BoE outlines supervisory approach to outsourcing

The BoE Supervisory Statement is part of a wider trend of regulators scrutinising third party risks.

The Bank of England (BoE) has released a supervisory statement outlining the regulatory obligations of central securities depositories (CSDs) in relation to outsourcing and third party risk management.

The statement applies to “all forms of outsourcing”, but the inclusion of specific material targeted at cloud outsourcing makes it clear that this is a key area of concern for the regulator.

Like other regulators, the BoE includes a special category for outsourcing arrangements that are deemed critical, in other words those whose disruption could impair or halt the operation of the CSD itself. The statement sets out criticality criteria that should be used to assess whether a specific outsourcing arrangement falls into that category.

The BoE is adamant that having outsourcing arrangements cannot mean that management or the Board can somehow sidestep their regulatory obligations. The statement seeks to ensure that an adequate level of control, risk management and, ultimately, accountability is exercised by the regulated entity itself in connection with any outsourcing, but particularly in connection with those outsourcing arrangements that are deemed critical.

Third party risk management

The statement includes some specific expectations of board engagement with third party risk management including:

  • Setting the risk appetite and tolerance;
  • Bearing responsibility for the effective management of all risks including:
    • Identifying which outsourcing arrangements are critical;
    • Understanding those critical arrangements;
    • Ensuring that appropriate and effective risk management systems and strategies are in place; and
    • Risk mitigation, including stress testing and disruption event preparedness.

The statement also supplies a non-exhaustive list of outsourcing and third party risk management policies that should be implemented and regularly reviewed:

  • Business model and strategy;
  • Business continuity;
  • Conflicts of interest;
  • Data protection;
  • Information technology;
  • Cyber security;
  • Participant rule book or scheme rules;
  • Operational resilience; and
  • Risk management.

Concentration risk

The statement provides an outline of the content that should, at a minimum, be covered by an outsourcing risk management policy. The BoE expectations here include exit strategies that explicitly cater “for the unexpected termination of an outsourcing agreement (a stressed or unplanned exit)”.

It is also clear that the BoE, like other regulators, is concerned about concentration risk and the resulting systemic risk: in other words, a situation in which a large third party, which is itself not a regulated entity, may pose a threat to the stability of the entire system.

Also covered are vendor due diligence, risk assessment and explicit requirements for the content of outsourcing agreements, including data security, the regulator's access and audit rights, sub-outsourcing and business continuity.

CSDs are expected to comply with the expectations outlined in the statement by February 9, 2024 for any outsourcing arrangements entered into after February 8, 2023. The regulator is offering some degree of flexibility for outsourcing arrangements entered into before February 8, 2023, suggesting that those outsourcing agreements should be reviewed and updated “at the first appropriate contractual renewal or revision point”.