The Prudential Regulation Authority (PRA) of the Bank of England has issued a new Supervisory Statement addressed to central securities depositories (CSDs) setting out the PRA's expectations concerning "outsourcing and third party risk management".
The statement thereby sets out expectations in the following areas, among others:
– Governance, oversight and documentation, which includes, among other aspects, the documentation and continuous recording of existing outsourcing arrangements and the assignment of responsibilities among Board members and "regular" staff;
– Pre-outsourcing analysis and due diligence, which pertains to the careful selection of a service provider and an analysis of the risks involved in a possible outsourcing arrangement (e.g. concentration risk, operational risk);
– Key contractual elements, which are those terms and provisions that must be an integral part of the outsourcing service agreement;
– Information security, which includes the development of policies with respect to data classification (e.g. critical / non-critical) and data location, and the monitoring of compliance; and
– Exit strategies, pertaining to the development of policies that enable a firm to terminate the outsourcing arrangement without material business interruption.
The Supervisory Statement also covers access and audit issues, such as the need to have the cloud service audited and reported on on a regular basis, and notification requirements in case the outsourcing service provider supplements material business functions of the firm. Finally, a paragraph is dedicated to the issue of "sub-outsourcing", to ensure that firms include specific dos and don'ts in their outsourcing agreements regarding sub-outsourcing and the monitoring of such arrangements.