Which institutions are impacted by the Outsourcing and Third-Party Risk Management obligations?
There are existing Outsourcing requirements for FCA-regulated firms set out in SYSC 8 and SYSC 13.9.
The new Outsourcing requirements from the PRA are more detailed and prescriptive compared to the FCA’s – however they are aligned (if firms comply with the PRA requirements, they should also be covering the FCA’s requirements, except for FCA notifications).
The PRA policy statement places increased and more specific obligations on firms in terms of knowing their providers and where they are at on an ongoing basis.
These obligations will also be of interest to providers – even if they are not regulated themselves – but are supporting solo-or dual-regulated firms. For instance, providers need to be prepared to support firms’ operational resilience testing.
Have you read our responses behind other key questions? You can view them by clicking on the links to the pages below: