, third parties or intragroup entities, for the delivery of critical operations.
The EBA also encourages risk assessment and due diligence of third-party providers, and requires banks to verify that the provider has at least an equivalent level of operational resilience to safeguard a bank’s critical operations. It too encourages contingency and exit planning.
Early engagement is required by firms, not just to identify and review their third-party arrangements, but to discuss vulnerabilities in processes. Building a good relationship with third parties will help with contractual renegotiations. It also aids understanding of the impacts upon their Important Business Services and identifies collective actions to respond to any issues.
Axiom HQ is hosting a series of webinars on the theme of Operational Resilience.