Shearman & Sterling LLP | FinReg | UK Prudential Regulator Consults on Outsourcing and Third Party Risk Management Rules
Financial Regulatory Developments Focus
  • UK Prudential Regulator Consults on Outsourcing and Third Party Risk Management Rules

    The U.K. Prudential Regulation Authority is consulting on proposals for modernizing the regulatory framework on outsourcing and third party risk management by the financial services sector. The proposals are relevant to banks, building societies, PRA-designated investment firms, insurance and reinsurance firms and groups in scope of the Solvency II Directive as well as U.K. branches of overseas banks and insurers. Responses to the consultation should be submitted by April 3, 2020. The PRA aims to publish its final policy on the proposals in the second half of 2020.
    The PRA’s consultation responds to firms’ increasing reliance on technology provided by third party providers. That reliance creates risks around matters such as data security, the capacity of firms to fully understand the nature of the risks that using such technology may generate, and the monopolization of the market by a small number of third party service providers, which may make exiting such arrangements problematic. The PRA’s proposals relate to:
    • Governance: boards and senior management should not be able to outsource their responsibilities and should remain responsible for key decisions regarding the firm’s outsourcing arrangements;
    • Record-keeping: firms will, from December 31, 2021, be expected to maintain an up-to-date register of information on their outsourcing arrangements;
    • Due-diligence and risk assessment: firms should determine the materiality of each outsourcing arrangement that they enter into, perform appropriate due diligence on their proposed service providers and conduct a risk assessment in respect of all outsourcing arrangements; and
    • Outsourcing agreements: outsourcing agreements should be in written form and should cover data security, access, audit and information rights, sub-outsourcing and business continuity and exit plans, the details of which are discussed further in the consultation paper.

    View the PRA's consultation paper on outsourcing and third party risk management.