As we approach the 31st March 2022, many firms will be asking themselves, have we done enough on Operational Resilience to satisfy the Prudential Regulatory Authority (PRA) and Financial Conduct Authority (FCA)? In March 2021, the PRA supplemented the Operational Resilience requirements with Supervisory Statement (SS2/21) on the importance of managing Outsourcing and third-party arrangements. This article looks at SS2/21 including its scope, aims, the key requirements and what firms need to do to ensure they are compliant.
Outsourcing and Third Party Arrangements – Scope and Objectives
SS2/21 applies to insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents (hereafter “(re)insurers”). FCA solo-regulated firms should be aware of the work, particularly where they might be considered to be an outsourced provider of services to a PRA-regulated firm.
The PRA have two main objectives in requiring (re)insurers to look at their outsourcing and third-party arrangements. These are to:
- facilitate greater resilience and adoption of the cloud and other new technologies as set out in the Bank of England (the Bank)’s response to the ‘Future of Finance’ report, where they have specifically stated an intent to facilitate “firms’ use of technology, like the cloud, to increase their operational resilience”; and
- complement the requirements and expectations on operational resilience in the PRA Rulebook; SS1/21 ‘Operational resilience: Impact tolerances for important business services’; and the Statement of Policy (SoP) ‘Operational resilience’.
SS2/21 – The Requirements
First, let’s define what Outsourcing is. The PRA Rulebook defines ‘Outsourcing’ as:
“an arrangement of any form between a (re)insurer and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service, or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself.”
The PRA’s overarching aim is for (re)insurers to apply adequate governance and controls to all third-party dependencies that can impact its statutory objectives. The PRA defines a ‘third party’ as:
“an organisation that has entered into a business relationship or contract with a firm to provide a product or service”
Before an outsourcing or third-party arrangement can be established, the PRA will expect (re)insurers to:
- determine the materiality of every outsourcing and third-party arrangement;
- perform appropriate and proportionate due diligence on all potential service providers; and
- assess the risks of every outsourcing arrangement irrespective of materiality.
Materiality Assessment
The PRA Rulebook defines ‘material outsourcing’ as the outsourcing of:
“service of such importance that weakness, or failure, of the services would cast serious doubt upon the firm’s continuing satisfaction of the threshold conditions or compliance with the Fundamental Rules.”
(Re)insurers should determine the materiality of all third-party arrangements and are required to (re)assess the materiality of their outsourcing and third-party arrangements:
- prior to signing the written agreement;
- at appropriate intervals thereafter, e.g., during scheduled review periods;
- where a firm plans to scale up its use of the service or dependency on the service provider; and/or,
- if a significant organisational change at the service provider or a material sub-outsourced service provider takes place that could materially change the nature, scale, and complexity of the risks inherent in the outsourcing arrangement, including a significant change to the service provider’s ownership or financial position.
The PRA has left it to (re)insurers to develop their own processes for assessing materiality as part of their outsourcing or third-party risk management policy. However, to ensure consistency across (re)insurers’ assessments, the PRA expects (re)insurers to take into account certain criteria. An outsourcing arrangement will generally be material where a defect or failure in its performance could:
- affect its ability to meet the Threshold Conditions;
- affect its general safety and soundness (financial resilience, assets, capital, funding, or liquidity);
- impact on its overall operational resilience;
- mean that it fails to provide an appropriate degree of protection for those who are or may become policyholders; and
- undermine the continuous and satisfactory service to policyholders.
Supplementing these key areas, (re)insurers will need to develop an internal assessment to determine which outsourcing and third-party arrangements meet the definition of ‘material’. There will not be a one-size-fits-all approach; however, key considerations are:
- the (re)insurer’s ability to meet its Legal and Regulatory requirements;
- conduct risk;
- ICT risk;
- legal risk;
- business continuity and disaster recovery.
These considerations are more in line with what the FCA would expect, but there could be many more depending on the scale and the complexity of the outsourcing or third-party arrangement.
Due Diligence
The PRA expects (re)insurers to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify suitable alternative or back-up providers where available. If no alternative or back-up providers for a material outsourcing arrangement are available, (re)insurers should consider alternative business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business services within their impact tolerances in the event of material disruption to their chosen service provider. In the case of material outsourcing, the PRA expects (re)insurers’ due diligence to consider the potential providers’:
- business model (level of complexity, ability to scale);
- financial situation (is the service provider financially stable);
- expertise and reputation;
- ICT controls and security;
- sub-outsourced service providers (if any).
Whether the outsourced activity is considered ‘material’ or not, the due diligence should consider whether potential service providers:
- have the authorisations or registrations required to perform the service;
- can comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection;
- have the ability and capacity to provide the service that the (re)insurer requires in line with UK requirements.
Risk Assessment
After, or as part of, the due diligence, the PRA expects (re)insurers to assess the potential risks of all third-party arrangements, including outsourcing arrangements, regardless of materiality. As part of the risk assessment, the PRA expects (re)insurers to consider:
- operational risks based on an analysis of severe but plausible scenarios;
- financial risks, including the potential need for a (re)insurer to provide financial support to an outsourced or sub-outsourced service provider;
- the impact of a significant change to an outsourcing agreement (Operational Resilience);
- the validity of the existing risk mitigation practices (staff awareness and training).
The PRA expects (re)insurers to periodically (re)assess and take reasonable steps to manage:
- their overall reliance on third parties; and
- concentration risks or vendor lock-in at the firm or group, due to:
  - multiple arrangements with the same or closely connected service providers;
  - fourth party/supply chain dependencies, for instance, where multiple otherwise unconnected service providers depend on the same sub-contractor for the delivery of their services;
  - arrangements with service providers that are difficult or impossible to substitute; and/or
  - concentration of outsourcing and other third-party dependencies in a close geographical location, such as one jurisdiction. This type of concentration may arise even if a firm uses multiple, unconnected third-party service providers, for instance, a business process outsourcing or offshoring hub.
Written Agreement
Once the (re)insurer has completed its materiality assessment, due diligence, and risk assessment, the next stage will be to put in place a written agreement to outline the outsourcing arrangements. Where there is a master service agreement that allows (re)insurers to add or remove certain services, each outsourced service should be appropriately documented, although not necessarily in a separate agreement. (Re)insurers will need to ensure written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Regardless of materiality, (re)insurers should ensure that outsourcing agreements do not impede or limit the PRA’s ability to effectively supervise the firm or outsourced activity, function, or service.
Material outsourcing agreements between the (re)insurer and the service provider should set out:
- a clear description of the outsourced function, including the type of support services to be provided;
- the start date, next renewal date, end date, and notice periods regarding termination for the service provider and the (re)insurer;
- the governing law of the agreement;
- the parties’ financial obligations;
- whether the sub-outsourcing of a material function or part thereof is permitted and, if so, under which conditions;
- the location(s) where the service will be provided, and/or where relevant data will be kept, processed, or transferred, including the possible storage location;
- provisions regarding the accessibility, availability, integrity, confidentiality, privacy, and safety of relevant data;
- the right of the firm to monitor the service provider’s performance on an ongoing basis (this may be by reference to KPIs);
- the agreed service levels, which should include qualitative and quantitative performance criteria and allow for timely monitoring, so that appropriate corrective action can be taken if these service levels are not met;
- the reporting obligations of the service provider to the firm, including a requirement to notify the firm of any development that may have a material or adverse impact on the service provider’s ability to effectively perform the material function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements;
- insurance cover requirements for the service provider;
- the requirements for both parties to implement and test business continuity plans (impact tolerances and important business services must be considered under Operational Resilience);
- provisions to ensure that data owned by the firm can be accessed promptly in the case of the insolvency, resolution, or discontinuation of business operations of the service provider;
- the obligation of the service provider to co-operate with the PRA and the Bank, as resolution authority, including persons appointed to act on their behalf;
- termination rights and exit strategies covering both stressed and non-stressed scenarios.
Oversight
Once the written agreement is in place, the focus moves to using the service provider. When using the service provider, a key area of focus is data. ‘Data’ includes firm-sensitive and transactional data. It may also cover open-source data (e.g., from social media) collected, analysed, and transferred for the purposes of providing financial services, as well as the systems used to process, transfer, or store data.
Where a material outsourcing or third-party agreement involves the transfer of or access to data, the PRA expects (re)insurers to:
- classify relevant data based on its confidentiality and sensitivity;
- identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
- agree an appropriate level of data availability, confidentiality, and integrity; and
- if appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.
While the PRA does not prescribe a specific taxonomy for data classification, it expects (re)insurers to implement appropriate, risk-based technical and organisational measures to protect different classes of data (e.g., confidential, client, personal, sensitive, transaction). As part of their due diligence and risk assessment in the pre-outsourcing phase, (re)insurers should identify whether their data could be processed in any jurisdictions that are outside their risk tolerance and, if so, bring this to the attention of the third party when negotiating the contractual arrangement in order to discuss adequate data protection and risk mitigation measures.
The PRA expects (re)insurers to implement robust controls for data-in-transit, data-in-memory, and data-at-rest. Depending on the materiality and risk of the arrangement, these controls may include a range of preventative and detective measures, including but not necessarily limited to:
- configuration management;
- encryption and key management;
- identity and access management, which should include stricter controls for individuals whose role can create a higher risk in the event of unauthorised access, (e.g., systems administrators);
- the ongoing monitoring of ‘insider threats’, (i.e., employees at the firm and at the third party who may misuse their legitimate access to firm data for unauthorised purposes maliciously or inadvertently).
(Re)insurers will need to be clear on how data integrity and data security will be maintained. This should be covered in the written agreement and should be closely monitored by (re)insurers on an ongoing basis. One of the aims of SS2/21 was to ‘facilitate greater resilience and adoption of the cloud and other new technologies’ as set out in the Bank of England’s response to the ‘Future of Finance’ report.
The (re)insurer is responsible for what’s in the cloud and the cloud service provider is responsible for the provision of the cloud. Under this shared responsibility model:
- (re)insurers remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations and for adopting a risk-based approach to the location of data;
- (re)insurers remain responsible for the configuration and monitoring of their data in the cloud to reduce security and compliance incidents;
- cloud service providers assume responsibility for the infrastructure running the outsourced service, e.g., data centres, hardware, software, etc.; and
- (re)insurers and service providers share other responsibilities depending on the service model, e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), etc.
Sub-Outsourcing
The PRA expects (re)insurers to assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that (re)insurers have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers. The PRA expects (re)insurers to pay particular attention to the potential impact of large, complex sub-outsourcing chains on their operational resilience, including their ability to remain within impact tolerances during operational disruption. (Re)insurers should also consider whether extensive sub-outsourcing could compromise their ability to oversee and monitor an outsourcing arrangement.
(Re)insurers should only agree to material sub-outsourcing if:
- the sub-outsourcing will not give rise to undue operational risk for the firm; and
- the sub-outsourced service providers undertake to:
  - comply with all applicable laws, regulatory requirements, and contractual obligations; and
  - grant the firm and the PRA access to audit.
(Re)insurers should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies. If the proposed material sub-outsourcing could have significant adverse effects on a material outsourcing arrangement or would lead to a substantive increase of risk, the (re)insurer should exercise its right to object to the material sub-outsourcing and/or terminate the contract.
Business Continuity and Exit Plans
For each material outsourcing arrangement, the PRA expects (re)insurers to develop, maintain, and test a:
- business continuity plan; and
- documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:
  - in stressed circumstances, e.g., following the failure or insolvency of the service provider (stressed exit); and
  - through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).
The PRA’s primary focus when it comes to business continuity plans and exit strategies is on the ability of (re)insurers to deliver important business services provided or supported by third parties in line with their impact tolerances in the event of disruption. (Re)insurers should implement and require service providers in material outsourcing arrangements to implement appropriate business continuity plans to anticipate, withstand, respond to, and recover from severe but plausible operational disruption.
(Re)insurers should begin to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase once they have determined that a planned outsourcing arrangement is material. Doing so will enable them to:
- use the due diligence process to identify potential alternative or back-up service providers;
- estimate the cost, resourcing, and timing implications of the proposed business continuity or exit plan in both stressed and non-stressed scenarios as part of the risk assessment;
- identify data they may need to access, recover, or transfer as a priority in a disruption or stressed exit; and
- define the key KPIs and key risk indicators which, if breached, may trigger an exit (both stressed and non-stressed).
(Re)insurers should assign clear roles and responsibilities for business continuity and exit plans. Subject to proportionality, they may establish cross-disciplinary teams to develop, document, test, and execute their business continuity and exit plans, especially in stressed scenarios.
Conclusion
We have focused heavily on the PRA requirements for (re)insurers when entering, monitoring, and leaving an outsourced or third-party arrangement. The PRA have been prescriptive on what they want; (re)insurers need to determine their in-house assessment of materiality and ensure that they have everything they need in place to meet the PRA requirements.
As we set out at the beginning of this article, one of the aims of SS2/21 is to complement the PRA requirements and expectations on Operational Resilience (SS1/21). When a (re)insurer is considering an outsourcing or third-party arrangement, the due diligence (including an assessment of materiality) will need to cover the possible effects the outsourced activity could have on operational resilience. An outsourced activity that meets the definition of ‘Material Outsourcing’ is more likely to have a damaging effect on the (re)insurer if it is not carried out as required. (Re)insurers will need to be mindful of this – the PRA considers outsourcing and third-party management as a key element of the wider Operational Resilience piece. (Re)insurers will need to ensure they have undertaken the appropriate due diligence on their service providers before entering into an arrangement and maintain oversight of their performance throughout the duration of the arrangement. The oversight will need to include regular reporting (MI) from the service provider to the (re)insurer to ensure the arrangement is working as intended.
By the 31st March 2022, contracts between (re)insurers and service providers that were entered into after 31st March 2021 must meet the new requirements set out in this article. (Re)insurers should seek to review and update legacy outsourcing agreements entered into before Wednesday 31st March 2021 at the first appropriate contractual renewal or revision point, so as to meet the expectations of the PRA as soon as possible on or after Thursday 31st March 2022. For (re)insurers whose business model supports the use of a large number of outsourced providers, upgrading their governance of outsourced providers will be a big task. (Re)insurers should focus first on the outsourcing arrangements that were entered into after the 31st March 2021, as the PRA expect them to be the first to meet the new requirements. Once this has been completed, (re)insurers will need to allocate further resource to legacy contracts, which will need to meet the new requirements when they are renewed after 31st March 2022. The process of upgrading the contracts will require stakeholders from vendor management, the business, legal and compliance to ensure the contracts reflect the new PRA requirements.
Further work is also expected in relation to outsourcing, with the PRA planning to consult during 2022 on setting up an online outsourcing register that dual-regulated (re)insurers would need to populate with information on their outsourcing and third-party arrangements. The Bank of England, PRA, and FCA also plan to publish a joint Discussion Paper in 2022 to inform potential future regulatory proposals in relation to critical third-party service providers, in light of (re)insurers’ increasing reliance on such entities. It is clear that this is an area that the UK regulators want to focus on, so we expect further changes in due course.
If you have any questions about the way your firm should be managing outsourcing and third-party agreements, please do contact any member of the team in complete confidence.