In the previous instalment, ‘A Guide to TPRM Regulation: Part 1’, I discussed how organisations are relying more and more on third-party providers to transform their businesses and gain a competitive advantage in their respective industries, and how this reliance gives rise to a variety of financial and non-financial risks.
I also provided an overview of the regulatory requirements that organisations need to keep in mind when Planning, Evaluating and Selecting a third-party supplier.
Continuing this theme, in part 2 of the series I will give a broad overview of the regulations that apply to the Contracting and Onboarding phase of the third-party life cycle and set out the key actions firms need to take to comply with them.
During the contracting and onboarding phase, the PRA and FCA require firms:
To have a written agreement in place for material outsourcing and non-outsourcing arrangements and to include relevant clauses to be able to manage and monitor risks comprehensively.
To ensure that the respective rights and obligations of the firm and of the service provider are clearly allocated and set out in a written agreement under a shared responsibility model.
To subject intragroup outsourcing to the same requirements and expectations as outsourcing to service providers outside the firm’s group, rather than treating it as inherently less risky. Where the service provider is a member of the same group, the firm may also consider the extent to which it is able to influence the provider’s actions.
To be able to terminate the outsourcing arrangement where necessary without detriment to the continuity and quality of its provision of services.
To ensure that contractual agreements do not impede or limit the regulators’ ability to supervise the firm’s outsourced functions or services and, where required, to make available on request all information necessary to supervise compliance in respect of the outsourced activity.
Where a material outsourcing provider or other third party is unable or unwilling to include in the agreement certain terms that reflect the firm’s regulatory obligations, to make the PRA aware of this.
To revisit third-party contracts so that they meet operational resilience requirements, such as reflecting the firm’s impact tolerances for important business services.
To include conditions enabling the regulators to assess the effectiveness of service providers’ business continuity plans.
Firms also need to ensure that the following are in place prior to onboarding, if they are not already:
FourthLine’s team of third-party risk management specialists can support your firm across all stages of the third-party lifecycle, including the alignment of regulatory requirements and integration with BCM and resilience frameworks.