Supply Chain Council of European Union | Scceu.org
A holistic approach to third party contract risk

An increasing ‘good practice’ is to operate a single, common materiality and risk-orientated control framework for all third-party arrangements – both outsourcing and non-outsourcing.

A single framework is not mandatory but it will drive consistency where required. It will also mitigate the risk of failing to implement suitable controls solely on the basis that an arrangement has not been classified as outsourcing – which we have often seen in the past. The regulators will not excuse a lack of appropriate controls on the basis that the contract was considered non-outsourcing and therefore outside the usual processes for mitigating outsourcing risk. Increasingly the regulators are asking for details on all “critical and important” supplies. 

Risk categorisation decisions would certainly be influenced by whether an arrangement is an outsourcing. However, wider factors are relevant too. These will include whether the arrangement relates to important business services to which operational resilience obligations apply, as well as financial risk, data risk, compliance risk, and such like.

A single framework will reduce administrative burdens and the risk of unexpected regulatory compliance gaps. It could include a single approach for conducting assessments of materiality and risk for contract classification purposes, and the development of consistent regulatory compliance checklists, contractual provisions and processes for notifying the regulators of new and revised contracts.

The financial entity could also develop templates for material services and for non-material services and ignore whether the arrangement is an outsourcing or not.

Financial entities can use contract playbooks and guidelines to clarify that there is some opportunity for flexibility from a regulatory perspective for non-outsourcing arrangements. These tools could identify where there may be scope to agree deviations from the requirements that apply to outsourcings, depending on the subject matter and risk profile of the arrangement.

Financial entities could meet some resistance from suppliers in seeking to map SS 2/21 controls to non-outsourcing arrangements on the basis that the requirements are not as fixed as for outsourcing arrangements. However, it will be important for financial entities to make clear that it is for them as the regulated entities to answer to regulators and confirm that they have third-party contracts which appropriately address the risks. This does not mean that suppliers cannot meaningfully engage and help to shape controls for particular services, but it is ultimately the financial entities that need to be satisfied of the sufficiency of those controls.

Thought can also be given to how the SS2/21 requirements can be applied to outsourcing and non-outsourcing arrangements with similar materiality and risk.

Broader rulesets need to be considered too

Managing risk in non-outsourcing third-party supply arrangements requires financial entities to look beyond just SS2/21. 

A summary of the rules that banks and insurers may need to refer to and comply with is set out below.

For a bank:
