UK Finance engages with members to address outsourcing risk

The Financial Stability Board (FSB) has recently closed a consultation on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships (see here).  The consultation requested responses to four questions that relate to:

• the main challenges in identifying, managing and mitigating risks related to outsourcing and third-party relationships

• possible ways to address these challenges and mitigate related risks without unintentionally increasing risks, complexity or costs

• possible ways in which financial institutions, providers and supervisory authorities could collaborate to address these challenges on a cross-border basis

• lessons learnt from the Covid-19 pandemic regarding managing and mitigating risks in this area.

The consultation was accompanied by a useful discussion paper that provides helpful guidance on managing the challenges addressed in the consultation, including references to a wide range of international sources that illustrate the standards that apply in several jurisdictions.  The Prudential Regulation Authority (PRA) works closely with the FSB, which coordinates the work of national financial authorities and international standard-setting bodies at the international level.

UK Finance submitted a response recognising the views of members via the European Banking Federation. Below, we explore a few of the main issues raised in response to the questions.

Pressing concerns

1. Cross-border issues:  A consistent concern recognised by the discussion paper is the problems raised by (i) diverging standards/taxonomy/definitions across different regulators, and (ii) the changing regulatory landscape that requires responding to ongoing and evolving reforms and constant costly remediation, often without due regard for pre-existing standards. To address these issues, the discussion paper (reflecting the comments of UK Finance members) recognises that international regulators should collaborate for consistency in approaches and adopt flexibility in approaches to implementation. Flexibility in implementation will allow firms at different stages of the process to ensure resilience while adapting without the pressure of unnecessary tight deadlines that can result in oversights and errors. To combat the proliferation of ongoing requirements, firms can identify emerging consistent principles that apply across the international regulators, focusing on overarching principles rather than detailed terms (see further below) and engaging proactively with other stakeholders and regulators to air and alleviate concerns.
2. Concentration Risk: A further recurring concern is systemic instability due to common service providers used by (i) a single firm's group of branches/companies; and/or (ii) multiple firms/branches of different firms. This issue is also explored in other consultations, such as the EU's recent consultation on the proposed ?Digital Operational Resilience Act' (DORA) which aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. A frequent misassumption is that concentration risk is synonymous with cloud providers. In fact, as the Bank of England has acknowledged, there are recognised benefits of the cloud in strengthening resilience when adequately managed (following recommendations in the UK Future of Finance Report). Nonetheless, concentration risks due to limited providers for certain outsourcing needs remains a pressing issue that could cause significant systemic disruption if left unaddressed. Ways to alleviate again include global collaboration. The industry can also engage by information sharing, which should be facilitated by the Outsourcing Registers proposed by several national regulatory authorities including the PRA.

3. Focus on principle and pragmatism over prescription: ?Principle over prescription? can help to reduce complexity, risks and costs. Firms and regulators can focus on principles that guide the application of specific requirements to allow compliance that recognises the overriding purpose of regulations over adherence to strict rules. The FSB, reflecting the recent approach of the PRA, identifies important areas such as intra-group outsourcing and governance. This is where the principle of proportionality needs to be borne in mind by regulators. The use of principles shows that prescription is generally not appropriate since resilience and responsible outsourcing are ?outcomes? that can be achieved in a number of ways - one size does not fit all firms.

Further concerns identified by members and reflected in the discussion paper (among others) include reducing information barriers to allow sufficient insight of outsourcers? arrangements and systemic risks, difficulties defining the time to implement exit plans and assessing appropriate interim steps before executing exit arrangements, and facilitating adequate governance due to practical limits on the ability of senior management to oversee and identify risks.

On the horizon

In future blogs we will address the themes explored in this blog and other issues related to managing operational resilience and outsourcing risks. We also will provide additional guidance through webinars as part of the UK Finance Regulatory Roadmap. Please check the UK Finance website and daily news for further information due course.