The Next Steps for Outsourcing and Third Party Risk Management

The regulatory news last week was dominated by the recently published operational resilience consultation papers, which our Director of Operational Resilience Andrew Rogan writes about here. However, at the same time the Prudential Regulation Authority (PRA) also published a consultation paper on outsourcing and third-party risk management ('outsourcing paper'), which includes a draft supervisory statement in the appendix.

The timing of these papers is not a coincidence as the outsourcing and third-party risk management paper is intended to be read in conjunction with, and complements, the policy proposals in the operational resilience consultation papers. In addition, it comes just over a month after the publication of the Treasury Committee report on IT failures in the Financial Services Sector.

While less heralded than the operational resilience consultation papers, the outsourcing paper contains some important proposals that pursue the following objectives:

The outsourcing paper is relevant to UK banks, building societies and branches of overseas banks amongst other PRA designated firms and the draft supervisory statement outlines a number of important elements including, but not limited to:

  • Defining the term 'outsourcing', while noting that firms should start with the assumption that this should apply wherever a 'prudential context' exists with any activities, functions and services performed or provided by third parties.
  • That firms should manage their outsourcing arrangements with a view to proportionality; in other words, greater focus should be applied where there is the potential for systemic significance to occur within the sector.
  • An expectation that appropriate governance and internal controls should exist to deal with third-party risks, including the application of the Senior Managers and Certification Regime.
  • Guidance on appropriate levels of record-keeping and how to fill out the proposed Outsourcing Register (which will replace the Cloud Register in 2021).
  • Written agreement for unrestricted access, audit and information rights for firms, the PRA and the Bank of England (if appropriate) where material outsourcing arrangements exist.
  • Where there are material outsourcing arrangements, firms should have appropriate business continuity plans in place, and specifically in the case of material Cloud outsourcing arrangements firms must determine which of the available Cloud resiliency options are most appropriate for them.

The PRA's expectation is that the final policy from the outsourcing paper will be published in late 2020 with the implementation of the proposals shortly afterwards. UK Finance looks forward to working with members and the authorities to respond to the outsourcing paper prior to the deadline of 3 April 2020.

UK Finance and EY are running a free webinar to discuss the outsourcing paper on Monday 16 December. Join us as we discuss its implications and how this impacts firms. Book your place on the webinar today.