BoE has published its outsourcing and third party risk management policy for Financial Market Infrastructures (FMIs). The policy is set out across the following policy statements and documents:
- Policy Statement
- Code of Practice
- Supervisory Statement: central counterparties
- Supervisory Statement: central securities depositories
- Supervisory Statement: recognised payment system operators and specified service providers
The policy aims to facilitate greater resilience and adoption of the cloud and other new technologies, as well as to set out BoE’s requirements and expectations of FMIs.
In the Policy Statement, BoE provides information on the feedback it received in response to the three Consultation Papers which covered Central Counterparties, Central Securities Depositories, Recognised Payment System Operators and Specified Service Providers.
The outsourcing and third party risk management part of the Code of Practice sets out the definitions and applications relevant to outsourcing by Recognised Payment System Operators and Specified Service Providers (subject to these being incorporated in the UK or falling within a domestic supervisory regime, or otherwise being able to discharge their statutory requirements and supervisory functions).
The three Supervisory Statements – on central counterparties, central securities depositories and recognised system operators and specified service providers explain BoE’s approach to outsourcing and risk management, including by:
- Elaborating on the definitions of ‘third party’ and ‘outsourcing’;
- Clarifying how the principle of proportionality applies to expectations;
- Setting out BoE’s expectations on governance and accountability, risk management and record keeping, as well as expectations for the pre-outsourcing phase; and
- Addressing the areas in which BoE expects a written agreement: data security; access, audit and information rights; sub-outsourcing; and business continuity and exit strategies.
The Supervisory Statements examine in more details BoE’s expectations relating to: the pre-outsourcing phase; outsourcing agreements; data security; audit and information rights; sub-outsourcing; and business continuity and exit plans.
FMIs will be expected to comply with the requirements in the respective statements by 9 February 2024.