
How Financial Institutions Can Manage Third-Party Risk in Large Non-Outsourcing Contracts

This represents a change in approach that requires financial institutions to consider the control frameworks they apply.

There are specific regulatory requirements for outsourcing. While these do not fully apply to material non-outsourcing contracts, such contracts are expected to include protections as strong as those provided in material outsourcing contracts.

There are several ways for financial institutions to apply flexibility in implementing third-party risk regulatory requirements in large non-outsourcing contracts.

Due diligence

Regulatory rule sets often establish general due diligence requirements. In an outsourcing context, to comply, financial institutions must obtain sufficient information to assess the business model, financial condition, ownership structure, expertise and reputation of the potential supplier. They should also assess its ability to provide the services and the financial, human and technological resources, and further review the vendor’s ICT, risk and security controls, as appropriate for the services to be provided.

The due diligence must also be comprehensive enough to determine whether any outsourcing arrangements the provider has entered into or may enter into could adversely affect the financial institution’s important business services.

In the context of material non-outsourcing contracts, the Prudential Regulation Authority (PRA) in particular will expect financial institutions to adopt the same approach. However, in this context, financial institutions may adjust their pre-contract processes where appropriate, i.e. where certain aspects of the process would be inappropriate given the nature of the services the third party will be providing.

For example, if the third party does not process critical data, regulatory references to obtaining “data dictionaries” through due diligence may not be appropriate. On the other hand, where the market expects the type of service provided to conform to a recognized industry standard, failure to obtain confirmation that the supplier meets that standard may be considered a breach of regulatory due diligence requirements.

Service levels

Regulatory rule sets tend not to dictate what form service levels should take in large outsourcing contracts. Generally, however, they set out a few broad guiding principles.

One principle requires financial institutions to include both “qualitative” and “quantitative” performance criteria in their material outsourcing arrangements. Another requires that service level regimes allow for “timely monitoring” and allow for “corrective action” to be taken where service levels are not met.

Service levels are expected to be defined in all material non-outsourcing contracts. In particular, where services enable or form part of the provision of an important business service, they will need to include effective performance criteria to support the impact tolerance measures required by the Financial Conduct Authority (FCA) and PRA operational resilience frameworks.

Nor is it common for regulatory rule sets to dictate the form that corrective action should take when service level failures are identified. Typically, in an outsourcing context, service levels can be supported by service credit schemes, rectification plan measures and, where applicable, rights of intervention.

In the context of large non-outsourcing contracts, the relationship will often be one that is not continuous or recurring, or that involves services the financial institution would not normally be expected to undertake itself. For these types of relationships, actions to correct service level failures can take a very different form and focus more on relationship escalation procedures and other basic governance arrangements.

Data Security

Financial regulators’ approach to transferring data to third parties is increasingly consistent between outsourcing and non-outsourcing arrangements. Generally, financial institutions will need to “define, document and understand their respective responsibilities and those of the service provider” and implement appropriate security measures, whether or not an agreement is classified as an outsourcing.

This applies to the provider’s processing of both personal and non-personal data. The inclusion of data security requirements in financial regulatory rule sets would be largely redundant if they were intended solely to protect personal data, the security of which is already largely covered by the GDPR and other privacy laws.

The appropriate security measures will depend on the context and should be assessed on a case-by-case basis. In many circumstances where critical data is processed, the assessment may require a review of the vendor’s encryption controls, including those governing access to encryption keys, and confirmation of its ability to remove all data from its own systems and those of its subcontractors.

Audit, access and cooperation with regulators

For material outsourcing contracts, the baseline audit rights requirement is that the financial institution retain the ability to request additional, appropriate and proportionate information where such a request is justified from a legal, regulatory or risk management point of view. Financial institutions should also retain the right to conduct on-site audits at their discretion.

Pooled audit arrangements and third-party certifications can reduce the practical need to exercise the right to perform on-site audits. However, they cannot be used as the basis for concluding a material outsourcing agreement that does not include the right to carry out an on-site audit.

In large non-outsourcing contracts, there is often no firm requirement for audits except that provided by the UK GDPR. The GDPR requires personal data processors to authorize and assist in audits and inspections conducted by or on behalf of data controllers.

For material non-outsourcing contracts, we generally expect audit rights to apply consistently to meet broader risk control expectations. However, in some contexts, this may be limited to requirements to provide reasonably requested information, or be tied to a subset of relevant services.


Third-party risk regulatory frameworks often include detailed rules for sub-outsourcing. For sub-outsourcing, the PRA, for example, requires financial institutions to agree to it only if the subcontractor complies with all relevant contractual obligations and grants contractual rights of access, audit and information equivalent to those granted by the supplier.