"Firms should review their existing outsourcing arrangements and assess where any of those outsourced services would fall within scope of ‘important business services’."
Following the publication of the new rules by the FCA and PRA (in conjunction with the Bank of England) governing how regulated financial services businesses should manage their operational resilience, firms should be reviewing their business practices and identifying the areas in which they currently fall short. Outsourcings are very relevant to this analysis, not least because businesses generally have less oversight of the services being outsourced than of the services they operate in-house. Whether despite or because of this, operational resilience on the one hand and outsourcing and third-party risk management on the other overlap significantly, with the PRA in particular expressly linking its policy and supervisory statements on both.
We have therefore included below some of the key points that firms should consider when reviewing their outsourcing agreements from an operational resilience perspective in preparation for the impending 31 March 2022 deadline for identifying important business services. For a recap of the structure and key features of the new operational resilience rules generally, read our previous article on Financial Reporter here.
What are the requirements on regulated firms?
Firms are required to assess their important business services and set impact tolerances to mitigate against possible disruptive future events. The fact that important business services may be outsourced to third parties does not change the obligations on, or the fact that responsibility ultimately rests with, regulated firms. Instead, firms will be required to undertake the arguably more difficult task of conducting the same analysis for important business services that are outsourced, factoring in the additional risks present due to the fact that a third party is providing the service.
This may be challenging not simply because of the information mismatch between the parties, but also because outsourcing in the regulated space can raise more systemic risks that firms will need to consider (for example, if the outsourced service provider is supplying a large number of regulated firms with the same or similar services).
Firms will therefore need to review the areas where potential important business services have been outsourced, and should assess the operational risks associated with those services and how well-placed the third-party providers are to manage those risks so that providers remain within the firm’s impact tolerances.
Additionally, outsourcing a new or existing service to a third-party service provider also triggers the requirement to review important business services (which would otherwise be required once a year), meaning that firms must monitor their outsourcing arrangements on an ongoing basis to ensure their operational resilience obligations continue to be met.
It should be noted that firms also have separate (contractual and wider) obligations relating to outsourcing and managing third-party risk that should also be considered, and where outsourced services relate specifically to important business services, both the outsourcing and operational resilience frameworks will apply.
What are some key operational risks relating to outsourced services?
• Technological complexity: Understanding the ins and outs of cloud storage, service delivery platforms or cyber controls (just by way of example) isn’t within everyone’s expertise. A lack of skilled resources can render it difficult for firms to adequately evaluate the performance of, and risks to, third-party providers and themselves as customers. Regardless, firms will need to be across the aspects of their business which are particularly at risk from a technological perspective and identify any deficiencies in their service providers’ ability to mitigate those risks.
• Concentration risk: In some areas of technology outsourcing, particularly in the cloud-based services market, there may only be a handful of large, unregulated service providers that provide services to many regulated firms. Arrangements of this type can lead to greater systemic risk: a single service provider suffering operational disruption can affect a large number of client firms at once. Substitutability is also important in this regard, as systemic risk only increases if firms cannot easily change service providers.
• Bargaining power: Smaller financial services firms may struggle to negotiate the provisions within their outsourcing contracts that would give them the rights they need to properly assess the effectiveness of their service providers from an operational resilience perspective and meet their own obligations. Additionally, large third-party service providers may be slow to respond to information requests or wholly unwilling to cooperate, leaving firms further in the dark about their service provider’s systems and controls for managing operational risk.
• Sub-outsourcing: Where service providers sub-outsource aspects of their services, this can further reduce the visibility and oversight that regulated firms have over their outsourced services. This is particularly significant if firms lack the contractual protections in their agreements to manage the sub-outsourcing process. Where firms struggle to monitor these arrangements effectively, their operational risk increases.
As highlighted, where third-party service providers fail to effectively manage a disruptive event and keep within the recipient firm’s impact tolerances, the recipient firm itself remains ultimately accountable.
How can firms manage these risks effectively?
• Bolstering negotiation: Identifying important business services and understanding what a firm’s appropriate tolerances for disruption are can help to level the playing field when it comes to negotiating the necessary safeguards in outsourcing contracts. What may previously have been business continuity issues are now regulatory issues and firms can highlight these obligations and the measures they require of service providers to provide additional weight to their reasoning for requesting safeguard provisions. Examples of safeguards include adequate termination rights, information reporting and notification obligations and step-in rights or remediation procedures. Over time, service providers will also become more accustomed to the operational risk requirements of their clients, particularly in concentrated markets, so that standardised operational safeguards become commonplace. There will be a competitive advantage for those vendors that readily accommodate their regulated customers’ requests off the bat (in a standardised way which reflects their own business model/risk approach of course).
• Pooled audits: Where firms share a common service provider, they may be able to undertake audits in collaboration with other firms. This can be done by auditing premises at the same time or through an appointed third-party auditor (as has historically been the approach in relation to Sarbanes-Oxley compliance or security assessments of shared data centres). This allows firms to use audit resources more efficiently and decreases the organisational burden on both the clients and the service provider. For the financial services sector as a whole, pooled audits may also assist in the dissemination of best industry practice in relation to audit methods, promoting effective governance more generally. However, firms must ensure that the relevant ‘auditor’ on which they wish to rely has appropriate and relevant skills and knowledge to perform the audits effectively, and that the scope and content of the audit sufficiently cover the systems and controls relevant to that particular firm.
• Sub-outsourcing: Firms should ensure that they have specific contractual protections in relation to their service provider’s ability to sub-outsource any important services, requiring service providers to effectively monitor and control any lower-tier sub-contractors. Firms should also retain a right to object to any material sub-outsourcing where they consider that their impact tolerances will not be maintained, and adequate termination rights should risks materialise.
Firms will also likely need to work more closely with third-party service providers than previously to ensure that they can conduct mapping, testing and lessons-learnt exercises effectively.
What should firms do next?
In light of the need to identify important business services, set impact tolerances, conduct mapping and testing and develop communications plans by 31 March 2022, firms should review their existing outsourcing arrangements and assess where any of those outsourced services would fall within scope of ‘important business services’. Firms should assess the maximum tolerable disruption in relation to these services, whether service providers have in place adequate systems and controls to continue service delivery in the event of disruption, and the adequacy of any existing contractual safeguards.
Firms should also consider whether they intend to outsource any new services, so that these can be captured within the analysis above, and whether doing so will trigger an additional review.