The Prudential Regulation Authority (PRA) of the Bank of England has issued a new Supervisory Statement addressed to recognised payment system operators (RPSOs) and specified service providers (SSPs), setting out the PRA's expectations on "outsourcing and third party risk management".
The statement sets out expectations in the following areas, among others:
– Governance, oversight and documentation, which includes, among other aspects, documenting and keeping an up-to-date record of existing outsourcing arrangements and assigning responsibilities between Board members and other staff;
– Pre-outsourcing analysis and due diligence, which covers, among other things, identifying the criticality of a planned outsourcing arrangement and analysing the risks it would involve (e.g. concentration risk, operational risk);
– Key contractual elements, i.e. the terms and provisions that must form an integral part of the outsourcing service agreement. Which elements are required depends strongly on the criticality of the service provided by the third party service provider, as outlined in the Supervisory Statement;
– Information security, which includes developing policies on data classification (e.g. critical / non-critical) and data location, and monitoring compliance with those policies;
– Exit strategies, i.e. policies that enable a firm to terminate an outsourcing arrangement without material business interruption, whether in an orderly, planned manner or, where the third party service provider fails to perform, at short notice.
The Supervisory Statement also covers access and audit issues, such as the need to have the cloud service audited and reported on regularly (and, naturally, to include corresponding provisions in the outsourcing agreement), as well as notification requirements where the outsourcing service provider supports material business functions of the firm. Finally, a paragraph is dedicated to "sub-outsourcing", to ensure that firms include specific dos and don'ts on sub-outsourcing in their outsourcing agreements and monitor compliance with them.