Eversheds Sutherland Financial Services: EBA Outsourcing Guidelines Webinar

27-10-2020

Introduction

On 9 September 2020, Eversheds Sutherland hosted a webinar to discuss the PRA’s consultation paper on outsourcing and third party risk management, which was published on 5 December 2019 (the “consultation paper”).

The webinar was led by Simon Gamlin, Partner and Head of the Technology Group at Eversheds Sutherland. Simon was joined by Orlando Fernandez (Senior Technical Specialist in the Governance, Remuneration and Controls team in the Bank of England’s Prudential Policy Directorate); Lizzie Gilbert (Senior Associate in the Governance, Remuneration and Controls team in the Bank of England’s Prudential Policy Directorate); Ian Burgess (Director at UK Finance); and Eve England (Partner in the Eversheds Sutherland Financial Institutions Group).

Overview

The panel provided their individual insights on the consultation paper, and addressed specific questions raised by the attendees around subjects such as the scope of application beyond material outsourcings and how firms should approach third party risk management more generally in the wider context of achieving sector wide operational resiliency.

Orlando Fernandez and Lizzie Gilbert provided delegates with an overview of the consultation paper’s primary objectives for:

• complementing the UK’s evolving framework on operational resilience;

• addressing a number of the recommendations in the Future of Finance Report, which contained recommendations on the sustainable and safe adoption of cloud computing;

• being cognisant of the perils of regulatory fragmentation with an increasingly complex regulatory regime; and

• providing a one stop source of reference on the PRA’s regulatory framework on outsourcing.

Ian Burgess identified UK Finance members’ interests in understanding the following areas:

• how the consultation paper links with the operational resilience consultation papers and EBA guidelines;

• the recent BCBS publication;

• definitions and scope in areas such as “materiality”, “proportionality”, the definition of outsourcing and the difference between sub-outsourcing and sub-contracting; and

• how the consultation paper could be applied to non-category one firms (those that are not multinational banks, which do not have the same scale or material impact on financial services and do not have the same coverage with the large technology providers).

Eve England identified that the wholesale increase in technology procurements has placed particular pressure on in-house legal teams, raising specific challenges around how to assess, and more importantly document, compliance with an increasingly complex regulatory regime.

Summary of key issues and themes discussed

The following represents an overview of the key issues and themes discussed by the panel during the session:

1. Examples of good practices in the management of third party risk

The panel identified that one of the key drivers of success in managing third party risks is firms adopting a holistic approach to their third party programmes and avoiding operating in silos. It was also noted that having “living” business contingency and exit plans that are regularly refreshed, updated and tested is critical to helping firms focus on foreseeing risks in the context of the firm’s impact tolerances. It is not about ensuring perfection after an operational outage, but identifying how services can be delivered

2. How regulators can help firms to manage the increasingly complex and overlapping regulatory regime applicable to outsourcing and third party activity

The PRA is mindful of the practical challenges of potential regulatory fragmentation in the area of outsourcing and third-party risk management and tries to promote greater consistency and the dissemination of best regulatory practice in its engagement with international standard-setting bodies (e.g. BCBS, FSB).

In respect of the proposed definition of, and regulatory approach to, “outsourcing” and third-party risk management, the PRA’s consultation proposes that firms should appropriately manage the risks in all third-party arrangements that can impact their operational resilience, irrespective of whether they meet the existing definition of “outsourcing”, which may not necessarily capture all relevant third-party arrangements. The concepts of “materiality” and “proportionality” should ideally be applied to all third-party arrangements. However, it does not necessarily follow that firms should manage their material “outsourcing” and “other third-party” arrangements identically. Tailored, equivalent and proportionate approaches might be more appropriate, and the PRA would welcome practical examples of these approaches in firms’ responses to its consultation.

3. Remediating contracts and assessing the wider commercial arrangement

The remediation of contracts subject to enhanced compliance requirements, such as the EBA Guidelines, will extend beyond the contractual terms. Firms will also need to consider whether the commercial package of the agreement provides sufficient comfort and recourse should any service issues arise.

Firms must consider what rights of redress the firm has, and what controls are in place to help it manage and appropriately supervise the service provider’s performance. Such remediation will inevitably involve a holistic review across the entire commercial agreement, and gives the firm the opportunity to fully assess the risks associated with these arrangements so that it can either limit its exposure or otherwise tolerate and document any residual risk.

4. The regulator’s approach to concentration risk

Having visibility on a firm’s third party dependencies early on will help the PRA to identify cross-sector vulnerabilities and to mitigate any identifiable risk areas.

In respect of sub-contracting, direct contractual dependencies between institutions and providers are increasing, but so too are indirect dependencies, for example in SaaS arrangements. Having visibility of the different concentrations, direct and indirect, is a key focus area for regulators, but there are inevitable challenges where many service providers are unwilling to disclose relevant interdependencies.

5. Challenges of reconciling the EBA and consultation paper requirements particularly on audit, sub-outsourcing and exit in relation to cloud

The differing categorisation of contracting models is one example of why the definition of outsourcing is not always helpful. The legalistic view when looking at the EBA guidelines is that all cloud arrangements are treated as outsourcing. A preferable approach is to focus on the “materiality” of cloud arrangements and implement appropriate controls, without unduly focusing on whether a given arrangement meets the existing definition of “outsourcing” or not.

This approach will drive an elevation in governance and resiliency standards across the industry, and regulators will look to firms for evidence of how technological advances, for example, could be used to facilitate better ways of ensuring compliance across these areas in the future.

Concluding remarks

The panel reflected that firms are facing increasing challenges in navigating and demonstrating compliance with an increasingly complex regulatory regime, and encouraged all delegates to submit their responses to the consultation paper by the 1 October 2020 closing date.