Menu Close

PRA statement – Outsourcing and third-party risk management

PRA statement – Outsourcing and third-party risk management

Background

  • On 29 March 2021, the Prudential Regulation Authority (PRA) issued a Supervisory Statement SS2/21 titled “Outsourcing and third party risk management”
  • https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss
  • This Supervisory Statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management.
  • This SS is relevant to all UK banks, building societies; PRA-designated investment firms; insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents
  • This SS is also relevant to UK branches of overseas banks and insurers (hereafter referred to as third-country branches)
  • Some of the requirements and expectations referred to in this SS also apply to credit unions and non-directive firms (NDFs)

Impacts

The aims of this SS are to:

  • complement the requirements and expectations on operational resilience [in the PRA Rulebook; SS1/21 ‘Operational resilience: Impact tolerances for important business services’; and the Statement of Policy (SoP) ‘Operational resilience’];
  • ‘facilitate greater resilience and adoption of the cloud and other new technologies’ as set out in the Bank of England (the Bank)’s response to the ‘Future of Finance’ report; and
  • implement the:
    • European Banking Authority (EBA) ‘Guidelines on outsourcing arrangements’ (EBA Outsourcing GL). This SS clarifies how the PRA expects banks to approach the EBA Outsourcing GL in the context of its requirements and expectations. In addition, certain chapters in this SS expand on the expectations in the EBA Outsourcing GL, for instance Chapters 7 (Data security) and 10 (Business continuity and exit plans).
    • relevant sections of the EBA ‘Guidelines on ICT and security risk management’ (EBA ICT GL).

Timeline with relevant dates to be logged on regulatory calendar

  • The requirements within this SS are effective from 31 March 2022

Next steps

All firms must take actions to comply by the effective date of 31 March 2022.

If anyone has specific questions or needs any advice, contact our specialists.