This discussion paper considers regulatory and supervisory issues relating to outsourcing and third-party relationships. It will facilitate a discussion on current regulatory and supervisory approaches to the management of outsourcing and third-party risks.
There is a common concern about the possibility of systemic risk arising from concentration in the provision of some outsourced and third-party services to financial institutions. These risks may become higher as the number of financial institutions receiving critical services from a given third party increases. Where there is no appropriate mitigant in place, a major disruption, outage or failure at one of these third parties could create a single point of failure with potential adverse consequences for financial stability and/or the safety and soundness of multiple financial institutions. Given the cross-border nature of this dependency, supervisory authorities and third parties could particularly benefit from enhanced dialogue on this issue.
This consultation paper seeks feedback on a proposed Notice to Banks on Management of Outsourced Relevant Services. MAS also intends to mirror requirements of this notice for Merchant Banks in a Notice to Merchant Banks on Management of Outsourced Relevant Services.
On 9 November 2020, the FSB published a discussion paper for public consultation on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships. The FSB received 39 responses from a wide range of stakeholders including banks, insurers, asset managers, financial market infrastructures (FMIs), third-party service providers, industry associations, public authorities, and individuals. The FSB also held a virtual outreach meeting in late February 2021, attended by around 200 participants.
The European Insurance and Occupational Pension Authority (EIOPA) launched a consultation on guidelines on outsourcing to cloud service providers. These guidelines shall provide guidance to market participants on how the outsourcing provisions set forth in the Directive 2009/138/EC, in the Commission's Delegated Regulation 2015/35 and in EIOPA's Guidelines on System of Governance need to be applied in the case of outsourcing to cloud service providers. The consultation is open until Monday, 30 September 2019.
On 14 April 2022, the Bank of England (BoE) published three consultation papers on "Outsourcing and third party risk management" applicable to Financial Market Infrastructures (FMIs). FMIs are the networks that allow financial transactions to take place by providing the clearing, settlement and recording of financial transactions. FMIs include payment network providers like Visa, MasterCard, BACS and LINK. A full list of FMIs can be found here.
Chapter 6 of each FMI Supervisory Statement contains detailed requirements for provisions which FMIs must include in their "critical" outsourcing contracts. These cover a wide range of matters, such as service levels, audit, sub-contracting and cooperation with regulators. The requirements are largely the same as those specified in SS2/21, save for the following differences:
The FMI Supervisory Statements make clear the BoE expects FMIs to assess the risks of all third party arrangements, irrespective of whether they fall within the definition of "outsourcing". This is notable, as SS2/21 takes an arguably softer approach, requiring a proportional approach for non-outsourcing contracts and allowing more scope for judgment. In practice, while the contractual requirements at Chapter 6 (described above) are stated to apply to "critical outsourcing" arrangements, FMIs will need to take a largely similar approach for non-outsourcing agreements.
Firms should ensure they respond to these consultations so that their voices are heard, particularly as the responses provide firms with an opportunity to address the concerns they may have in implementing the requirements.
In many cases, FMIs will already have been directly, or indirectly (via contractual flow-down requirements), required to comply with the EBA Outsourcing Guidelines and/or SS2/21 from 31 March 2022. To the extent this is true, becoming compliant with the FMI Supervisory Statements will not be a huge additional effort. However, the hardening of the position on non-outsourcing agreements potentially brings a large number of additional contracts into scope for review. While many of the contractual requirements would be included in a well-drafted agreement in any case, some specific requirements around audit, regulatory cooperation and dependencies will go significantly further than is typical in an unregulated contract.
In practice, the steps to be followed by FMIs to achieve compliance with the FMI Supervisory Statements will be very similar to those required for previous outsourcing regulations (see our previous article on the five steps to deliver a remediation project here). Following the passing of the SS2/21 deadline on 31 March 2022, FMIs will be able to hire experts with hands-on and recent experience of delivering complex remediation projects.
The Prudential Regulation Authority (PRA) is responsible for the prudential supervision of around 1,500 financial institutions, including banks, insurance companies, building societies, credit unions, and certain large investment firms. As a prudential regulator, the PRA has a general objective to promote the financial soundness of the firms it regulates.
The Financial Conduct Authority (FCA) has responsibility for business supervision of all financial services firms, which includes nearly 60,000 businesses. The FCA has prudential supervision for 49,000 firms and is also responsible for supervising outsourcing arrangements established by firms not supervised by the PRA.
In July 2016, the FCA published the FG 16/5 Guidance for firms outsourcing to the cloud and other third-party IT services intended to help firms authorized under the Financial Services and Markets Act 2000 (FSMA) oversee all aspects of their outsourcing arrangements. This guidance was subsequently updated to take account of more recent regulatory developments, such as the implementation of the European Banking Authority (EBA) Guidelines on outsourcing arrangements (EBA/GL/2019/02) which was enacted in September 2019. The current version of the FCA guidance was published in September 2019 following this development.
In December 2019, the PRA published a consultation paper CP30/19 Outsourcing and third-party risk management, which takes into account both the EBA Guidelines on outsourcing arrangements and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers. In March 2021, the PRA published a policy statement PS7/21 Outsourcing and third-party risk management that provides feedback to CP30/19 responses and contains the PRA's final Supervisory Statement SS2/21 Outsourcing and third-party risk management.
Supervisory Statement SS2/21 sets out the PRA's expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management. Firms are expected to comply with the expectations in SS2/21 by 31 March 2022.
There are additional requirements and guidelines that financial institutions in the United Kingdom should be aware of when moving to the cloud, including the FSMA, Senior Management Arrangements, Systems, and Controls Sourcebook (SYSC) in the FCA Handbook, the European Banking Authority (EBA) Final Report on Recommendations on Outsourcing to Cloud Service Providers EBA/REC/2017/03, and others.
Changes were made to the Banking Act in 2020 that contemplate MAS would issue revised outsourcing notices that would mandate banks' compliance with a range of requirements, including certain matters currently covered by the MAS Guidelines on Outsourcing, and more. At the time of writing, those notices have not yet been issued, so the contemplated changes are not in effect.
In December 2020, MAS issued a consultation paper on a proposed notice to banks on managing outsourced relevant services, which expressly includes public cloud services as relevant services. The proposals are still at the consultation stage.
The PRA states in PS7/21 that it received general support for the proposals in its consultation paper of December 2019 (CP30/19) and responses focused on specific areas for which the PRA has made targeted revisions to its final policy:
The emergence of "digital assets" or "crypto assets" continues to be a growing area of interest for regulators globally. Innovations like distributed ledger technology (DLT) and crypto assets are relatively new and are transforming the landscape of the financial industry. Interest in crypto assets among investors, governments and regulators globally has increased significantly since the creation of bitcoin in 2008 and continues to grow. Early in 2018, at its peak, the total value of crypto assets was estimated, by one source, at more than US$800 billion. While the value has since fallen, trading volumes remain significant. Today, there are over 2,000 crypto assets that may be traded for government-issued currencies or other types of crypto assets on over 200 platforms that facilitate the buying and selling or transferring of crypto assets (Platforms). Many of these Platforms operate globally and without any regulatory oversight.
Although DLT may provide benefits, global incidents point to crypto assets having heightened risks related to loss and theft as compared to other assets. Regulators around the world are currently considering important issues surrounding the regulation of crypto assets including the appropriate regulation of Platforms. The Canadian Securities Administrators (the CSA) and the Investment Industry Regulatory Organization of Canada (IIROC, and together with the CSA, we), have been engaged with regulators globally, through IOSCO and other innovation initiatives, to seek input on a variety of regulatory approaches that exist in this area.