UK Bank of England finalises policy on FMI outsourcing and third party risk management | Hogan Lovells


What are the BoE requirements and expectations for outsourcing and third party risk management for FMIs?

The Policy Statement sets out the Bank of England’s (BoE) requirements and expectations in relation to outsourcing and third party risk management in response to FMIs’ evolving business models and industry practices that place increasing reliance on services and technologies provided by third parties. The expectations and requirements are intended to align with and complement the regulatory framework on operational resilience for FMIs published in March 2021 and the supervisory expectations in relation to material outsourcing to the public cloud set out in the BoE’s letters to FMIs in September 2021.

The BoE expects FMIs to ensure greater resilience when adopting the cloud and other new technologies, as set out in the BoE’s response to the 2019 Future of Finance (FoF) report. The BoE set up the Future of Finance project in May 2018 to look at how financial services might evolve over the next decade and the impact of this on the sector. Huw van Steenis led this research; the report and the BoE’s response to it were published on 20 June 2019.

The annex to the Policy Statement contains links to the following materials that set out the PRA’s policy in this area for each type of FMI. The final supervisory statements and the Code of Practice explain how the BoE expects FMIs to comply with the range of requirements and expectations on outsourcing and third party risk management throughout the lifecycle of their outsourcing arrangements.

The supervisory statements for each type of FMI follow a similar format, as detailed below.

Supervisory statement on outsourcing and third party risk management: CCPs

The CCP Supervisory Statement is relevant to all BoE supervised CCPs and UK entities which are planning to apply to the BoE for authorisation as a UK CCP pursuant to UK EMIR. It explains the BoE’s supervisory approach to outsourcing and third party risk management, which is relevant to many areas of a CCP’s operations. It provides guidance as to how the BoE expects CCPs to meet their regulatory obligations and sets out more specific requirements and expectations for CCPs than is contained within the CPMI-IOSCO Principles for Financial Market Infrastructure (PFMI), UK EMIR and relevant technical standards. In particular:

  • Chapter 2 elaborates on the definitions of ‘third party’ and ‘outsourcing’, and sets out the expectations for managing the risks arising from all third party dependencies that can pose a threat to the safety and efficiency of the CCP, thereby impacting financial stability. It also elaborates on the expectation for CCPs to have a sufficient understanding of the risks to clearing services when participants outsource to the cloud.

  • Chapter 3 clarifies how the principle of proportionality applies to the expectations, in particular to intragroup outsourcing.

  • Chapter 4 sets out the BoE’s expectations on governance and accountability, risk management and record keeping.

  • Chapter 5 sets out the BoE’s expectations for CCPs during the pre-outsourcing phase. It addresses the criticality and risk assessments of their outsourcing and other third party arrangements (including notification to the BoE where required), and CCPs’ due diligence on third parties.

  • Chapter 6 lists the areas that the BoE expects written agreements relating to critical outsourcing arrangements to address as a minimum. The following four areas are then examined in detail in Chapters 7–10:

    • data security;

    • access, audit, and information rights;

    • sub-outsourcing; and

    • business continuity and exit strategies.

Supervisory statement on outsourcing and third party risk management: CSDs

The CSD Supervisory Statement is relevant to all BoE supervised CSDs and UK entities which are planning to apply to the BoE for authorisation as a UK CSD pursuant to UK CSDR.

CSDs’ reliance on third parties, in particular through outsourcing arrangements, is well established, and is already subject to existing regulatory requirements and the PFMI, to which the BoE expects CSDs to have regard. This includes the authorisation requirement set out in Article 19 of the onshored UK CSDR (Regulation (EU) No 909/2014) on central securities depositories, where the outsourcing relates to the delivery of core services as defined in Section A of the Annex, as well as other detailed onshored requirements contained in relevant technical standards. CSDs are also expected to have due regard to the BoE’s policy on operational resilience.

The CSD Supervisory Statement provides guidance as to how the Bank expects CSDs to meet their regulatory obligations and sets out more specific requirements and expectations for CSDs than is contained within the PFMI, UK CSDR and relevant technical standards. In particular:

  • Chapter 2 elaborates on the definitions of ‘third party’ and ‘outsourcing’, and sets out the expectations for managing the risks arising from all third party dependencies that can pose a threat to the safety and efficiency of the CSD, thereby impacting financial stability. It also elaborates on the expectation for CSDs to have a sufficient understanding of the risks to settlement services when participants outsource to the cloud.

  • Chapter 3 clarifies how the principle of proportionality applies, in particular, to intragroup outsourcing.

  • Chapter 4 sets out the BoE’s expectations on governance and accountability, risk management and record keeping.

  • Chapter 5 sets out the BoE’s expectations for CSDs during the pre-outsourcing phase. It addresses the criticality and risk assessments of their outsourcing and other third party arrangements (including notification to the BoE where required), and CSDs’ due diligence on third parties.

  • Chapter 6 lists the areas that the BoE expects written agreements relating to critical outsourcing arrangements to address as a minimum. Four areas (data security; access, audit and information rights; sub-outsourcing; and business continuity and exit strategies) are then examined in detail in Chapters 7–10.

Supervisory statement on outsourcing and third party risk management: RPSOs and SSPs

The RPSO and SSP Supervisory Statement applies to RPSOs under section 184 of the Banking Act 2009 (the Act) and to SSPs under section 206A of the Act. The ‘Outsourcing and third party risk management: recognised payment system operators and specified service providers’ part of the Code of Practice (CoP) published under section 189 of the Act only applies to relevant RPSOs and SSPs.

In respect of an RPSO or SSP that is incorporated outside of the UK, the BoE will determine on a case-by-case basis whether that RPSO or SSP will be subject to the BoE’s requirements and expectations, taking into account factors such as its systemic importance in the UK and the extent to which the local (home-country) regulatory and supervisory framework delivers an equivalent outcome in terms of outsourcing and third party risk management.

The RPSO/SSP Supervisory Statement explains the BoE’s supervisory approach to outsourcing and third party risk management, which is relevant to many areas of an RPSO’s and SSP’s operations. It also provides guidance as to how the Bank expects RPSOs and SSPs to meet their regulatory obligations under the CoP and sets out more specific requirements and expectations for RPSOs and SSPs than is contained within the Principles for Financial Market Infrastructures (PFMI). In particular:

  • Chapter 2 elaborates on the definitions of ‘third party’ and ‘outsourcing’ in the outsourcing and third party risk management part of the CoP, and sets out the expectations for managing the risks arising from all third party dependencies that can pose a threat to the safety and efficiency of the payment system, thereby impacting financial stability. It also elaborates on the requirement for RPSOs to have a sufficient understanding of the risks to the end-to-end flow of payments across the payment system when participants outsource their payment connectivity to the cloud.

  • Chapter 3 clarifies how the principle of proportionality applies, in particular, to intragroup outsourcing.

  • Chapter 4 sets out the BoE’s expectations on governance and accountability, risk management and record keeping.

  • Chapter 5 sets out the expectations for RPSOs and SSPs during the pre-outsourcing phase. It addresses the criticality and risk assessments of their outsourcing and other third party arrangements (including notification to the BoE where required), and RPSOs’ and SSPs’ due diligence on third parties.

  • Chapter 6 lists the areas that the BoE expects written agreements relating to critical outsourcing arrangements to address as a minimum. Four areas are then examined in detail in Chapters 7–10: data security; access, audit and information rights; sub-outsourcing; and business continuity and exit strategies.

Has the BoE taken into account international developments on outsourcing and third party risk management in developing its policy?

Supervisory authorities around the world are also updating their rules, expectations, guidance and supervisory practices on outsourcing and third party risk management. In developing this policy, the BoE states that it took account of:

Does the Policy Statement detail feedback from the previous Consultation Papers?

Due to the similarities between the proposals in the previous consultation papers and the policy documents attached to those consultation papers, the BoE thought it useful to address the feedback from the three consultations in the Policy Statement. The BoE details the 15 responses it received to the three consultation papers in sections 2-12 of the Policy Statement. Responses came from a range of stakeholders, including FMIs and/or their parent companies, trade associations, third party service providers and FMI participants (eg clearing members). Respondents were generally supportive of the overall direction of the proposals, and welcomed the BoE’s efforts to clarify regulatory expectations and requirements and to bolster the operational resilience of FMIs.

Next steps: when do the requirements and expectations come into effect?

FMIs must comply with the expectations set out in the relevant supervisory statement by 9 February 2024. Relevant RPSOs and SSPs must also comply with the requirements in the CoP by this date. Outsourcing arrangements entered into on or after 8 February 2023 must meet the expectations in the relevant supervisory statement and (where relevant) the CoP by 9 February 2024. FMIs should seek to review and update legacy outsourcing agreements entered into before 8 February 2023 at the first appropriate contractual renewal or revision point to meet the expectations in the relevant supervisory statement as soon as possible on or after 9 February 2023.
