The PRA expects UK Financial Services firms to have robust continuity measures in place for “important business services” and specifically stipulates that any material cloud outsourcing arrangement must adopt the highest available resiliency option.
The PRA states that it expects firms to assess the materiality and risks of third-party arrangements, irrespective of whether they fall within the usual definition of “outsourcing”.
We recommend you review your current third-party software portfolio with risk assessment tools or work with an independent specialist to assess potential risks associated with any extensive reliance your firm may have on one service provider.
Think about the size and complexity of the business areas that could be affected by disruption to this outsourced function.
Would an interruption in service stop you from complying with the guidelines?
Would it impact your financial performance? Would you still be able to perform the activities of your core business lines?
PRA SS2/21 stipulates that in-scope firms will need to maintain an up-to-date register of outsourcing relationships, distinguishing between those that are material (or high risk) and those that are not.
Any application that is deemed material must have an exit plan, which means you should categorize the materiality of third parties based upon the role they perform in supporting critical business services.
This will allow you to prioritize the highest-risk vendors and focus your efforts where they are needed most. This way you’ll immediately reduce the greatest risks to your organization should you experience a stressed exit.
Wayne Scott, our Regulatory Compliance lead, explains what is meant by a stressed exit.
Once you’ve established which services are most critical to your business, you’ll then need to conduct proper due diligence on any potential service provider.
A superficial evaluation is not sufficient to proactively assess and mitigate risk, so make sure your due diligence practices reflect the materiality and risk assessment from the previous steps. For material (or high risk) outsourcing, your due diligence process should address:
It’s important to remember that signing a contract with a third-party vendor doesn’t mean that responsibility and accountability have been outsourced to the third party as well.
That’s why we recommend you develop an onboarding process for any new third-party software providers. This will ensure any future applications you add to your software estate have a demonstrably working stressed exit plan in place as soon as they are procured, rather than at go live.
The PRA expects you to demonstrate that you can retain flexibility to deliver important business services when disruption occurs. When building your stressed exit plan make sure it is comprehensive, well documented and where possible, regularly tested.
We recommend implementing software resilience measures such as Escrow agreements and Verification to help protect outsourced software and ensure compliance with PRA guidelines.
Software Escrow Agreements combined with Escrow Verification provide firms with the legal and technical assurance to bring an important service back in-house, or the necessary materials to migrate to another service provider and rebuild the outsourced service, should disruption occur.
Head of Product & Solution Architecture, Jamie Mackay, explains how Software Escrow can be used to meet PRA SS2/21 requirements.
Ongoing vendor monitoring throughout the life of a third-party relationship is critical. Engagements with third parties do not end after the assessment phase – or after your stressed exit plans have been built.
Continually review and revise your due diligence activities and procurement policies, as well as both material and non-material applications, as the business and any third-party relationships evolve.
Identify any current non-material services that have the potential to become material services over time, and make sure these are built into your stressed exit plan to avoid having to adapt when new issues arise.
If you would like more information on how your organization can improve its approach to PRA compliance, reach out to our technical and legal experts today.