
17 April 2023

How to meet PRA Regulations when outsourcing IT: Stressed exit plans

Rapid digital transformation and evolving consumer expectations are driving financial firms around the world to adopt a range of emerging technologies from external suppliers. But what happens if a third-party provider of a business-critical application is acquired or becomes insolvent?

PRA regulations require financial firms to take a more proactive approach to ensuring business continuity in such situations. This includes developing stressed exit plans that can ensure a smooth transition to an alternative provider while minimising downtime and disruption.


What is a stressed exit plan?

Part of ensuring the resilience of financial software is planning how to transition to another supplier or system should the current contract come to an end or be terminated. The PRA has therefore set regulations that require firms to have measures in place for such eventualities.

A stressed exit is one where the contract ends because of the failure or insolvency of the service provider. It is therefore less predictable than a non-stressed exit, which may be driven by commercial, performance or strategic reasons.

Stressed exit strategies form an important part of a firm's business continuity plans, and must include testing and documentation to achieve compliance with PRA regulations. This aims to ensure the firm's continued provision of important business services that are delivered by third parties, limiting the impact of disruption on the business, its customers, and the wider financial market as a whole.


How Software Resilience solutions can help

Support from independent software resilience providers such as NCC Group can help financial firms comply with the latest PRA regulations and ensure that business services continue with minimal disruption following a stressed exit.

Below are extracts from SS2/21 relating to exit plans, each followed by how NCC Group solutions support compliance.


Chapter 10: Business Continuity and Exit Plans

For each material outsourcing arrangement, the PRA expects firms to develop, maintain, and test a business continuity and a documented exit strategy for both stressed (eg following the failure or insolvency of the service provider) and non-stressed exits (eg through a planned and managed exit due to commercial, performance, or strategic reasons).

The PRA’s primary focus when it comes to business continuity plans and exit strategies is on the ability of firms to deliver important business services provided or supported by third parties in line with their impact tolerances in the event of disruption.

In material cloud outsourcing arrangements, the PRA expects firms to assess the resilience requirements of the service and data that are being outsourced. For critical applications, the PRA may expect a firm to adopt one or more of the most resilient options available to maximise the chances to maintain its resilience in the event of a serious outage.


Software Escrow Agreements enable compliance with the PRA’s expectations on firms to implement business continuity plans to anticipate, withstand and recover from disruption.

Our Software Escrow Agreements can be attached to the licensing agreement and ensure the legal right to access the material behind business-critical applications allowing for the continued use of the service or technology.

NCC Group's Escrow as a Service (EaaS) Agreements and Verification options are designed to ensure the resilience and long-term continuity of outsourced cloud services. Our EaaS Agreements support compliance with the recommendation to develop and implement business contingency plans and exit strategies for cloud-hosted third-party applications, and our EaaS Verification options support compliance with the recommendation to test the effectiveness of the business continuity strategy.


Chapter 10: Stressed Exits

Firms’ exit plans should cover stressed exits and be appropriately documented and tested as far as possible. The PRA does not prescribe or have a preferred form of exit in stressed scenarios as long as the outcome of the exit ensures the continued provision by the firm of important business services provided or supported by third parties.

The PRA advises that firms should also actively consider temporary measures that can help ensure the ongoing provision of important business services following a stressed exit (e.g. software escrow arrangements), allowing for continued use of a service or technology for a transitional period following termination.


Our Software Escrow Agreements provide assurance of the long-term continuity of third-party services by ensuring firms have the legal right to access a copy of the source code behind business-critical applications.

Our Software Escrow Verification options provide a higher level of assurance by enabling firms to test business continuity plans and document the steps involved and resources required to rebuild the source code into the working application.

Together these services minimise the impact of downtime or disruption and enable firms to ensure the continuity and quick recoverability of critical third-party services as expected by the PRA.

Chapter 10: Governance of business continuity plans and exit plans

The PRA expects firms to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase once they have determined that a planned outsourcing arrangement is material (ie the failure of the services would cast serious doubt upon the firm's continuing satisfaction or compliance with the Fundamental Rules).

Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans on a risk-based approach. Where possible and relevant, this testing should align to, support, or even be a component of firms’ scenario testing.


In line with the PRA's guidelines, we recommend that firms consider how they will ensure the continuity of outsourced operations before entering an arrangement, and look to implement Software Resilience solutions during the contract negotiation stage. NCC Group SAST (Static Application Security Testing) Services provide a detailed report of security vulnerabilities within a software application. Applying this level of testing before procurement can prevent security vulnerabilities from being embedded in the business infrastructure. Ongoing testing is advised, particularly following updates to the software, to ensure security is maintained.

Looking to learn more about the regulations affecting the UK's financial institutions?

Watch our on-demand webinar: PRA SS2/21: One Year On
