Outsourcing rules are contained in Chapter 14 of the PRA Rulebook. Where critical or important operational functions or services are outsourced, controls should be in place to manage that service. In most cases where a credit union relies on cloud-based services, the outsourcing rules apply, especially where a failure in the performance of the service would materially impair the credit union's continuing compliance.
It is up to each credit union to decide whether implementing automated lending constitutes outsourcing. Nevertheless, NestEgg has systems, policies and procedures to help its clients comply with outsourcing rules.
The rules in detail
Section 14.5 of the rules states that a credit union must ensure that the conditions set out below (quoted under each heading) are satisfied.
Authorisation
The service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally.
NestEgg is a data processor. The company's role and responsibilities are set out in the data processing agreement in place with each client, and as a data processor the company is registered with the Information Commissioner's Office. The company does not require authorisation to process credit applications on behalf of its clients. However, it is authorised and regulated by the FCA as a Credit Information Services Provider and Broker.
Assessing standards
The service provider must carry out the outsourced services effectively, and to this end the credit union must establish methods for assessing the standard of performance of the service provider.
NestEgg clients have access to a live uptime indicator. This shows the status of the NestEgg decision engine server day to day and for the previous year, measured against a Service Level Agreement target of 99.9%. In addition, through its Client Success function, NestEgg reviews performance during regular meetings with clients to ensure that the decision engine is performing according to expectations and the credit union's risk appetite. Adjustments to rules can be made, feature requests noted, and any performance issues added to the production incident management system.
Managing risk
The service provider must adequately manage the risks associated with the outsourcing.
NestEgg has a comprehensive, pragmatic approach to risk identification, analysis and treatment. Ongoing review addresses risks arising from internal and external issues, including applicable legislation. A risk and treatment tool is used to map and treat risks and to evidence activity, with links back to the controls and policies, which are then updated to address the identified threats and opportunities.
Carrying out the functions
Appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements.
NestEgg has monitoring systems to ensure services meet the specifications laid out in contracts; this is tracked in the company's risk register for contractual requirements. Risks arising from regulation affecting the business are managed separately in a Legislative Risk Register.
Disclosure
The service provider must disclose to the credit union any development that may have a material impact on its ability to carry out the outsourced functions effectively.
NestEgg contracts provide for material disclosure of significant events.
Termination
The credit union must be able to terminate the arrangement for the outsourcing where necessary.
NestEgg operates on a 30-day rolling contract with no tie-ins or long-term commitments. Credit unions can exit the contract at any time.
Access to data
The credit union, its auditors and the PRA must have effective access to data related to the outsourced activities, and the PRA must be able to exercise this right of access.
NestEgg segregates client data. Access is provided through reporting and export of data, rather than direct access to systems.
Information security
The service provider must protect any confidential information relating to the credit union and its members.
NestEgg operates an Information Security Management System and is ISO 27001 certified. Extensive policies and procedures cover all aspects of information security, including the labelling of, access to and storage of confidential and sensitive information.
Business continuity
The credit union and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
NestEgg's business continuity plan (BCP) is a living document intended to enable effective collaboration and coordination of work that may need to continue during a crisis or disaster. A copy of the BCP is available on request. Business continuity planning is based on the probability of occurrence, taking into account the confidentiality, integrity and availability of the information and assets concerned. As part of the broader risk assessment, events that can interrupt business processes are identified, along with the probability and impact of such interruptions and their consequences for information security; this analysis also forms part of the BCP itself.