Modernising third party risk management with a PRAgmatic regulator
28 January 2020
Businesses must seize the opportunity to inform the Prudential Regulation Authority’s (PRA) upcoming policy on outsourcing and third party risk management. That was the clear message from our recent breakfast briefing with the regulator.
We brought representatives from our clients’ outsourcing, third party management, procurement and resilience functions to unpick the consultation paper with a senior PRA representative, and to air the likely practical challenges they will face in applying the proposed changes.
The use of third parties and outsourcing arrangements has been part of organisations’ operating models since the nineties, and continues to grow as technology firms, including cloud service providers, offer efficient ways of delivering services.
While the benefits of using specialist third party providers are appealing, they increase the points of potential failure across organisations, and can make oversight more complex. Regulatory scrutiny is increasing, with the European Banking Authority (EBA) taking the lead within Europe. The latest thinking in the UK has come through a PRA consultation paper (summarised here) which is generating a lot of debate and discussion.
While respecting Chatham House rules, a number of recurring themes stood out from our discussion. The PRA consultation reiterates to firms the importance of managing the risks for all third party arrangements, and not just outsourcing. This reminds us all that while outsourcing arrangements (and, in particular, material outsourcing arrangements) may require additional layers of scrutiny, there remains a fundamental need for strong risk management. Firms should think about the relevance of third parties to their businesses, the materiality of each third party, and a proportionate way to oversee them.
For many firms, outsourcing doesn’t stop at third parties. Sub-outsourcing means there are often more complex chains of dependencies lying beneath, and firms are struggling to agree “how deep to go” in their risk assessment. There’s no right answer; firms will want to make sure they go into enough detail to have a view on potential weaknesses in their control environment, and any hidden concentration risks.
Record keeping is a core focus of the oversight of third party arrangements, for both businesses and regulators. The EBA has mandated an outsourcing register for banks to complete by the end of 2021. A common approach across firms would help with the identification of systemic risks so the PRA is investigating the practicalities of centralising this activity through an online portal.
Since the introduction of the Senior Managers Regime, the question of individual accountability raises its head with any proposed change in policy. That applies in this context as firms will wish to review how prescribed responsibilities are allocated for managing outsourcing arrangements, third parties more generally and broader operational resilience. This is something SMF24s are grappling with right now.
The PRA encourages firms to engage with the consultation either directly or through industry bodies.
The resilience of the overall financial system is a responsibility shared by firms and regulators, and the robust management of third parties and outsourcing arrangements is a key part of that.
Firms have until 3 April 2020 to provide feedback on the PRA consultation, while not losing sight of the EBA deadline of the end of 2021 for all existing outsourcing arrangements to be compliant.
Remember the PRA approach applies more broadly than the EBA guidelines, with PRA-designated investment firms, insurers, reinsurers, and third country branches also in scope. We have the expertise to help you work through the implications for your firm so I’d encourage you to reach out to me or the team if you need support.