Outsourcing and third party risk management part of the Code of Practice

ID 21770

The PRA has published the Outsourcing and third party risk management part of the Code of Practice for RPSOs and SSPs. It applies to all firms operating in the UK, unless a firm is located in a third country whose regulatory authority's rules and regulations for the supervision of RPSOs or SSPs the Bank of England has determined to be equivalent.
The Code sets out requirements that RPSOs and SSPs must meet both before concluding an outsourcing arrangement and after such an agreement is in place. The key obligations are briefly noted below:
(1) Governance requirements, including the obligation of the Board to "approve, implement and regularly review a written outsourcing and third party risk management policy" and to keep records of all outsourcing arrangements;
(2) Pre-outsourcing obligations, including identifying the criticality of the service, carrying out due diligence on the outsourcing provider (screening of its capabilities), and notifying the Bank of England in advance of new outsourcing arrangements;
(3) Outsourcing agreement obligations, such as the requirement to conclude agreements in written form only, to include provisions allowing audits of the third party service provider, and to include provisions requiring the service provider to obtain approval from the RPSO and SSP before concluding any sub-outsourcing arrangements;
(4) Data security obligations, including the requirement to "establish, implement and maintain appropriate measures" to safeguard transferred data or access to transferred data, and to require the third party service provider to implement robust oversight and control measures in this context; and
(5) Business continuity and exit plan requirements, including the obligation to establish, maintain, test and, if necessary, revise a business continuity plan, and the obligation to maintain an exit strategy that covers both an orderly exit and an exit under "stressed conditions".

The new Code will come into force on February 9, 2024.

Other Features
assessment
auditing
banks
compliance
cyber security
data protection
due diligence
financial stability
governance
outsourcing
payment services
process
re-outsourcing
reporting
risk
risk management
Date Published: 2023-02-08
Date Taking Effect: 2024-02-09
Regulatory Framework: Banking Act 2009
Regulatory Type: procedure
