Supporting compliance for outsourcing rules

Outsourcing rules are contained in Chapter 14 of the PRA Rule Book. In short, where an important operational function is outsourced, additional controls should be in place to manage that service.

In most cases where a credit union relies on cloud-based services, outsourcing rules apply. As organisations rely more than ever on the cloud, a failure, for example, in being able to access data held off-site can be catastrophic.

It is up to each credit union to decide whether implementing automated lending constitutes outsourcing. Nevertheless, NestEgg has systems, policies and procedures to help its clients comply with outsourcing rules.

Information security

It should come as no surprise that it is critical for service providers to protect confidential information.

NestEgg is ISO 27001 certified. Importantly, this certification independently verifies that NestEgg follows information security best practices across our technology, people and processes. Extensive policies and procedures cover all aspects of information security, including labelling, managing access to, and storage of confidential and sensitive information. NestEgg and its clients sign a data processing agreement that clearly sets out mutual responsibilities.

Effective delivery

The PRA expects that outsourced providers carry out the services effectively. Credit unions must establish methods for assessing standards of performance.

NestEgg clients will soon have access to a live uptime indicator. This shows the status of the NestEgg decision engine server in line with Service Level Agreements.

Additionally, through its Client Success function, NestEgg hosts regular client meetings to ensure the decision engine is performing according to expectations and is aligned with a credit union’s risk appetite. Adjustments to rules can be made, feature requests noted, and any performance issues are added to an incident management system.

Managing risks

The PRA also expects service providers to manage the risks associated with the outsourcing.

NestEgg has a comprehensive, pragmatic approach to risk identification, analysis and treatment. Ongoing review addresses risks arising from internal and external issues, including regulatory requirements. Tools are used to map and treat risks and to evidence activity.

Business continuity

The PRA expects service providers to implement and maintain a contingency plan for disaster recovery. Backup facilities should be tested.

NestEgg’s Business Continuity Plan (BCP) is a dynamic project enabling effective collaboration and coordination of work that may evolve in times of crisis or disaster. Business continuity is based on the probability of occurrence, taking into account the confidentiality, integrity and availability of the information and assets. NestEgg regularly tests BCP events, with six scenarios last reviewed in October 2022.

Easy exit

The credit union must be able to terminate the arrangement for the outsourcing where necessary.

NestEgg operates on a 30-day rolling contract. No tie-ins. No long-term commitments. As a result, credit unions can exit the contract easily.

Supporting compliance

A range of policies and procedures cover critical areas of compliance for credit unions. Responsible lenders can trust NestEgg to support their compliance obligations, be it outsourcing, information security, data protection or assessing creditworthiness.

Read more about our popular decision engine and check out our blog for the latest thinking and insights.


About Adrian Davies

Adrian is a co-founder at NestEgg. He is an alternative finance and credit union expert with extensive experience of start-ups, business development, IT, Target Operating Models and regulatory compliance. Adrian has 20 years’ experience in the responsible lending sector, supporting credit unions with innovative ideas so they can grow and meet service user needs.