BoE issues guidance on outsourcing and third-party risk management for CCPs
09 February 2023 UK
Image: AdobeStock/William
The Bank of England has released a supervisory statement on outsourcing and third-party risk management for UK central counterparties.
This provides guidance on how the Bank of England (BoE) requires clearing houses to fulfil their regulatory requirements, building on the risk guidance provided in the Principles for Financial Market Infrastructures (PFMI) and the UK implementation of the European Market Infrastructure Regulation (EMIR).
These requirements also reinforce the 鈥楤ank of England policy on Operational Resilience of FMIs鈥 published in March 2021.
CCPs are given 12 months from today to be compliant with the requirements in the SS.
This will apply to existing outsourcing arrangements, which must be reviewed and updated by 9 February, and to any new outsourcing contracts which must be compliant by the same date.
The content of the supervisory statement (SS) provides few surprises and broadly aligns with accepted industry best practice in providing oversight of outsourcing arrangements and other third-party service provision, along with principles specified in the Prudential Regulatory Authority SS2/21, 鈥淥utsourcing and Third-party Risk Management鈥.
The BoE requires CCPs to evaluate the risks presented by all third-party arrangements, regardless of whether this falls within its specified definition of outsourcing.
鈥淐CPs, as risk managers, should apply adequate governance, risk management and controls to manage the risks arising from all their third-party arrangements that could pose a threat to the safety and efficiency of clearing services thereby impacting financial stability,鈥 says the BoE.
The Bank reflects on situations where a CCP relies on the services of 鈥渃ritical third parties鈥 鈥 those service providers where the continuous, secure and efficient delivery of their services to CCPs is critical to the operation of the CCP 鈥 and requires that the CCP implement proportionate, risk-based suitable controls to ensure resilience and continuity.
The BoE's expectations pertain to services that are outsourced to external providers and to those supplied by other divisions within the firm.
鈥淚ntragroup outsourcing is not inherently less risky than outsourcing to third parties outside a CCP鈥檚 group and is subject to the same requirements,鈥 it says. 鈥淐CPs should have due regard to the level of control and influence over the entity that is providing the outsourced service and comply with the expectations in the SS in a proportionate manner.鈥
The SS lays down guidance for due diligence on service providers and for other requirements during the pre-outsourcing phase. It also defines requirements for record keeping and risk audits. The BoE requires written agreements to be in place for all critical outsourcing arrangements, particularly in the areas of data security, business continuity and exit strategies, use of sub-outsourcing arrangements, along with access, audit and information rights.
As part of ensuring effective governance of an outsourcing arrangement, the Bank expects CCPs to define, document, and understand their own responsibilities and those of third parties. In the case of cloud computing, the term commonly used to help CCPs and cloud providers understand their respective obligations is the 鈥榮hared responsibility model鈥.
鈥淐CPs act as risk managers and should therefore understand the nature and scope of outsourcing among their participants, including how the use of new technologies, such as the cloud, may introduce new, or increase existing, systemic risks,鈥 says the supervisory statement.
More broadly, the BoE requires CCPs to identify their important business services and to document the people, processes, technology, facilities, and information required to deliver each of these services, including any reliance placed on supply chains or sub-outsourcing arrangements.
The CCP must set an 鈥渋mpact tolerance鈥 for each important business service, setting this at a level where any further disruption would pose a 鈥渟ignificant impact鈥 to CCPs users and the market it services.
鈥淐CPs must take all reasonable actions to ensure it remains within its impact tolerance for each important business service in the event of an extreme but plausible disruption to its operations,鈥 says the BoE.
This provides guidance on how the Bank of England (BoE) requires clearing houses to fulfil their regulatory requirements, building on the risk guidance provided in the Principles for Financial Market Infrastructures (PFMI) and the UK implementation of the European Market Infrastructure Regulation (EMIR).
These requirements also reinforce the 鈥楤ank of England policy on Operational Resilience of FMIs鈥 published in March 2021.
CCPs are given 12 months from today to be compliant with the requirements in the SS.
This will apply to existing outsourcing arrangements, which must be reviewed and updated by 9 February, and to any new outsourcing contracts which must be compliant by the same date.
The content of the supervisory statement (SS) provides few surprises and broadly aligns with accepted industry best practice in providing oversight of outsourcing arrangements and other third-party service provision, along with principles specified in the Prudential Regulatory Authority SS2/21, 鈥淥utsourcing and Third-party Risk Management鈥.
The BoE requires CCPs to evaluate the risks presented by all third-party arrangements, regardless of whether this falls within its specified definition of outsourcing.
鈥淐CPs, as risk managers, should apply adequate governance, risk management and controls to manage the risks arising from all their third-party arrangements that could pose a threat to the safety and efficiency of clearing services thereby impacting financial stability,鈥 says the BoE.
The Bank reflects on situations where a CCP relies on the services of 鈥渃ritical third parties鈥 鈥 those service providers where the continuous, secure and efficient delivery of their services to CCPs is critical to the operation of the CCP 鈥 and requires that the CCP implement proportionate, risk-based suitable controls to ensure resilience and continuity.
The BoE's expectations pertain to services that are outsourced to external providers and to those supplied by other divisions within the firm.
鈥淚ntragroup outsourcing is not inherently less risky than outsourcing to third parties outside a CCP鈥檚 group and is subject to the same requirements,鈥 it says. 鈥淐CPs should have due regard to the level of control and influence over the entity that is providing the outsourced service and comply with the expectations in the SS in a proportionate manner.鈥
The SS lays down guidance for due diligence on service providers and for other requirements during the pre-outsourcing phase. It also defines requirements for record keeping and risk audits. The BoE requires written agreements to be in place for all critical outsourcing arrangements, particularly in the areas of data security, business continuity and exit strategies, use of sub-outsourcing arrangements, along with access, audit and information rights.
As part of ensuring effective governance of an outsourcing arrangement, the Bank expects CCPs to define, document, and understand their own responsibilities and those of third parties. In the case of cloud computing, the term commonly used to help CCPs and cloud providers understand their respective obligations is the 鈥榮hared responsibility model鈥.
鈥淐CPs act as risk managers and should therefore understand the nature and scope of outsourcing among their participants, including how the use of new technologies, such as the cloud, may introduce new, or increase existing, systemic risks,鈥 says the supervisory statement.
More broadly, the BoE requires CCPs to identify their important business services and to document the people, processes, technology, facilities, and information required to deliver each of these services, including any reliance placed on supply chains or sub-outsourcing arrangements.
The CCP must set an 鈥渋mpact tolerance鈥 for each important business service, setting this at a level where any further disruption would pose a 鈥渟ignificant impact鈥 to CCPs users and the market it services.
鈥淐CPs must take all reasonable actions to ensure it remains within its impact tolerance for each important business service in the event of an extreme but plausible disruption to its operations,鈥 says the BoE.
← Previous regulation article
Changing nature of liquidity risk may amplify market shocks, says ESMA
Changing nature of liquidity risk may amplify market shocks, says ESMA
NO FEE, NO RISK
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Securities 麻豆影视传媒 Times
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Securities 麻豆影视传媒 Times
