
27 June 2022

UK Prudential Regulation Authority SS2/21 Compliance

The UK Prudential Regulation Authority Supervisory Statement SS2/21 sets out outsourcing and third-party risk management expectations for UK firms. Read on to learn how you can comply.

PRA SS2/21 Deadline: Compliance with outsourcing and third party risk management regulations

Read on to learn everything you need to know about the UK Prudential Regulation Authority Outsourcing and Third Party Risk Management Supervisory Statement SS2/21 and how to ensure compliance by 31 March 2022, when the new policy comes into effect.


UK Prudential Regulation Authority SS2/21 Compliance Checklist

The time has now come for firms to define their list of material and non-material outsourced services, set impact tolerances for each one and start building out their stressed exit plans.

No matter what stage you are at in your journey to PRA compliance, our final checklist will make sure you are ready for the impending changes.

Assess the risks of ALL third-party arrangements

The PRA states that it expects firms to assess the materiality and risks of third-party arrangements, irrespective of whether they fall within the usual definition of “outsourcing”.

We recommend you review your current third-party software portfolio with risk assessment tools, or work with an independent specialist, to assess the risks associated with any extensive reliance your firm has on a single service provider. Think about the size and complexity of the business areas that could be affected by disruption to each outsourced function. Would an interruption in service stop you from meeting your regulatory obligations? Would it hurt your financial performance? Would you still be able to perform the activities of your core business lines?

Categorise Third-party Dependencies by Criticality and Concentration Risk

SS2/21 stipulates that in-scope firms must maintain an up-to-date register of outsourcing relationships, distinguishing between those that are material (or high risk) and those that are not.

Any applications deemed material must have an exit plan, so categorise the materiality of third parties according to the role they perform in supporting critical business services. This lets you prioritise the highest-risk vendors and focus your effort where it is needed most, so that the greatest risks to your organisation are already reduced should you face a stressed exit.

Carry out Supplier Risk Assessment & Due Diligence

Once you’ve established which services are most critical to your business, you’ll need to conduct proper due diligence on any potential service provider. A superficial evaluation is not sufficient to proactively assess and mitigate risk, so make sure your due diligence practices reflect the materiality and risk assessment from the previous steps. For material (or high risk) outsourcing, your due diligence process should address:

  • Whether the software provider has the ability, capacity, resources, organisational structure and authorisation to reliably deliver the service.
  • The software provider’s ability to meet the required standards of service quality, security and reliability for the length of the contract.
  • Any sub-contracting or additional-party collaboration that might be required, along with any risks these additional relationships may bring.
  • Any potential conflicts of interest.

Immediately Revisit Procurement Procedures

It’s important to remember that signing a contract with a third-party vendor doesn’t mean that responsibility and accountability have been outsourced to the third party as well. That’s why we recommend you develop an onboarding process for any new third-party software providers, so that any future applications you add to your software estate have a demonstrably working stressed exit plan in place as soon as they are procured, rather than only at go-live.

Document & Test Business Continuity & Exit Plans

The PRA expects you to demonstrate that you can retain the flexibility to deliver important business services when disruption occurs. When building your stressed exit plan, make sure it is comprehensive, well documented and, where possible, regularly tested. It should include the objectives of the strategy, an analysis of the potential business impact, the success criteria for migration, and the indicators that classify a service level as unacceptable and would therefore trigger an exit.

Continual Monitoring

Ongoing vendor monitoring throughout the life of a third-party relationship is critical. Engagements with third parties do not end after the assessment phase, or after your stressed exit plans have been built. Continually review and revise your due diligence activities and procurement policies, as well as both material and non-material applications, as the business and its third-party relationships evolve. Identify any currently non-material services that could become material over time and make sure these are built into your stressed exit planning, so you don’t have to adapt under pressure when new issues arise.

The imminent deadline for banks to comply with the guidelines is by no means the end point of compliance. Rules and guidelines around third-party outsourcing will continue to evolve, and banks will need to remain proactive in ensuring their systems comply with the changing requirements.

If you would like more information on how your organisation can improve its approach to PRA compliance before the March deadline, you can reach out to our experts here.

