PRA Consultation Paper On Outsourcing And Third Party Risk Management: CP30/19

Author: Mr Duncan Pithouse and Kit Burden
Profession: DLA Piper

In December 2019, the PRA issued Consultation Paper 30/19, the most significant shake-up of the UK regulatory requirements applicable to outsourcing arrangements since the introduction of the MiFID requirements into UK law and regulation (via the associated SYSC requirements) in 2007. The Consultation Paper brings together, and takes into account, a wide range of requirements and expectations in relation to:

the EBA Guidelines on Outsourcing Agreements; the PRA's own Operational Resilience Consultation paper from earlier in 2019; suggestions from the Bank of England's "Future of Finance" Report relating to the adoption of cloud and new technologies; the EBA Guidelines on ICT and security risk management; Solvency II; the EIOPA guidelines on the System of Governance (EIOPA Government Guidelines); and the draft EIOPA Cloud Guidelines.

Significantly, it creates a single regime for banks and insurers, who were previously subject to separate elements of the SYSC requirements.

The Consultation Paper applies to:

banks, building societies and PRA-designated investment firms; insurance and reinsurance firms and groups within the scope of Solvency II, including the Society of Lloyd's and managing agents; and branches of overseas banks and insurers.

Many readers will be familiar with the requirements of the EBA's Guidelines on Outsourcing Arrangements and, specifically, the requirements to be addressed in the relevant outsourcing agreement itself. The Consultation Paper takes a similar approach, setting out requirements with regard to pre-contract considerations and the ongoing management of outsourcing arrangements, together with specific provisions to be included in outsourcing agreements.

Significantly, the PRA's Consultation Paper contains subtle but important differences on a number of the key issues that have proven difficult to register and conclude in outsourcing contracts as a result of implementing the EBA Guidelines, especially around subcontracting and audit. Conversely, the scope of the arrangements that could be considered to be "material" under the PRA's Consultation Paper is potentially much wider than under the EBA Guidelines, providing, therefore, for a broader class of outsourcing to be caught by the Consultation Paper, and the associated need to address the relevant requirements. These are explored in more detail below.

The Consultation Paper does create an opportunity for firms to put forward their views on whether the positions set out in it are likely to be viable and achievable in negotiations. The consultation closes on Friday 3 April 2020.

The following table sets out the key points relevant to outsourcing agreements in relation to both the existing EBA Guidelines on Outsourcing Agreements and the PRA's Consultation Paper.


Key concepts

When does it come into force?
EBA Guidelines on Outsourcing Agreements: 30 September 2019
PRA Consultation (CP30/19): Consultation open until 3 April 2020.

To whom does it apply?
EBA Guidelines on Outsourcing Agreements: Broadly: credit institutions meaning banks; MiFID investment firms; payment institutions and electronic money institutions.
PRA Consultation (CP30/19): Same as EBA but also insurance, reinsurance firms and groups within scope of Solvency II; and UK branches of overseas banks and insurers.

Does it cover intra group arrangements?
EBA Guidelines on Outsourcing Agreements: The guidelines apply to intra group arrangements.
PRA Consultation (CP30/19): Principles apply on same basis as if service provider was outside the group but requirements can be applied proportionately depending on level of "control and influence" exercised by customer. Outsourcing to an overseas intra group company needs to comply with UK legal and regulatory requirements.

To what does it apply?
EBA Guidelines on Outsourcing Agreements: Arrangements within the EBA's definition of "outsourcing": see definition below.
PRA Consultation (CP30/19): Arrangements within the PRA's definition of "outsourcing": see definition below.

How is "Outsourcing" defined?
EBA Guidelines on Outsourcing Agreements: A provider which "performs a process, a service or an activity that would otherwise be undertaken by the [customer] itself". There should be some characteristic of recurrence or ongoing supply to help to distinguish the service from purchasing. There is a list of arrangements that "as a general principle" would not be considered outsourcing.
PRA Consultation (CP30/19): PRA Handbook defines outsourcing as: "an arrangement of any form between a customer and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub outsourcing, which would otherwise be undertaken by the customer itself" [paragraph...
