New Workshop for Insurance Firms: Outsourcing & Third-party Risk Management

Outsourcing agreements

• All outsourcing arrangements must be set out in a written agreement
• Under a Master Service Agreement (MSA), each outsourced service should be appropriately documented
• Written agreements for non-material arrangements should still include contractual safeguards to manage risks, whilst allowing the PRA appropriate access to supervise both the firm and function

Data security

• classify relevant data based on their confidentiality and sensitivity;
• identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
• agree on an appropriate level of data availability, confidentiality, and integrity; and
• if appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.

Sub-outsourcing

• Firms must assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that firms have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers.
• Firms should assess whether sub-outsourcing is materially important, which includes the potential impact on the firm’s operational resilience and the provision of important business services.
• Firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies.

Business continuity & exit plans

For each material outsourcing arrangement, firms should develop, maintain, and test a business continuity plan and documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:

• in stressed circumstances, (e.g., following the failure or insolvency of the service provider (stressed exit)); and
• through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).

Access, audit and information rights

• Firms must take reasonable steps to ensure that written agreements for material outsourcing arrangements provide them, their auditors, the PRA, the BoE, and any other person appointed by firms or the Bank and PRA, with full access and unrestricted rights for audit.
• Firms must exercise their access, audit, and information rights in respect of material outsourcing arrangements in an outcomes-focused way, to assess whether the service provider is providing the relevant service effectively and in compliance with the firm’s legal and regulatory obligations and expectations, including as regards operational resilience.

Proportionality

• Firms should meet the PRA’s expectations in a manner appropriate to their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function.
• Proportionality and materiality can change over time and firms should reassess both as appropriate.
• Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group and should not be treated as being inherently less risky.