Join our webinar on Thursday 15 July 2021 (12.00 – 13.00 BST) to hear our technology & outsourcing specialists talk about the top 5 trends they have been seeing in respect of outsourcing and third party technology contracts in the financial services sector.
1. Regulatory scope
The type of contracts in scope for more detailed analysis and negotiation has been expanded following the PRA's approach in its supervisory statement (SS2/21) on outsourcing and third party risk management. Suppliers continue to argue that certain technology products and services they are providing are not within scope of the outsourcing definition, but this has less weight now that the PRA's focus is on ensuring suitable controls for material arrangements more generally, not just outsourcing arrangements.
2. Service levels
We find there is often a debate about whether the SLAs and KPIs are contractually binding or just targets, with suppliers arguing that the EBA Guidelines on outsourcing arrangements state that the agreement only has to set out the agreed service levels (and not an obligation to achieve them). However, this needs to be seen in the context of wider operational resilience requirements; in particular, how can a financial services firm remain within its impact tolerances without appropriate contractually binding obligations to meet key service levels such as availability or response / resolution times?
3. Data and security
Some suppliers continue to deal with this as part of their personal data provisions, whereas contractual protections need to cover data more broadly than just personal data. Further, we often see suppliers offer information security standards as part of the tender process, but these do not then always form part of the proposed contractual document set. We are also seeing increased focus on understanding the security arrangements subcontractors have in place and where data is being stored, transferred and accessed.
4. Audit rights
Suppliers continue to resist onsite audit rights and customer penetration testing rights. Although the PRA expects underlying contractual rights to conduct an onsite audit, the PRA's acknowledgement of the challenges in certain scenarios (e.g. cloud solutions hosted in multi-tenant data centres) has helped to drive compromise positions more in line with what suppliers are willing to provide (e.g. agreeing to results of penetration testing carried out by the supplier or an independent third party in place of a right for the customer to carry out the penetration testing).
We are seeing increased focus on managing risk further down the supply chain, including fourth and fifth party risk management of material subcontractors. The flow down of obligations (especially audit rights) to subcontractors remains a key obstacle, but suppliers appear to be starting to recognise that visibility and oversight of the supply chain play a key role for financial services customers in achieving compliance.
We will also touch briefly on business continuity and exit but, for now, watch out for our next Insight on operational resilience!
Partner, Technology and Outsourcing
Managing Associate, Commercial Services Leeds, UK
Partner, Financial Regulation
Andy Lawrence - Uptime Institute
Executive Director of Research