Introduction
This briefing considers how the UK’s proposed operational resilience regulatory framework will impact contractual relationships between regulated firms operating in the financial services sector and their service providers.
Background
Building upon the framework outlined in the July 2018 Discussion Paper ‘Building the UK Financial Sector’s Operational Resilience’, published jointly by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), the regulators published in December 2019 a suite of documents seeking to embed that approach into policy (together, the Proposals):
- The PRA’s consultation paper on outsourcing and third party risk management (CP30/19), which implements the European Banking Authority’s (EBA) Guidelines on Outsourcing Arrangements (EBA Outsourcing Guidelines); and
- The PRA’s and FCA’s consultation papers on operational resilience and impact tolerances for important business services (CP29/19 and CP19/32 respectively).
The way that parties providing important business services to regulated firms incorporate operational resilience considerations into their business is a key part of such firms’ ability to prevent, adapt, respond to, recover, and learn from operational disruption and to help ensure resilience.
Our recent client briefing and video explore some of the issues that regulated firms should consider in this context, including the identification of “important business services” and the activities regulated firms will be required to undertake in ensuring their operational resilience.
The regulatory landscape for sourcing and outsourcing in the financial services sector is becoming more complex. Financial services sector firms will be undertaking internal compliance projects to implement operational resilience, and as part of this, will no doubt be considering interactions with third party service providers. Lawyers, procurement and business representatives who negotiate service contracts on a daily basis all need to be familiar with the Proposals and their potential impact.
Operational resilience is not just an outsourcing issue
Consistent with the regulatory framework set out by the EBA, PRA and FCA, operational resilience needs to be considered in respect of arrangements with any third party supporting the delivery of an important business service, not only those considered to constitute outsourcing.
Third party arrangements
The PRA has provided examples of such third party arrangements, including:
- The sharing of data (including through application programming interfaces (APIs));
- The supply of off-the-shelf software and hardware; and
- The use of insurance data aggregators.
A regulated firm will therefore need to be cautious when assuming, in respect of a contract that is not on its face an “outsourcing”, that it is not actually subject to additional regulatory requirements. It is worth noting that to the extent the contract does not fall within the scope of the proposed outsourcing requirements, the regulatory requirements that apply may be less prescriptive.
Not all outsourcings will attract the additional controls contemplated by the proposed operational resilience requirements. For example, a regulated firm’s payroll function is unlikely to be assessed as an important business service for operational resilience purposes, but the outsourcing of this function will nevertheless be subject to the PRA’s outsourcing requirements. For these reasons, when drafting or negotiating a service contract, it is essential to have a clear understanding of:
- Where it fits in a firm’s wider operations; and
- How it has been classified in terms of the firm’s outsourcing and operational resilience framework (which are likely to be developed or refined as a result of the Proposals).
For completeness, it is worth noting that regulated firms subject to the Senior Managers & Certification Regime are also expected to assign responsibility for the oversight of operational resilience (and, with that, oversight of outsourcing arrangements) to a senior manager. It is important to ensure that the relevant senior manager has appropriate oversight of service contracts.
Impact on service contracts
The Proposals do not introduce wholesale changes from a service contract perspective and the contractual protections that promote operational resilience objectives will be familiar to procurement lawyers and the procurement function (as well as to service providers).
However, regulated firms may, to the extent relevant and not already provided for, need to:
- Refine their outsourcing contracts in order to comply with the Proposals; and
- Introduce additional protections into third party contracts that are not technically speaking outsourcing contracts.
Specific contractual provisions
The Proposals may impact the way in which certain contractual protections are drafted and negotiated – for example:
- Business continuity and disaster recovery (BC/DR): the Proposals require firms to conduct operational resilience governance and systems and controls reviews on an ongoing basis. These will differ for each firm depending on its identification and mapping of important business services and the impact tolerances set for each one, but the need for service provider co-operation could well go beyond conducting an annual review and testing of a business continuity plan. BC/DR clauses also often place an express obligation on the service provider to implement its plans in the event of a disruption, but the operational resilience requirements take this a step further – firms are required to conduct “lessons learned” exercises in order to identify, prioritise and invest in their ability to respond to, and recover from, disruptions as effectively as possible. Where a service provider provides a key component of a business service, its participation in these exercises will be necessary to make them meaningful.
- Exit planning: the Proposals place the same weight on exit planning as they do on BC/DR arrangements, based on the assumption that where an exit goes wrong this can have equal potential for disruption as a “disaster” scenario. Ensuring robust exit and transition-out arrangements has been an important feature of outsourcing contracts historically. However, the Proposals introduce two new aspects to exit planning that are relevant to operational resilience:
a. Stressed and non-stressed exits: a firm’s exit strategy must differentiate between situations where a firm exits an outsourcing arrangement in stressed circumstances (e.g. following the failure or insolvency of a service provider) and non-stressed circumstances (e.g. a planned exit due to commercial, performance, or strategic reasons). More emphasis is placed on stressed exits, as these have a greater potential for disruption. Firms will need to consider whether there is a need to make this distinction contractually – this will depend in each case on the nature of the service and the activities required to migrate away from it.
b. Testing of exit plans: the PRA expressly requires firms to test their exit strategy. Whilst exit provisions in contracts may refer to regularly reviewing and updating exit plans, these generally do not contain testing requirements equivalent to those applicable to BC/DR plans. The need for service provider participation in these tests (and translating that into contractual obligations) will again be service-dependent.
Non-outsourcing cloud and software-as-a-service (or SaaS) contracts also often contain references to how customers can access or extract their data from the service on exit. Whilst the PRA’s exit requirements are framed specifically in relation to material outsourcings, firms should consider whether it is appropriate to apply the same principles to non-outsourcing contracts supporting important business services;
- Notifications and reporting: outsourcing contracts typically impose a range of notification obligations on service providers (e.g. for disasters, force majeure, security incidents and other events that could have a service impact). The Proposals require firms to have effective crisis communication measures in place to notify all internal and external stakeholders (including customers and supervisory authorities) in the event of an operational disruption or emergency. Firms may need to impose more specific contractual requirements on service providers regarding the channels and content of notifications (aligned with the firm’s own communication plans). Reporting obligations may also need to be extended to: (i) the service provider’s financial stability and events that could potentially change this; and (ii) reporting on concentration risk;
- Step-in rights/enhanced supervision/service remediation: while these concepts are common in outsourcings, the Proposals (and the EBA Outsourcing Guidelines for that matter) do not prescribe specific requirements in relation to step-in rights, enhanced supervision, or service remediation procedures. These may, however, be crucial in promoting a firm’s operational resilience objectives for important business services, particularly where a service failure may affect a firm’s ability to stay within an impact tolerance but does not trigger business continuity or other measures. Step-in is typically resisted by service providers (and is often not practical to enforce), so firms may need to negotiate alternatives, such as enhanced supervision and robust remediation procedures;
- Inter-service provider co-operation: firms are required to consider the entire chain of activities which make up an important business service. Where inter-service provider co-operation is needed to achieve the firm’s operational resilience objectives, this may need to be contractually imposed in more detail than a general obligation to co-operate reasonably with the firm’s other service providers. Firms may need service providers to enter into operating level agreements with one another and to exchange information (even possibly confidential information) to facilitate operational resilience activities;
- Subcontracting: the Proposals require firms to “pay particular attention to the potential impact of large, complex chains of sub-outsourced service providers on their operational resilience (in particular, the end-to-end provision of important business services)”. Specific requirements are proposed for material outsourcing arrangements, but firms will need to consider the extent to which they are necessary for other service providers delivering important business services and the practicality of imposing them in each instance. Audit rights are a common example: SaaS providers (in both an outsourcing and non-outsourcing context) typically attempt to exclude underlying cloud infrastructure providers from audit requirements on the basis that they are unable to secure back-to-back audit rights. The PRA refers to the use of other methods, such as certificates and pooled audits, but makes it clear that firms must consider in each instance whether these methods provide the necessary levels of assurance; and
- Availability service levels: uptime service levels for SaaS and cloud services are often limited to the service being “available” for use, particularly if service providers’ standard definitions are used. These provisions should be assessed carefully, as availability may not be a sufficient commitment. As noted by the FCA, “a business service that is available but has compromised integrity [for example, as a result of a virus] is not remaining within the impact tolerance”.
The overarching message is that firms should consider how to apply operational resilience most appropriately for their business:
- Even where firms identify the same or similar important business services, they may comprise varying chains of activities based on each firm’s business model; and
- Reliance on service providers, the impact of activities performed by those service providers, and the interaction between activities performed by a firm and its various service providers will differ both between firms and within each firm for different business services.
Drafting challenges and solutions
The challenge for those drafting and negotiating service provider contracts is that standard clauses (whether in a template for a new contract or addendum to an existing contract) may be either impractical or insufficient to deal with the unique operational resilience requirements for a particular deal.
A solution could be to create different sets of clauses which are applied based on a risk assessment (similar to what some firms do for data protection). Document automation solutions that build more bespoke contracts based on answers to an initial questionnaire may become increasingly valuable in this context.
Guidance for service providers
Although the regulatory responsibility for operational resilience ultimately rests with a regulated firm, service providers need to understand the requirements and the impact they will have when engaging with firms operating in the financial services sector.
Service providers often make a policy decision not to accommodate a specific customer request in relation to, say, a matter such as business continuity on the basis that accommodating the specific client request would have an adverse operational and cost impact if the service provider similarly had to accommodate the requests of other customers (perhaps from different sectors) in the same way.
Revised negotiation positions in light of compliance requirements
In light of the Proposals, service providers:
- Are likely to face increased resistance to the common “one-size-fits-all” approach to their clients’ compliance requirements; and
- May need to find creative ways of working with regulated firms while continuing to protect their own business interests.
The Proposals on access, audit, and information rights are encouraging in this context. The draft supervisory statement:
- Refers to an outcomes-focused approach to assessing a service provider’s performance;
- Allows a regulated firm to choose any appropriate method, as long as it enables the firm to meet its regulatory, operational resilience and risk management obligations; and
- Specifically refers to certificates and pooled audits, which many service providers have already been offering.
The fact that such an approach is acknowledged at supervisory authority level may facilitate more constructive discussions between service providers and their regulated clients on these matters.
Confidentiality and intellectual property will also be a key topic. Technology service providers are particularly sensitive in this area and these issues will be at the forefront of discussions on collaboration and exchanging information with other service providers (in addition to compliance with competition laws).
The Proposals - next steps
In light of the challenges presented by COVID-19, the deadline for providing responses to the Proposals has been extended to October 1, 2020. There is an open question over whether there will be any significant changes to the FCA and PRA’s final policies as a result of the COVID-19 outbreak.