Skip to navigation Skip to main content Skip to footer

23 February 2022

How to meet PRA Regulations when outsourcing IT: Verification is key to ensuring your stressed exit plans work

The Prudential Regulatory Authority (PRA) published its final Policy (PS7/21) and Supervisory Statement (SS2/21) focusing on mitigating third-party supplier risk to the Financial institutions trading within the UK. In this blog we look at what this means for those operating in the financial markets.

Singapore skyline

If you’ve been following this blog series, you’ll already be aware of the need to make stressed exit plans for your business-critical software in line with PRA guidance.

But creating a plan alone is not enough to achieve compliance. You also need to test if stressed exit plans would really work to effectively ensure business continuity should you ever need to execute them.

In this blog, we’ll explore how to verify stressed exit plans and what types of verification will work best for your business.



Verification tests your source code and material to ensure it is correct, complete and can be rebuilt into the working application, providing a higher level of resilience and business continuity assurance. Due to the PRA Regulations, the results of the verification must be presented to the regulator.

Working closely with regulators, financial institutions and FinTechs, NCC Group has developed solutions that support PRA-regulated firms in developing, testing and managing their stressed exit plans.

The most basic verification we offer is Entry Level Verification (ELV). This is the minimum level of verification we recommend for business-critical third-party on-premise software applications.

During an ELV exercise, an in-house consultant will witness and document the rebuild of the software from the source code into the working application within the software vendor’s environment.

In addition to the ELV, there are several other types of verification. Some, like User Assured Verification, are suitable if your stressed exit plan involves bringing the data, function or service back in house or onto your premises.

However, if your stressed exit plan involves contracting with an alternative third-party software supplier to rebuild and maintain the application in the event of supplier failure, then an Independent Build Verification (IBV) will suit you best. But how does it work?


Independent Build Verification

An IBV simulates the scenario of a release event where an in-scope firm would receive the source code and contract with a new third-party, enabling you to remain within impact tolerances in severe but plausible disruption scenarios.

During the exercise, a verification consultant performs an Entry Level Verification then simulates a release event:

  1. An ELV is performed to observe and document the rebuild of the software from the source code into the working application within the software supplier’s environment.
  2. The first stage verification report is used to recreate the build environment and set up a clean and secure environment (usually a virtual machine) in which to carry out the rebuild of the software.
  3. Our consultants copy the source code to the build environment and compile, link and build the executable version of the software.
  4. On completion of the build, the application is provided to the PRA-regulated firm to carry out appropriate testing to ensure key features are present.
  5. An IBV report is issued to all parties and provides detailed information on the key facts needed to enable an alternate support mechanism to be rapidly put in place should a release event occur. The report details the environment and configuration required along with the precise details of the complete build process.
  6. The virtual build machine, source code, documentation and any additional information is then placed in escrow at NCC Group’s secure deposit facility.


What are the benefits of Independent Build Verification?

  • Your company gains assurance that full documentation of the build process is stored with the source code and available for immediate use in a release event.
  • Protection against third-party disruption is provided, by ensuring that sufficient documentation of the process is in place to enable a rebuild of the application.
  • A technical report is provided to assist in identifying a suitable third-party to take over maintenance. This report contains details of the build, operational architecture and the technology stack required to rebuild the application.
  • Upon successful completion of an IBV, the regulated firm has the option to carry out the maintenance and support of business-critical applications in-house or engage with another software supplier.


To learn more about the PRA regulations and how you can support your customers with meeting the new requirements, download our solution guide. 

Looking to learn more about the regulations affecting the UK's financial institutions?

Watch our on-demand webinar: PRA SS2/21: One Year On

Skip to navigation Skip to main content Skip to footer