In March this year, the FCA and PRA issued their finalised policies on operational resilience, outsourcing and third party risk management (our earlier post provides an introduction to these). With the one year implementation period now in full flight (it runs from 31 March 2021 until 31 March 2022), this post provides a reminder of the policy objectives, key dates and goals that firms should be working towards.
The policy objectives are effectively for firms to increase their resilience through an increased understanding of their own business and supply chains, and also by meeting new regulatory outsourcing requirements (these will differ depending on whether the firm is FCA regulated or dual regulated, i.e. also regulated by the PRA). To this end, key dates and goals that firms need to have in their diaries are as follows:
- By 31 March 2022 firms must have done the following:
  - For operational resilience: Mapped their important business services, set impact tolerances and identified vulnerabilities.
  - For outsourcings (including intra-group outsourcings): Met their relevant new outsourcing requirements (EBA guidelines on outsourcing or FG16/5 for FCA-regulated firms, SS2/21 for PRA-regulated firms and both for dual-regulated firms). The date of 31 March 2022 is an extension to the original December 2021 EBA deadline and its status depends on the regulator. It is a hard deadline for PRA-regulated outsourcings entered into on or after 31 March 2021 but a softer deadline for “legacy” outsourcings (which must be remediated as soon as possible, at the first appropriate contractual renewal or revision point). The FCA takes a different approach and expects firms to inform it of all critical or important outsourcings which remain non-remediated by that date.
  - For non-outsourcing third party arrangements: Applied the new outsourcing requirements as proportionate to the materiality and risk of the engagement (potentially bringing new contracts into the scope of firms’ in-flight EBA remediation programmes). Whilst there is greater emphasis on the management of non-outsourcing third party service providers in the PRA’s policy, it would seem sensible for firms that are only FCA regulated to also apply their relevant outsourcing requirements as proportionate, in order to meet the FCA’s wider rules and guidance on governance, risk management, systems and controls (especially given the joined-up approach taken by the FCA and PRA on their respective policies).
- By 31 March 2025 firms must be able to remain within the impact tolerances they have set for each important business service.
Whilst carrying out the above activities, firms will need to remain mindful of the relationship between operational resilience, outsourcings and third party risk management. For example, when mapping important business services, firms will also need to map the technology (including third party and outsourced technology) that delivers these and address vulnerabilities in that context. This may include taking into account other materials such as the van Steenis Future of Finance report and the Bank of England’s response to it (e.g. cloud adoption can reduce a firm’s costs whilst increasing security and flexibility, but it brings concentration risk and a lack of substitutability).
Key roles for legal teams will include ensuring the timely remediation of existing contracts and precedents in line with the new outsourcing requirements, applying them to new contracts and providing input on operational resilience activities.
We have a range of great people and talented lawyers both here in the UK and the US who all share a common interest in this field. To find out more about how we can use our extensive experience in this area to help you fulfil your plans, please get in touch.