There are two primary financial regulators in the UK, with the Financial Conduct Authority (FCA) being the better-known. However, the Prudential Regulation Authority (PRA) is just as important for finance organisations. It sets out rules and requirements that everyone, from banks and insurers to investment funds, must meet.
So, what is the Prudential Regulation Authority, and what does it do exactly? While it is typically discussed as a distinct entity, the PRA is part of the Bank of England. Its aim is to ensure that all organisations in this sector can demonstrate operational resilience against the various risks they encounter.
One way the PRA promotes stability in the financial market is by requiring firms to hold appropriate resources to withstand a variety of disruptive scenarios. This requirement reflects the PRA's origins: it was created specifically in response to the 2007 financial crisis. The idea that banks could be ‘too big to fail’ and require bailouts from the public purse caused controversy at the time, so a compliant PRA business plan must prevent that possibility from arising again.
In addition to insisting that finance firms have adequate capital and liquid assets to survive disasters, the PRA emphasises overarching operational resilience and continuity of core services. Customers should not experience any complications if a bank or insurer they rely on encounters some form of disruption, whatever that might be.
Around 1,500 organisations are supervised by and subject to the PRA's rules and guidelines. Non-compliance can result in increased scrutiny from regulators, fines, and reputational damage.
Operational Risk Management
Understanding risks and acknowledging incidents isn’t enough. Firms must actively identify, monitor, and prevent threats across IT systems, processes, and supply chains. Internal and external failures must be addressed, with vulnerabilities managed to ensure operational resilience.
Business Continuity Planning
The PRA requires financial firms to have practical, tested plans that enable them to maintain or quickly resume services during disruption. These plans must meet defined impact tolerances and demonstrate the ability to operate under stress, not just on paper but in real-world conditions.
Management of Outsourced Relationships
The PRA mandates that firms remain accountable for outsourced services and ensure their providers meet resilience standards. Contracts must guarantee ongoing access to essential services even if the third-party supplier suffers disruption, insolvency, or other critical failures.
Governance
Strong governance is at the heart of PRA compliance, requiring firms to implement a clear structure of responsibility. Senior leaders must be accountable for managing operational risks, ensuring that oversight, control, and mitigation efforts are clearly defined and enforced.
SS2/21 emphasises that firms must actively assess and manage third-party risks, ensuring their vendors are stable, resilient, and meet performance expectations. Software escrow strengthens this process by securing access to critical software in case a vendor fails, helping firms manage risk and maintain operations without disruption while meeting due diligence requirements.
SS2/21 stresses the importance of contracts that clearly set out SLAs, termination clauses, and exit strategies. Software escrow agreements strengthen these contracts by ensuring firms can access key software if a vendor fails or breaches its agreement, protecting operations and allowing for a painless transition if one becomes necessary.
SS2/21 requires firms to control data and systems, even when outsourcing to the cloud. Escrow as a Service (EaaS) guarantees firms can access and restore cloud environments and critical data if their provider faces issues, ensuring continuity and compliance with regulatory expectations in cloud outsourcing scenarios.
SS2/21 demands continuous monitoring of third-party providers and regular testing of contingency plans. Software escrow verification helps meet this need by confirming that software is always up-to-date and ready for deployment, making it easy to test recovery plans and facilitating business continuity if a vendor fails.
SS2/21 requires firms to demonstrate that they are correctly managing third-party risks. Software escrow agreements provide clear, verifiable documentation that confirms access to critical software if needed. Software escrow verification testing ensures this software is up to date and deployable, providing a solid foundation for audit readiness and regulatory compliance.
Software escrow agreements secure access to critical software and source code, ensuring firms can maintain operations and meet PRA SS2/21 requirements for clear contractual exit strategies.
Regular software escrow verification confirms that the deposited software is up to date and deployable, supporting PRA SS2/21 mandates for testing contingency and exit plans.
Our SaaS Escrow solution, EaaS, provides firms with access and recovery options for cloud-based services, helping meet PRA SS2/21 cloud outsourcing and operational resilience requirements.
“Being proactive and placing security and resilience at the start of any development means that we can confidently explore ideas and push boundaries, safe in the knowledge that we are managing any risk associated with our software supply chain responsibly.”
Andy Ellis
Head of NatWest Ventures