PRA’s statement provides greater clarity on outsourcing

The PRA have released a Supervisory Statement on Outsourcing and Third Party Risk which will provide useful guidance to firms in an area of significant scrutiny and concern. 

According to the regulator the statement aims to complement the requirements and expectations on operational resilience to ‘facilitate greater resilience and adoption of the cloud and other new technologies’, implementing the EBA’s outsourcing and IT guidelines. The statement: SS2/21 Outsourcing and third party risk management is relevant for UK banks, building societies, and PRA-designated investment firms, but some requirements are also applicable to other firms. 

In general, the statement provides greater clarity on outsourcing, particularly in relation to areas such as  cloud based services, and other technology solutions. It also aligns the PRA’s approach to outsourcing with the recently published operational resilience requirements 

From an international perspective, the PRA’s expectations are now aligned to the EBA guidelines on outsourcing arrangements and reflect wider standards. 

Outsourcing and managing third party risk is an area of significant regulatory scrutiny and concern, where in the past firms have sometimes struggled with the interpretation and application of the requirements. The new statement provides helpful guidance to firms in understanding and meeting their expectations. In particular, providing expanded detail on the requirements for non-outsourcing 3rd party arrangements (3rd party dependencies). Again, there’s a clear read across with the objectives of the operational resilience requirements. 

The PRA’s document also reinforces the point (if that were needed) that intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group and should not be treated as being inherently less risky. 

Finally, the statement underlines the responsibilities of Board to ensure good oversight.  

In our survey last year, nearly 80% of compliance professionals had not considered the EBA’s outsourcing guidelines, despite the FCA making it clear that they should be reflected in firms’ outsourcing frameworks. This new statement should help clarify what is expected and put in place the appropriate controls. 


How we can help 

We can provide specialist regulatory advice on managing the risks of outsourcing and using third parties. With our friends at Orpheus we can also help you meet the expectation to review third party ICT arrangements  – including with a free online cybersecurity review 


Want more insights like this?

Join our mailing list