Outsourcing and third-party risk management in a pandemic

Simmons & Simmons partners Rosali Pretorius, Hinal Patel, James Cotter and associate Rebecca Heller report on the firm’s recent virtual roundtable – which discussed a PRA consultation paper on outsourcing and third-party risk management, and lessons that can be learned from operating in the current much-altered conditions.

The roundtable, conducted under the Chatham House Rule with several market participants and financial regulators, took place on 5 May.

Participants discussed a consultation paper on outsourcing and third-party risk management issued by the UK’s Prudential Regulation Authority (PRA) in December. The paper is still open for consultation responses until October after the regulator extended the consultation period in March.

The PRA extended the consultation for two reasons. Firstly, individuals in firms who were most likely to be feeding into the response to the paper were also likely to be responsible for, or at the very least heavily involved in, the firm’s direct response to the pandemic.

Secondly, extending the consultation period allows firms to share learnings from their response to the pandemic with the PRA and flag issues that they experienced during this time. In addition to the proposals in the consultation paper, it is likely that firms’ experience of dealing with the pandemic will inform the final supervisory statement.

Although the key driver for the consultation paper was operational resilience, participants noted that the financial resilience of third parties is a key element in the current crisis and should not be overlooked. Particularly, there is a danger of third-party suppliers running out of money due to the protracted nature of the pandemic.

A specific issue relates to access and audit rights. In the current situation, firms are concerned with monitoring critical third-party service providers’ continuity plans and performance. These service providers are, in turn, focusing on navigating the challenges created by the pandemic. The proposals in the PRA paper, for instance on pooled audits and third-party certification, might helpfully serve as a forum for firms to share emerging solutions on how to secure and exercise effective and proportionate access and audit rights in these scenarios.

The pandemic has also heightened the acceleration towards technological solutions and participants said there is a need to have a regulatory discussion that considers the impact of this acceleration on financial stability and concentration risk.

The consultation’s expanded time frame offers firms the opportunity to share how they managed governance in practice for the purpose of the Senior Managers and Certification Regime (SMCR) and governance arrangements, and what they would look to put in place going forward. As noted in the 3 April Joint PRA/FCA statement on the application of the SM&CR during COVID-19, the PRA does not require or expect firms to designate a single senior management function (SMF) to be responsible for all aspects of their response to covid-19.


Outsourcing agreements and covid-19

Participants in the roundtable discussed a variety of issues arising out of outsourcing agreements during the crisis, including data security concerns arising as service provider staff accessing sensitive data move to working from home.

Another issue that has been prevalent, particularly with offshore contact centres in jurisdictions such as India, has been where service providers have been invoking force majeure clauses unless the service levels and data security requirements can be relaxed.

Participants also raised record-keeping, warning that it risked being overlooked as service providers and firms have needed to respond and adapt quickly, implementing alternative ways of working, and prioritising service continuity.

Looking ahead, demand for flexible working means that there will be an acceleration towards cloud adoption. In many respects, this is positive from an operational resilience perspective as it should put firms in a stronger position for future disruption events.

When it comes to sub-outsourcing, there is a recognition in the market, and by regulators, that supply chain management is difficult and that it cannot be effectively managed by contractual means. However, there do need to be contractual safeguards in place to manage the risks.

Third parties, access and audit rights

Firms are having challenging discussions with vendors in relation to audit rights and access rights. Therefore, clarity from the PRA as to what they expect to see in relation to access and audit rights would be very welcome. There was discussion that perhaps this should go beyond a contractual right and instead key service providers could be subject to regulation in relation to this.

Firms are also considering issues around concentration risk and critical third parties in order to feed into the consultation responses. A trilateral dialogue with the PRA which involves these critical third-party service providers would be a useful exercise.

Global regulatory consistency

Regulators around the world, including in Singapore, the United States and Europe, are engaging with one another to inform their supervisory approach and policies. The European Commission is also consulting on a potential direct oversight framework for critical technology providers to financial institutions. There have also been interactions with global standard-setting bodies, such as Basel and the Financial Stability Board. Participants said the UK’s evolving policy on operational resilience and third-party risk management could provide thought leadership.

Shared services companies

The discussion referenced the Financial Stability Board (FSB) guidance on using intragroup shared service companies as a mechanism to facilitate operational continuity in resolution. It was noted that there were certain power dynamics in the group context: in most cases where a subsidiary is providing services to a parent company, the ability to control and influence decisions of a parent company can be limited. On the other hand, where a parent is receiving services from a subsidiary the control is absolute. Where services are provided by a third-party service provider, the power dynamic is more horizontal, which is preferable from an operational resilience perspective.

Data localisation

The granularity of data localisation arrangements has been the subject of global discussion. Firms should be looking to balance the risks and rewards of having their data stored or transferred through multiple locations. Factors that may impact a firm’s risk-based decision include the legal, political and regulatory environment in their home and other jurisdictions, versus the potential resilience advantages of having their data dispersed across geographies.

Outsourcing register

The discussion identified the need to move away from existing narrow definitions of ‘outsourcing’ – ideally firms should be looking to understand the risks associated with all relevant third party arrangements with a potential impact on their safety and soundness, and not just those within the definition of “material outsourcing”. Participants noted that a more holistic approach towards third-party risk management had been taken by the G7 in its Fundamental Elements on Third Party Cyber Risk Management in the Financial Sector, and by the EBA in its recent ICT Guidelines on Outsourcing. Rather than focusing on the definitions, firms should take into account the materiality of their third-party relationships, also taking into account the principle of proportionality.

In terms of a threshold for determining when to include a third party on the Register, being too prescriptive on this could leave blind spots. Instead firms should be looking to focus on materiality, rather than a set threshold.

Lessons learned

Firms are looking to engage proactively with the consultation paper and to draw upon lessons learned from the pandemic to inform their response. This will ensure that the resulting supervisory statement is an accurate reflection of the industry’s views and experiences.

This article is adapted for GBRR from one originally published on Simmons & Simmons’ website here.

Get unlimited access to all Global Banking Regulation Review content