{"id":5323,"date":"2022-02-10T08:17:07","date_gmt":"2022-02-10T08:17:07","guid":{"rendered":"https:\/\/www.icsr.co.uk\/?p=5323"},"modified":"2022-05-23T13:26:56","modified_gmt":"2022-05-23T13:26:56","slug":"outsourcing-and-third-party-arrangements-creating-resilience-in-your-operational-processes","status":"publish","type":"post","link":"https:\/\/www.icsr.co.uk\/outsourcing-and-third-party-arrangements-creating-resilience-in-your-operational-processes\/","title":{"rendered":"Outsourcing and Third-Party Arrangements \u2013 Creating Resilience In Your Operational Processes"},"content":{"rendered":"
As we approach the 31st March 2022, many firms will be asking themselves: have we done enough on Operational Resilience to satisfy the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA)? In March 2021, the PRA supplemented the Operational Resilience requirements with Supervisory Statement SS2/21 on the importance of managing outsourcing and third-party arrangements. This article looks at SS2/21, including its scope, aims and key requirements, and what firms need to do to ensure they are compliant.

Outsourcing and Third Party Arrangements – Scope and Objectives

SS2/21 applies to insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents (hereafter “(re)insurers”). FCA solo-regulated firms should be aware of the work, particularly where they might be considered an outsourced provider of services to a PRA-regulated firm.

The PRA has two main objectives in requiring (re)insurers to look at their outsourcing and third-party arrangements. These are to:

SS2/21 – The Requirements

Firstly, let’s define what outsourcing is. The PRA Rulebook defines ‘outsourcing’ as:

“an arrangement of any form between a (re)insurer and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service, or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself.”

The PRA’s overarching aim is for (re)insurers to apply adequate governance and controls to all third-party dependencies that can impact its statutory objectives. The PRA defines a ‘third party’ as:

“an organisation that has entered into a business relationship or contract with a firm to provide a product or service”

Before an outsourcing or third-party arrangement can be established, the PRA will expect (re)insurers to:

Materiality Assessment

The PRA Rulebook defines ‘material outsourcing’ as the outsourcing of a:

“service of such importance that weakness, or failure, of the services would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions or compliance with the Fundamental Rules.”

(Re)insurers should determine the materiality of all third-party arrangements and are required to (re)assess the materiality of their outsourcing and third-party arrangements:

The PRA has left it to (re)insurers to develop their own processes for assessing materiality as part of their outsourcing or third-party risk management policy. However, to ensure consistency across (re)insurers’ assessments, the PRA expects (re)insurers to take into account certain criteria. The criteria that will generally render an outsourcing arrangement material are where a defect or failure in its performance could:

Supplementing these key areas, (re)insurers will need to develop an internal assessment to determine which outsourcing and third-party arrangements meet the definition of ‘material’. There will not be a one-size-fits-all approach; however, key considerations are:

These considerations are more in line with what the FCA would expect, but there could be many more depending on the scale and the complexity of the outsourcing or third-party arrangement.

Due Diligence

The PRA expects (re)insurers to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify suitable alternative or back-up providers where available. If no alternative or back-up providers for a material outsourcing arrangement are available, (re)insurers should consider alternative business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business services within their impact tolerances in the event of material disruption to their chosen service provider. In the case of material outsourcing, the PRA expects (re)insurers’ due diligence to consider the potential providers’:

Whether the outsourced activity is considered ‘material’ or not, the due diligence should consider whether potential service providers:

Risk Assessment

After, or as part of, the due diligence, the PRA expects (re)insurers to assess the potential risks of all third-party arrangements, including outsourcing arrangements, regardless of materiality. As part of the risk assessment, the PRA expects (re)insurers to consider:

The PRA expects (re)insurers to periodically (re)assess and take reasonable steps to manage:

Written Agreement

Once the (re)insurer has completed its materiality assessment, due diligence, and risk assessment, the next stage will be to put in place a written agreement to outline the outsourcing arrangements. Where there is a master service agreement that allows (re)insurers to add or remove certain services, each outsourced service should be appropriately documented, although not necessarily in a separate agreement. (Re)insurers will need to ensure written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Regardless of materiality, (re)insurers should ensure that outsourcing agreements do not impede or limit the PRA’s ability to effectively supervise the firm or the outsourced activity, function, or service.

Material outsourcing agreements between the (re)insurer and the service provider should set out:

Oversight

Once the written agreement is in place, the focus moves to using the service provider. When using the service provider, a key area of focus is data. ‘Data’ includes firm-sensitive and transactional data. It may also cover open-source data (e.g., from social media) collected, analysed, and transferred for the purposes of providing financial services, as well as the systems used to process, transfer, or store data.

Where a material outsourcing or third-party agreement involves the transfer of or access to data, the PRA expects (re)insurers to:

While the PRA does not prescribe a specific taxonomy for data classification, it expects (re)insurers to implement appropriate, risk-based technical and organisational measures to protect different classes of data (e.g., confidential, client, personal, sensitive, transaction). As part of their due diligence and risk assessment in the pre-outsourcing phase, (re)insurers should identify whether their data could be processed in any jurisdictions that are outside their risk tolerance and, if so, bring this to the attention of the third party when negotiating the contractual arrangement in order to discuss adequate data protection and risk mitigation measures.

The PRA expects (re)insurers to implement robust controls for data-in-transit, data-in-memory, and data-at-rest. Depending on the materiality and risk of the arrangement, these controls may include a range of preventative and detective measures, including but not necessarily limited to:

(Re)insurers will need to be clear on how data integrity and data security will be maintained. This should be covered in the written agreement and should be closely monitored by (re)insurers on an ongoing basis. One of the aims of SS2/21 was to ‘facilitate greater resilience and adoption of the cloud and other new technologies’, as set out in the Bank of England’s response to the ‘Future of Finance’ report.

The (re)insurer is responsible for what is in the cloud, and the cloud service provider is responsible for the provision of the cloud. (Re)insurers need to remain responsible for:

Sub-Outsourcing

The PRA expects (re)insurers to assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that (re)insurers have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers. The PRA expects (re)insurers to pay particular attention to the potential impact of large, complex sub-outsourcing chains on their operational resilience, including their ability to remain within impact tolerances during operational disruption. (Re)insurers should also consider whether extensive sub-outsourcing could compromise their ability to oversee and monitor an outsourcing arrangement.

(Re)insurers should only agree to material sub-outsourcing if:

(Re)insurers should ensure that the service provider has the ability and capacity, on an ongoing basis, to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies. If the proposed material sub-outsourcing could have significant adverse effects on a material outsourcing arrangement or would lead to a substantive increase in risk, the (re)insurer should exercise its right to object to the material sub-outsourcing and/or terminate the contract.

Business Continuity and Exit Plans

For each material outsourcing arrangement, the PRA expects (re)insurers to develop, maintain, and test a:

The PRA’s primary focus when it comes to business continuity plans and exit strategies is on the ability of (re)insurers to deliver important business services provided or supported by third parties in line with their impact tolerances in the event of disruption. (Re)insurers should implement, and require service providers in material outsourcing arrangements to implement, appropriate business continuity plans to anticipate, withstand, respond to, and recover from severe but plausible operational disruption.

(Re)insurers should begin to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase once they have determined that a planned outsourcing arrangement is material. Doing so will enable them to:

(Re)insurers should assign clear roles and responsibilities for business continuity and exit plans. Subject to proportionality, they may establish cross-disciplinary teams to develop, document, test, and execute their business continuity and exit plans, especially in stressed scenarios.

Conclusion

We have focused heavily on the PRA requirements for (re)insurers when entering, monitoring, and leaving an outsourced or third-party arrangement. The PRA has been prescriptive about what it wants; (re)insurers need to determine their in-house assessment of materiality and ensure that they have everything they need in place to meet the PRA requirements.

As we set out at the beginning of this article, one of the aims of SS2/21 is to complement the PRA requirements and expectations on Operational Resilience (SS1/21). When a (re)insurer is considering an outsourcing or third-party arrangement, the due diligence (including an assessment of materiality) will need to cover the possible effects the outsourced activity could have on operational resilience. An outsourced activity that meets the definition of ‘material outsourcing’ is more likely to have a damaging effect on the (re)insurer if it is not carried out as required. (Re)insurers will need to be mindful of this – the PRA considers outsourcing and third-party management a key element of the wider Operational Resilience piece. (Re)insurers will need to ensure they have undertaken the appropriate due diligence on their service providers before entering into an arrangement, and maintain oversight of their performance throughout the duration of the arrangement. The oversight will need to include regular reporting (MI) from the service provider to the (re)insurer to ensure the arrangement is working as intended.

By the 31st March 2022, contracts between (re)insurers and service providers that were entered into after 31st March 2021 must meet the new requirements set out in this article. (Re)insurers should seek to review and update legacy outsourcing agreements entered into before Wednesday 31st March 2021 at the first appropriate contractual renewal or revision point, so as to meet the expectations of the PRA as soon as possible on or after Thursday 31st March 2022. For (re)insurers whose business model supports the use of a large number of outsourced providers, upgrading their governance of outsourced providers will be a big task. (Re)insurers should focus first on the outsourcing arrangements that were entered into after the 31st March 2021, as the PRA expects them to be the first to meet the new requirements. Once this has been completed, (re)insurers will need to allocate further resource to legacy contracts, which will need to meet the new requirements when they are renewed after 31st March 2022. The process of upgrading the contracts will require stakeholders from vendor management, the business, legal and compliance to ensure the contracts reflect the new PRA requirements.

Further work is also expected in relation to outsourcing, with the PRA planning to consult during 2022 on setting up an online outsourcing register that dual-regulated (re)insurers would need to populate with information on their outsourcing and third-party arrangements. The Bank of England, PRA, and FCA also plan to publish a joint Discussion Paper in 2022 to inform potential future regulatory proposals in relation to critical third-party service providers, in light of (re)insurers’ increasing reliance on such entities. It is clear that this is an area that the UK regulators want to focus on, so we expect further changes in due course.

If you have any questions about the way your firm should be managing outsourcing and third-party agreements, please do contact any member of the team in complete confidence.

Nicky Hasler
Senior Consultant
ICSR