In the days before Brexit, the UK requirements on outsourcing were largely covered by EU legislation and guidance issued by the EU supervisory bodies. Currently, the European Banking Authority (EBA) Guidelines on outsourcing have transitional provisions that run until 31 December 2021. The UK FCA notified the EBA of its intention to continue to comply with the EBA Guidelines back in 2019, which is important to note, because firms subject to the PRA’s SS will also be subject to the FCA’s requirements.
The new requirements have been triggered by firms increasingly relying on outsourced third-party technology, such as cloud outsourcing. However, it is important to note that they apply beyond just cloud services. As practices change and evolve, they raise questions about how to manage the risks of such complex technologies, including how to protect confidential and sensitive data while making sure that it remains accessible to firms and regulators.
Requirements Aim to Avoid a Single Point of Failure
The PRA is seeking to address, among other things, a concern that an overreliance by firms on a small number of dominant outsourced service providers, who are difficult to substitute, could result in a concentration risk. A major disruption at one of these service providers could create a single-point-of-failure with severe financial consequences.
Who does it apply to?
The regulations apply to banks, building societies, PRA-designated investment firms, insurance and reinsurance firms and groups within the scope of Directive 2009/138/EC (Solvency II), including the Society of Lloyd’s and managing agents, in addition to branches of overseas banks and insurers, collectively ‘firms’. This is a broader group of firms than the EBA Guidelines cover, so it will potentially affect a wider base of outsourced service providers’ customers.
What are the key developments for firms to be aware of?
The proposals cover several areas, from governance and record keeping to the approach to audits and sub-outsourcing – all of which are likely to affect the contractual requirements customers demand from their outsourced service providers. The DSS specifies that all outsourcing arrangements would need to be set out in a written agreement.
Financial services organisations in the UK are trying to understand the regulations, interpret them and identify how they can meet these compliance requirements within their organisation.
Manual Processing Means Compliance Difficulty
Given the number of outsourcing contracts in use across financial services, organisations that try to address this requirement through a manual process will find it problematic. Many organisations use multiple systems or spreadsheets to capture compliance information and have to check retrospectively, by hand, that contracts meet the compliance rules.
Hear How Danske Bank Used Compliance to Drive Better Practice
On 17th June, Ivalua, which already works with several financial services organisations across Europe, will be discussing the new requirements and how to meet them with Danske Bank. The bank recently used Ivalua technology to deliver compliance with the outsourcing guidelines. It is now not only compliant, but has also used the compliance requirements to justify investment in a procurement transformation at the bank.