Outsourcing and Third Party Risk Management – the PRA's Supervisory Statements
After a period of some anticipation, the PRA has this week issued two new Supervisory Statements and associated policy statements, the first on Operational Resilience and the second on Outsourcing. The two Supervisory Statements are closely connected, and will both impose new obligations upon insurers and banks whilst also bringing the requirements of the EBA Guidelines on Outsourcing into effect for the purposes of the UK’s post-Brexit regulatory regime.
The Statements are detailed, and are accompanied by the PRA’s explanations as to how they reflected on the inputs of various market participants following a lengthy consultation process. Whilst many of the obligations imposed have been well signposted and/or are closely correlated to the obligations previously imposed by the EBA in any event, there are new requirements (particularly in relation to the identification of “severe but plausible” risk scenarios associated with important business services, for the purposes of the operational resilience assessment) and there are some detailed – and one assumes deliberate – deviations from the EBA requirements vis-à-vis the outsourcing provisions.
Banks, insurers and the organisations who provide services to them will all need to carefully consider the implications of these new Supervisory Statements, and plan how they are to comply with them.