A Guide to TPRM Regulation (Part 2) Contracting & Onboarding


In the last edition, ‘A Guide to TPRM Regulation: Part 1’, I discussed how organisations are relying more and more on third-party providers to transform their businesses and gain a competitive advantage in their respective industries, which gives rise to a variety of financial and non-financial risks.

I also provided an overview of the regulatory requirements that organisations need to keep in mind when planning, evaluating and selecting a third-party supplier.

Continuing this theme, in Part 2 of the series I will provide a broad overview of the regulations that apply to the Contracting and Onboarding phase of the third-party life cycle, and set out the key actions that organisations need to take to achieve compliance with them.

Regulation Summary: Contracting and Onboarding

During the contracting and onboarding phase, the PRA and FCA require firms:

  • To have a written agreement in place for material outsourcing and non-outsourcing arrangements, and to include the relevant clauses needed to manage and monitor risks comprehensively.

  • To ensure that the respective rights and obligations of the firm and of the service provider are clearly allocated and set out in a written agreement under a shared responsibility model.

  • To subject intragroup outsourcing to the same requirements and expectations as outsourcing to service providers outside the firm’s group, and not to treat it as inherently less risky. The firm may also consider the extent to which it is able to influence the service provider’s actions where the service provider is a member of the same group.

  • To be able to terminate an outsourcing arrangement where necessary without detriment to the continuity and quality of its provision of services.

  • To ensure that contractual agreements do not impede or limit the regulator’s ability to supervise the firm’s outsourcing arrangements, functions or services and, where required, that the firm makes available on request all information necessary to enable supervision of compliance of the outsourced activity.

  • Where a material outsourcer or third party is unable or unwilling to include certain terms in the agreement that reflect the firm’s obligations, to make the PRA aware of this.

  • To revisit contracts for third parties to meet operational resilience requirements such as including impact tolerances for important business services.

  • To include conditions enabling the regulators to assess the effectiveness of service providers’ business continuity plans.

Timeline expectations from the regulators

  • 31 March 2022: compliance with the expectations in this SS.
  • Outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations in this SS by 31 March 2022.
  • Firms should seek to review and update legacy outsourcing agreements entered into before Wednesday 31 March 2021 at the first appropriate contractual renewal or revision point, so that they meet the expectations in this SS as soon as possible on or after Thursday 31 March 2022.

Key actions for firms to take:

  • Establish processes to feed due diligence and risk assessment results into contractual clauses, and create a tailored service agreement including service standards, breach notifications, operational resilience requirements (BCP, ITDR, impact tolerances), notifications, audit rights etc.
  • Define governance and oversight standards, with specified roles and responsibilities.
  • Develop, and agree with third parties, critical and non-critical service levels, including risk thresholds and key performance, risk and control indicators.
  • Build a template or a checklist to ensure regulatory compliance for material contracts (both third-party and intra-group).
  • Develop a contract framework for material non-outsourced third parties to achieve contractual controls equivalent to those that apply to material outsourced third parties.
  • Review, identify and ensure legacy material outsourcing contracts include SS2/21 requirements.
  • Ensure material outsourcing arrangements post-March 2021 incorporate the SS2/21 requirements.
  • Establish a process to notify the regulators when a material outsourced party is unwilling to agree to meet the regulatory requirements.

Firms also need to ensure that they have the following in place prior to onboarding, if they do not already:

  • A comprehensive inventory of identified third and fourth parties.
  • Documented exit plan(s).

How can FourthLine help

FourthLine’s team of third-party risk management specialists can support your firm across all stages of the third-party lifecycle, including the alignment of regulatory requirements and integration with BCM and resilience frameworks.


Topics: Investment & Asset Management, Insurance Sector, Retail Finance

October 25, 2022

Written by Hussain Hidari

Hussain has over 8 years of experience in risk management. This includes one and a half years in IT Risk in the insurance sector and 7 years in retail banking, in areas including Supplier Management, Operational Risk, Service Delivery and IT Governance. His areas of expertise include IT Risk and Governance, Operational Risk and Third-Party Risk Management.