Which institutions are impacted by the Outsourcing and Third-Party Risk Management obligations?

There are existing Outsourcing requirements for FCA-regulated firms set out in SYSC 8 and SYSC 13.9.
The new Outsourcing requirements from the PRA are more detailed and prescriptive compared to the FCAās ā however they are aligned (if firms comply with the PRA requirements, they should also be covering the FCAās requirements, except for FCA notifications).
The PRA policy statement places increased and more specific obligations on firms in terms of knowing their providers and where they are at on an ongoing basis.
These obligations will also be of interest to providers ā even if they are not regulated themselves ā but are supporting solo-or dual-regulated firms. For instance, providers need to be prepared to support firmsā operational resilience testing.
Have you read our responses behind other key questions? You can view them by clicking on the links to the pages below: