Are You Ready for the PRA’s New Guidelines on Outsourcing and Third-Party Risk Management?

5 minute read

February 2022

The clock’s ticking. 

If you’re a financial services institution regulated by the Prudential Regulatory Authority, any third-party outsourcing agreements you enter into after 31 March 2022 — that’s less than two months away — will have to comply with their new outsourcing and third-party risk management guidelines. 

And you’ll have to revise agreements you already have in place to make them compliant at the ‘first appropriate contractual renewal or revision point‘. Even if that’s before the deadline. 

So what’s changing from 31 March? 

And what do you need to do to make sure you’re ready?

The PRA Outsourcing Guidelines: An Overview

The PRA’s guidelines make six key changes to the current outsourcing rules. 

They explain what outsourcing is… and isn’t

The guidelines say that while, as a rule, any arrangement where a third-party handles activities you’d otherwise do in-house is considered outsourcing, buying the following usually isn’t:

  • Hardware, software, and other tech products, including the design and build of on-premises platforms
  • ‘Off the shelf’ machine learning models, including training models and data libraries 
  • Insurance aggregators and delegated underwriting 
  • Cloud storage

That said, the PRA still expects the firms it regulates to assess such arrangements — usefully called ‘non-outsourcing third-party arrangements’ — for materiality.

They explain how you should assess ‘materiality’ 

Speaking of materiality, the guidelines set out a number of criteria you must take into account when assessing how much risk an outsourcing agreement poses to your firm, customers, and other stakeholders. 

These include the size and complexity of the outsourced activity, whether it’s connected to one of your regulated activities, and the potential impact should something go wrong, including how easily you could take the activity in-house.

They develop the rules around concentration risk

The current rules already require you to have measures in place to manage concentration risk: the risk of relying too heavily on a single supplier or small group of related suppliers. 

But the guidelines make it clear you should also take fourth-party dependencies — situations where suppliers aren’t connected but depend on the same subcontractor — into account. 

They make a list of clauses every outsourcing contract must include

Because outsourcing agreements can put firms, customers, and even the financial system at risk if they go awry, the PRA expects them to be airtight. To that end, the guidelines list a number of clauses your outsourcing agreement should have if the activity is ‘material’. 

ProcessUnity’s white paper, The PRA’s Outsourcing and Third-Party Risk Management Guidelines: Everything you need to know to prepare fo the changes ahead, walks you through these clauses in detail, so you can better understand their relevance to your firm.

They explain when you should notify the PRA

Is a supplier unable or unwilling to include certain terms required by the guidelines in your contract? You’ll need to tell the PRA. 

There’s also an obligation to notify the PRA:

  • Before you sign or ‘significantly change’ a material agreement
  • If you entered ‘critical or important’ outsourcing arrangements from 31 March 2021 onwards and they aren’t compliant by 31 March 2022

They set clearer — and fairer — expectations around compliance

You’ll be pleased to hear that, while every PRA-regulated firm has to comply with the guidelines, the proportionality principle applies. 

If you’re a systemically important institution, the PRA will hold you to a higher standard and your obligations will be more onerous than those of smaller firms carrying out less complex activities. 

Preparing For The PRA Guidelines: 4 Steps You Should Take If You’re In Scope

Rather than reinvent the wheel, the PRA’s guidelines build on current rules. So many of the issues they address will be familiar to most regulated firms.  

That said, because all ‘material’ outsourcing agreements must comply by 31 March 2022 — or, for agreements already in force, at the earliest available opportunity — you can’t afford to be complacent. 

Over the past few years, the PRA has fined firms millions of pounds for outsourcing failures. Which makes it likely they’ll take compliance with these guidelines very seriously. 

So what steps should you take to make sure you’re on top of things ahead of the deadline? 

Put a robust assessment process in place

You’ll need to assess materiality every time you negotiate a new outsourcing agreement or an existing one is up for renewal. So developing a robust process that works at scale is crucial. 

A well-defined, repeatable framework for assessing materiality will speed up approvals and help you make sure all your agreements are compliant.

Take steps to minimise risks

While functions can be outsourced, accountability can’t. Ultimately, your firm is responsible for outsourced activities. Which is why you need to conduct thorough due diligence and monitor vendors on an ongoing basis. 

ProcessUnity Vendor Risk Management makes this simple and effortless.

The platform is pre-loaded with template questionnaires you can start using straight away. Or, alternatively, you can import your custom criteria. Each vendor is assigned a risk score based on their answers, allowing you to see at a glance which vendors require more in-depth due diligence. 

You’ll also get access to extensive libraries of test procedures you can use for on-site assessments, and other tools for ongoing vendor monitoring. 

Have a Plan B

What will happen should an outsourcing arrangement go awry? Do you have a plan for bringing it back in house, or a provider who can take over?

The guidelines stress that fall-back plans should cover two key scenarios. One where issues like a major data breach make it impossible for the third-party provider to continue, and one where the agreement is terminated on notice, for example because you aren’t happy with the level of service. 

Automate what you can

From vendor selection to contract management, technology can help you stay in control of your outsourcing arrangements, with less effort. 

Case in point, alongside due diligence, risk assessments, and on-site testing, ProcessUnity Vendor Management can also: 

  • Create PRA-compliant contracts in just a few clicks 
  • Keep track of dates when contracts are up for review 
  • Handle other aspects of monitoring, including evaluating performance and documenting and tracking service issues or disagreements 

Find out more about how you can get compliant with the PRA’s guidelines in time for the 31 March 2022 deadline in ProcessUnity’s whitepaper: The PRA’s outsourcing and third-party risk management guidelines: everything you need to know.

The PRA Guidelines Are Coming Into Force 

Are you ready to comply?

With ProcessUnity Vendor Risk Management, you can streamline your firm’s outsourcing and third-party risk management, save time, and prove compliance on demand. 

Which means you can tackle the PRA’s new guidelines — and any other regulatory changes — with confidence. 

Want to find out more?

Book a free ProcessUnity Vendor Risk Management demo today

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.