
05 April 2023

PRA SS2/21 Regulations: One Year On


On Thursday 30th March, we held our PRA SS2/21 Regulations: One Year On webinar. With professionals from a variety of financial institutions in attendance, our speakers Nicola Anderson, CEO of Fintech Scotland, and Wayne Scott, NCC Group’s Regulatory Compliance Solutions Lead, delivered an insightful discussion on the PRA SS2/21 Regulations currently impacting financial institutions and their vendors in the UK.

What we discussed 

  • The current financial landscape.
  • An overview of the Bank of England’s Prudential Regulatory Authority SS2/21 outsourcing & third-party risk management requirements.
  • The progress made over the last 12 months by financial institutions to become compliant, including any lessons learnt.
  • Guidance for documenting and testing business continuity and stressed exit plans for critical or important business services.
  • What the next year will look like for the UK financial services industry, including any recommendations.

The current financial landscape 

During the webinar, our speakers discussed the recent failure of Silicon Valley Bank and the buy-out of Credit Suisse Bank, reviewing the effects this has had on software vendors and the fintech community.

Given SVB’s involvement in funding many tech start-ups, Nicola explained how important SVB was to the fintech community. She added that a rapid solution was provided in the UK because of the co-operation between the UK tech community, Treasury, and regulators.

What may the bank’s failure have meant for these tech companies and the customers they provide software to?

Wayne outlined how these events demonstrated the importance of non-cyber risk mitigation and how these events could lead to supplier failure, service deterioration and concentration risk among the vendor’s customers.

It is important that the risks named in the PRA SS2/21 regulations are assigned ownership within the organisation, that they sit separately from cyber security, and that ownership sits at the highest level possible.

The progress made over the past year

As we mark the first year of the 3-year transition period of the PRA SS2/21 Outsourcing and third-party risk management regulations, our speakers discussed the progress made by financial institutions to become PRA SS2/21 compliant.

PRA regulations require financial firms to be more proactive in ensuring business continuity. This includes the development of stressed exit plans that can ensure a smooth transition to an alternative provider while minimising downtime and disruption.

Wayne explained, “Stressed exit plans are designed to mitigate against the ramifications of supply failure… allowing you to pull the management of a failed service in house or to another supplier”.

For business continuity plans to be compliant with PRA SS2/21 Regulation, it is necessary to evaluate and test the effectiveness of these stressed exit plans to make sure they are ‘demonstrably successful’.

Wayne explained that many material services have not been built with PRA SS2/21 regulations in mind. Due to this, many firms are currently redesigning both their deployment processes and their relationships with cloud providers, inserting the obligation to develop “demonstrably successful stressed exit plans”. For PRA regulations to be met, it is crucial that Independent Service Providers cooperate.

The requirements set out by the Prudential Regulatory Authority do not require a new solution. Wayne stated, “We are seeing an increasing number of global regulators naming software escrow as a viable proportional component of the temporary stages of stressed exit plans.”

“An Escrow agreement establishes the legal rights to access important information, such as the source code, data and environment access credentials, which you wouldn’t normally have access to”.

A call for collaboration

Wayne outlined NCC Group’s aim to bridge the knowledge gap surrounding financial regulation and how software escrow and the services provided by its Software Resilience division can meet regulatory requirements. Creating partnerships with financial institutions and the fintech industry is necessary to achieve this. He explained how he would also like to see more engagement from cloud providers and critical third parties.  

Nicola gave details about the efforts FinTech Scotland has made to encourage collaboration across the industry. As an increasing number of fintech enterprises grow and develop, we are seeing more and more partnerships form between firms, with large financial institutions starting to integrate and consider fintech innovation.

Nicola discussed the value of partnerships and collaboration to the sector. Creating a collaborative environment will ensure the fintech community understands the upcoming regulatory requirements and what is required to meet compliance.

In light of the recent announcement that Fintech Scotland has received UK government funding to form a ‘Financial Regulation Innovation Lab’, Nicola described how this initiative will enable the industry to collaborate with academics, entrepreneurs, and regulators.

As the need for operational resilience increases, we will see more cross-sectional work and collaboration within the fintech community. This will help the sector evolve and meet regulatory requirements.

Want to watch the full webinar?

Fill in the form below to watch the webinar on-demand







Find out how software escrow services can support your business with becoming PRA SS2/21 Compliant.
