PRA published the policy statement PS7/21 that sets out the final supervisory statement SS2/21 on outsourcing and third-party risk management. Firms will be expected to comply with the expectations in SS2/21 by March 31, 2022. PS7/21 also contains feedback to responses to the consultation paper CP30/19, which was published in December 2019 and had set out proposals to modernize the regulatory framework on outsourcing and third-party risk management. PRA revised the policy in SS2/21 based on responses received to CP30/19; the revisions relate to the text on definition of outsourcing, proportionality, governance and record-keeping, pre-outsourcing phase, outsourcing agreements, data security, and business continuity and exit plans.
SS2/21 elaborates on the definition of outsourcing in the PRA Rulebook. It notes that there are arrangements between firms and third parties that fall outside this definition and are, consequently, outside the scope of the existing requirements on outsourcing and some of the detailed expectations in SS2/21. However, these third-party arrangements are still subject to the PRA Fundamental Rules and other PRA requirements and expectations on business continuity, governance, operational resilience, and risk management. SS2/21 clarifies the application of the principle of proportionality to intragroup outsourcing and to "non-significant firms." SS2/21 further sets out the expectations on governance, including under the Senior Managers and Certification Regime (SM&CR), and record keeping. SS2/21 also sets out expectations for firms during the pre-outsourcing phase and aims to:
- Complement the requirements and expectations on operational resilience, as set out in the PRA Rulebook, SS1/21, and statement of policy on operational resilience
- Facilitate greater resilience and adoption of the cloud and other new technologies, as set out in the response of BoE to the "Future of Finance" report
- Implement the EBA guidelines on outsourcing arrangements and clarify how PRA expects banks to approach the EBA Outsourcing Guidelines in the context of its requirements and expectations
- Implement the relevant sections of the EBA guidelines on information and communication technology and security risk management
Outsourcing arrangements entered into on or after March 31, 2021 should meet the expectations in SS2/21 by March 31, 2022. Firms should seek to review and update legacy outsourcing agreements entered into before March 31, 2021 at the first appropriate contractual renewal or revision point to meet the expectations in SS2/21 as soon as possible on or after March 31, 2022. SS7/21 is relevant to banks, building societies, and PRA-designated investment firms, insurance and reinsurance firms, groups in scope of Solvency II, including the Society of Lloyd’s and managing agents, and branches of overseas banks and insurers. Some content in SS2/21 is also relevant to credit unions and non-directive firms. The policy set out in PS7/21 has been designed in the context of the UK having left EU and the transition period having come to an end. Unless otherwise stated, any references to EU or EU-derived legislation refer to the version of the legislation that forms part of the retained EU law. PRA will keep the policy under review to assess whether any changes would be required due to changes in the UK regulatory framework.
Effective Date: March 31, 2022
Keywords: Europe, UK, Banking, Insurance, Proportionality, Operational Resilience, Third-Party Arrangements, Operational Risk, Outsourcing Risk, PRA
The Prudential Regulation Authority (PRA) published the final policy statement PS21/21 on the leverage ratio framework in the UK. PS21/21, which sets out the final policy of both the Financial Policy Committee (FPC) and PRA
The Consumer Financial Protection Bureau (CFPB) proposed to amend Regulation B to implement changes to the Equal Credit Opportunity Act (ECOA) under Section 1071 of the Dodd-Frank Act.
The Prudential Regulation Authority (PRA) decided to maintain, at the 2019 levels, the buffer rates for the Other Systemically Important Institutions (O-SII) for another year, with no new rates to be set until December 2023.
The Financial Stability Board (FSB) published a progress report on implementation of its high-level recommendations for the regulation, supervision, and oversight of global stablecoin arrangements.
In a letter to the authorized deposit taking institutions, the Australian Prudential Regulation Authority (APRA) announced an increase in the minimum interest rate buffer it expects banks to use when assessing the serviceability of home loan applications.
The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) are consulting on the preliminary guidance that clarifies that stablecoin arrangements should observe international standards for payment, clearing, and settlement systems.
The European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) have set out their respective work priorities for 2022.
The Malta Financial Services Authority (MFSA) updated the guidelines on supervisory reporting requirements under the reporting framework 3.0, in addition to the reporting module on leverage under the common reporting (COREP) framework.
The European Commission (EC) published the Implementing Decision 2021/1753 on the equivalence of supervisory and regulatory requirements of certain third countries and territories for the purposes of the treatment of exposures, in accordance with the Capital Requirements Regulation or CRR (575/2013).
EC published the Implementing Regulation 2021/1751, which lays down implementing technical standards on uniform formats and templates for notification of determination of the impracticability of including contractual recognition of write-down and conversion powers.