
09 February 2023
UK
Reporter Bob Currie






BoE issues guidance on outsourcing and third-party risk management for CCPs

The Bank of England has released a supervisory statement on outsourcing and third-party risk management for UK central counterparties.

This provides guidance on how the Bank of England (BoE) requires clearing houses to fulfil their regulatory requirements, building on the risk guidance provided in the Principles for Financial Market Infrastructures (PFMI) and the UK implementation of the European Market Infrastructure Regulation (EMIR).

These requirements also reinforce the ‘Bank of England policy on Operational Resilience of FMIs’ published in March 2021.

CCPs are given 12 months from today to be compliant with the requirements in the SS.

This will apply to existing outsourcing arrangements, which must be reviewed and updated by 9 February, and to any new outsourcing contracts which must be compliant by the same date.

The content of the supervisory statement (SS) provides few surprises and broadly aligns with accepted industry best practice in providing oversight of outsourcing arrangements and other third-party service provision, along with principles specified in the Prudential Regulatory Authority SS2/21, “Outsourcing and Third-party Risk Management”.

The BoE requires CCPs to evaluate the risks presented by all third-party arrangements, regardless of whether they fall within its specified definition of outsourcing.

“CCPs, as risk managers, should apply adequate governance, risk management and controls to manage the risks arising from all their third-party arrangements that could pose a threat to the safety and efficiency of clearing services thereby impacting financial stability,” says the BoE.

The Bank reflects on situations where a CCP relies on the services of “critical third parties” — those service providers where the continuous, secure and efficient delivery of their services to CCPs is critical to the operation of the CCP — and requires that the CCP implement proportionate, risk-based suitable controls to ensure resilience and continuity.

The BoE's expectations pertain to services that are outsourced to external providers and to those supplied by other divisions within the firm.

“Intragroup outsourcing is not inherently less risky than outsourcing to third parties outside a CCP’s group and is subject to the same requirements,” it says. “CCPs should have due regard to the level of control and influence over the entity that is providing the outsourced service and comply with the expectations in the SS in a proportionate manner.”

The SS lays down guidance for due diligence on service providers and for other requirements during the pre-outsourcing phase. It also defines requirements for record keeping and risk audits. The BoE requires written agreements to be in place for all critical outsourcing arrangements, particularly in the areas of data security, business continuity and exit strategies, use of sub-outsourcing arrangements, along with access, audit and information rights.

As part of ensuring effective governance of an outsourcing arrangement, the Bank expects CCPs to define, document, and understand their own responsibilities and those of third parties. In the case of cloud computing, the term commonly used to help CCPs and cloud providers understand their respective obligations is the ‘shared responsibility model’.

“CCPs act as risk managers and should therefore understand the nature and scope of outsourcing among their participants, including how the use of new technologies, such as the cloud, may introduce new, or increase existing, systemic risks,” says the supervisory statement.

More broadly, the BoE requires CCPs to identify their important business services and to document the people, processes, technology, facilities, and information required to deliver each of these services, including any reliance placed on supply chains or sub-outsourcing arrangements.

The CCP must set an “impact tolerance” for each important business service, setting this at a level where any further disruption would pose a “significant impact” to the CCP's users and the market it services.

“CCPs must take all reasonable actions to ensure it remains within its impact tolerance for each important business service in the event of an extreme but plausible disruption to its operations,” says the BoE.
