
01 August 2023

PRA SS2/21 Compliance Checklist: 9 Steps


The failure of Silicon Valley Bank and the buyout of Credit Suisse earlier this year highlighted the importance of third-party risk management and resilience within your supply chain and tech stack. As a leader in venture debt, providing loans to many tech start-ups and scale-ups, SVB’s failure had a huge impact on tech companies and the customers they service.

Bank failures and similar events could ultimately lead to supplier failure, service deterioration, and concentration risk among those who rely on the software provided by fintech firms. The regulations set out by the Prudential Regulatory Authority (PRA), Supervisory Statement 2/21, express the importance of addressing these risks.

The PRA SS2/21 regulations require financial firms to be proactive in ensuring the continuity of critical services and maintaining operational resilience. Whether these critical services are delivered by traditional on-premise software applications or cloud-based services, the regulations stress the importance of developing ‘demonstrably successful stressed exit plans’ to ensure a smooth transition to an alternative provider in the event of supplier failure.

Here are the 9 steps your organisation needs to take to become PRA SS2/21 compliant:

Step 1

Assign ownership of supplier failure, service deterioration and concentration risk so that it sits separately from cyber security and at the highest level possible.

Step 2

Write specific supplier failure, service deterioration and concentration risk policies, standards, and procedures.

Step 3

Review all service license agreements for material suppliers to insert obligations for “demonstrably successful stressed exit plans”.

Step 4

Identify reluctance/inability to accommodate stressed exit plans early and encourage co-operation with your material service suppliers.

Step 5

Prioritise cloud-based software, as the indirect relationship with the cloud provider can delay detection of financial instability within the SaaS provider.

Step 6

Ensure the requirement for “demonstrably successful stressed exit plans” is inserted into your procurement processes at the earliest stage possible.

Step 7

Check intragroup outsourcing arrangements and ask for their successful stressed exit plans.

Step 8

Ask all material suppliers for details of their material suppliers and subsequent stressed exit plans.

Step 9

Add supplier failure, service deterioration and concentration risk to existing operational resilience scenario tests.

Supplier failure risk is often mistakenly included within the wider remit of cyber security. However, because cyber security is not the main cause of supplier failure, the risk can go unmanaged, with damaging results. By introducing the obligation to develop “demonstrably successful stressed exit plans”, organisations can ensure Independent Service Providers cooperate in order to meet the regulation requirements.


How can organisations document and test business continuity and exit plans?

We are seeing an increasing number of global regulators name software escrow as a viable proportional component of the temporary stages of stressed exit plans. When it comes to managing third-party risk and putting in place legally-binding agreements with suppliers, escrow agreements are a tried and tested method recognised as a key practical solution.

The PRA advises regulated firms to actively consider measures that can help ensure the ongoing provision of important business services following a disruption and/or stressed exit (e.g., software escrow arrangements), allowing for continued use of a service or technology for a transitional period following termination (10.16).

Software escrow agreements combined with escrow verification provide firms with the legal and technical assurance to bring an important service back in-house, or the necessary materials to migrate to another service provider and rebuild the outsourced service, should disruption occur. These services minimise the impact of downtime or disruption and enable firms to ensure the continuity and quick recoverability of critical third-party services as expected by the PRA.

PRA Compliance Guide

Download the guide to learn more about the PRA SS2/21 requirements and how to ensure compliance.

What's inside:

  • An overview of the Bank of England's Prudential Regulatory Authority SS2/21 outsourcing & third-party risk management requirements.
  • Guidance for vendor assessments and improving the resilience of third-party contracts.
  • Guidance for documenting and testing business continuity and stressed exit plans for critical or important business services.

