Third Party and Outsourcing - The Perfect Storm

By Michael Faber

The change in thinking is here

The reliance on third parties within the finance sector has increased significantly over the last decade. Whilst historically finance sector firms were reluctant to have anything that wasn’t managed in-house, the advent of advanced technology and cloud-based solutions, together with the need for cost efficiencies resulted in a dramatic shift in thinking.

Given this significant uptake in the use of third party and outsourcing services, the associated risks have also increased, as has the concern of the financial sector regulators, illustrated by the reams of legislation and regulation recently published or still in consultation.

This insight looks to bring together several connected initiatives, each worthy of insights in their own right. We’ll be publishing our thoughts on each in due course.

Legislation and regulation aplenty

So, what has happened, and is happening, to the laws and regulations that influence how third party and outsourcing services should be entered into and managed?

EBA Guidelines

The EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) are designed to strengthen financial institutions’ governance over their outsourcing arrangements. This allows regulators to supervise firms’ arrangements, including identifying and monitoring risk concentrations, particularly if these could cause a risk to the stability of the financial system.

The EBA guidelines apply to any outsourcing arrangement, defined as any service performed by a service provider that would otherwise be undertaken by the firm itself, including intra-group outsourcing.

The implementation deadline for the EU was 31 December 2021, with UK regulators stating compliance for UK firms by 31 March 2022.

PRA SS2/21

The PRA’s supervisory statement SS2/21: Outsourcing and Third Party Risk Management implements the EBA guidelines on outsourcing arrangements. It is also designed to complement the operational resilience regulations and to facilitate greater resilience overall. A key requirement of the statement is the identification of third party materiality.

As stated above, while the EU implementation deadline for the EBA guidelines was 31 December 2021, the deadline for this supervisory statement was 31 March 2022. We’ll cover this in more detail in a future insight.

DORA

The Digital Operational Resilience Act (DORA) is new EU legislation aimed at improving the resilience and security of the EU financial services sector. Whilst the focus of this act is somewhat wider than just third parties, articles 25-39 relate to due diligence on ICT third party risks and services, looking to ensure that equivalent risk management, controls, testing, and monitoring are in place for all third party providers of services.

This includes engaging with ICT third party providers and using mapping and related registers to ensure all third party providers of services are complying with the resilience requirements.

The expectation is that DORA will be finally published between December 2022 and January 2023.

Financial Services & Markets Bill

This is an important piece of legislation that should create a more competitive UK financial services sector post Brexit, including greater powers for the regulators and setting out a framework for managing systemic risks posed by ‘Critical Third Parties’ (CTPs).

The proposals include regulating cloud providers and other designated ‘critical third parties’, with HM Treasury having powers to categorise suppliers as ‘critical’, and the UK finance sector regulators having powers to oversee these critical third party suppliers, which would be subject to new minimum resilience standards.

The Bill (146) is currently going through Parliament: it completed Commons Committee stage in November 2022 and will now go through the House of Lords before the final stage of Royal Assent.

PRA 3/22 & FCA 22/3

At the same time as the Financial Services and Markets Bill was put before Parliament, the FCA and PRA issued a joint discussion paper detailing how the regulators should use the statutory powers resulting from the Bill.

Once the Bill is formally made legislation, it will provide regulators with significant powers over CTPs, including requiring them to provide information on incidents and any threats to overall stability. Additional areas of scenario testing will be covered, with the possibility of sector-specific testing in the future.

UK Finance survey findings

Following surveys conducted in July 2021 and March 2022, UK Finance have published their findings entitled PRA SS2/21 – The Compliance Journey. As mentioned, conducting a materiality assessment across third parties is a key focus. In the survey, mid-tier and small firms classed more than 25% of their total engagements as material, while large firms classed less than 15% of their total engagements as material.

Three key themes were identified in the additional information firms require from the larger service providers:

·      Business Continuity – demonstration of resiliency

·      Written agreement - agreeing additional contractual provisions including information and audit rights

·      Sub outsourcing – demonstrate resilience in their supply chain

Of some concern, 75% (24) of the survey participants expected that up to 10% of their external vendors would not comply with the business continuity or contract changes.

Lastly, regarding compliance readiness, only 31% (10) of firms in the survey were on track for full compliance by 31 March 2022.

So, what should firms be focusing on now?

As stated at the start of this article, there is an ever-increasing shift within once traditional finance sector firms to capitalise on advances in third party and outsourcing services, particularly with the advent of cloud-based and software-as-a-service offerings.

However, even with all these initiatives by governments and regulators aimed at improving the management of third party and outsourcing risks, a number of firms still lack robust central control over third parties. It’s a subject that often falls between two stools, so to speak. We’re all familiar with the “anybody could have, somebody should have, but nobody did” analogy. Contracts without SLAs, SLAs that don’t match the business requirements, we won’t bore you with more examples…

There is now more focus on fourth and fifth level parties (sub-outsourcing) associated with a service agreement: how third parties manage their own suppliers, and the impact this can have on the overall service.

This is a critical component on the resilience journey, and as indicated in the recent UK Finance survey findings, more work is required to comply with existing regulations, as well as those legislative and regulatory initiatives in the current pipeline.

Firms should be looking to mitigate the risk of harm to clients and markets. They could also recognise that having robust, centralised third party risk management systems and controls in place can result in cost savings when reviewing and negotiating contracts, particularly for global firms.

If you would like to discuss this further, please get in touch, and look out for our more detailed insights on upcoming regulation and legislation, starting with DORA.
