Operational resilience - outsourcing and third party risk management
We set out the key points arising from a recent virtual roundtable which focused on outsourcing and third party risk.
On 5 May 2020, Simmons & Simmons hosted a virtual round table discussion with several market participants and financial regulators to discuss the PRA's consultation paper on outsourcing and third party risk management, and the lessons that can be learned from operating in the current, much altered conditions. In this note, we set out the key points arising out of the discussion.
COVID-19 related issues arising under outsourcing agreements:
- Force majeure clauses: service providers have been invoking force majeure clauses unless service levels and data requirements can be relaxed. The issue has been most prevalent with offshore contact centres in jurisdictions such as India.
- Accessing sensitive data: as staff are required to work from home, data security has also been an issue.
- Record keeping: as service providers and firms have needed to respond and adapt quickly, implementing alternative ways of working, it has been important to prioritise service continuity. This risks ancillary obligations, such as record keeping, being completely overlooked.
- Cloud adoption: looking ahead, demand for flexible working means that there will be an acceleration towards Cloud adoption. In many respects, this is positive from an operational resilience perspective, as it should put firms in a stronger position for future disruption events.
The Consultation Paper (CP) and COVID-19:
- Extension of the consultation period for the CP: this was for two reasons: (1) the individuals in firms most likely to be feeding into the response to the CP were also likely to be responsible for, or at the very least heavily involved in, the firm's direct response to the pandemic; and (2) extending the consultation period allows firms to share learnings from their response to the pandemic with the PRA and to flag issues they experienced during this time in their CP response. In addition to the proposals in the consultation paper, it is likely that firms' experience of dealing with the pandemic will inform the final supervisory statement.
- Financial resilience: although the key driver for the CP was operational resilience, the financial resilience of third parties is a key element in the current crisis and should not be overlooked. In particular, there is a danger of third party suppliers running out of money due to the protracted nature of the pandemic.
- Access and audit rights: in the current situation, firms are concerned with monitoring the continuity plans and performance of critical third party service providers. These service providers are, in turn, focusing on navigating the challenges created by the pandemic. The proposals in the CP (e.g. on pooled audits and third-party certification) can helpfully serve as a forum for firms to share emerging solutions on how to secure and exercise effective and proportionate access and audit rights in these scenarios.
- Acceleration towards tech solutions: this has been heightened by the pandemic, and there is a need for a regulatory discussion that considers the impact of this acceleration on financial stability and concentration risk.
- SMCR and governance arrangements: as noted in the Joint PRA/FCA statement on the application of the SM&CR during COVID-19, the PRA does not require or expect firms to designate a single SMF to be responsible for all aspects of their response to COVID-19. The CP is an opportunity for firms to share how they have managed governance in practice and what they would look to put in place going forward.
- Dialogue with firms: the CP is a good platform to facilitate discussion around which further guidance from regulators firms would find helpful.
Third Parties, access and audit rights
- Challenging discussions: firms are having challenging discussions with vendors in relation to audit rights and access rights. Therefore, clarity from the PRA as to what it expects to see in relation to access and audit rights would be very welcome. There was discussion that perhaps this should go beyond a contractual right, and that key service providers could instead be subject to regulation in relation to this.
- Concentration risk: firms are considering issues around concentration risk and critical third parties in order to feed into their CP responses. A trilateral dialogue with the PRA which involves these critical third party service providers would be a useful exercise.
Global regulatory consistency
- Layered approach: Regulators around the world (including in Singapore, USA and Europe) are engaging to inform the supervisory approach and policies. The European Commission is also consulting on a potential direct oversight framework for critical technology providers to financial institutions. There have also been interactions with global standard setting bodies such as Basel and the Financial Stability Board. The UK’s evolving policy on operational resilience and third-party risk management could provide thought leadership.
Sub-outsourcing
- There is a recognition in the market and by regulators that supply chain management is difficult and that it cannot be effectively managed by contractual means alone. However, there do need to be some contractual safeguards in place to manage the risks.
Shared services companies
- The discussion referenced the FSB guidance on using intragroup shared service companies as a mechanism to facilitate operational continuity in resolution. It was noted that there are certain power dynamics in the group context. Where a subsidiary is providing services to a parent company, the subsidiary's ability to control and influence decisions of the parent is in most cases more limited. On the other hand, where a parent is receiving services from a subsidiary, the parent's control is absolute. Where services are provided by a third party service provider, the power dynamic is more horizontal, which is preferable from an operational resilience perspective.
Data localisation
- The granularity of data localisation arrangements is the subject of discussion at a global level. Firms should be looking to balance the risks and rewards of having their outsourced data and IT infrastructure stored in, or transferred through, multiple locations. Factors that may affect a firm's risk-based decision include the legal, political and regulatory environment in different jurisdictions, weighed against the potential resilience advantages of having their data dispersed across geographies.
Outsourcing Register
- Difficulties with taxonomy: the discussion identified the need to move away from the existing narrow definitions of 'outsourcing'. Ideally, firms should be looking to understand the risks associated with all relevant third party arrangements with a potential impact on their safety and soundness, not just those within the definition of "material outsourcing". It was noted that a more holistic approach towards third-party risk management had been taken by the G7 in its Fundamental Elements on Third Party Cyber Risk Management in the Financial Sector and by the EBA in its recent ICT Guidelines. Rather than focusing on the definitions, firms should take into account the materiality of their third-party relationships, while also applying the principle of proportionality.
- Threshold: in terms of a threshold for determining when to include a third party on the Register, being too prescriptive could leave blind spots. Instead, firms should focus on materiality rather than a set threshold.
Lessons learned
Firms are looking to engage pro-actively with the CP and to draw upon lessons learned from the pandemic to inform their response. This will ensure that the resulting supervisory statement is an accurate reflection of the industry’s views and experiences.
Simmons & Simmons is planning several roundtable discussions on the PRA and FCA consultation papers on operational resilience. If you would like to join the discussions, please feel free to reach out to the contacts listed on this article.
See our coronavirus (COVID-19) feature for more information generally on the possible legal implications of COVID-19.