UK PRA publishes rules for outsourcing and third-party risk management

This week, the UK’s Prudential Regulation Authority (PRA) published its Supervisory Statement on outsourcing and third-party risk management.

The publication offers guidance for businesses across the banking and financial services sector on what they should do when outsourcing services and mitigating third-party risk.

This follows the Bank of England’s Consultation Paper 30/19 published in 2019, which set out the key considerations to take forward in the official guidance.

Within this Supervisory Statement, the PRA considers an escrow agreement as one of a number of relevant resiliency options for firms to consider when undertaking business continuity and exit planning.

While it does not mandate or favour a single resiliency option, the PRA encourages firms to explore appropriate and viable options which, the PRA states explicitly, “may include escrow”.

Commenting on this news, Simon Fieldhouse, global managing director – software resilience at NCC Group said:"NCC Group has long taken the view that software and technology escrow solutions offer legal and technical assurance to allow firms to adopt, innovate and manage third-party technologies with confidence.

"We are delighted that the PRA has explicitly included escrow agreements as a relevant resiliency option in outsourcing contracts, as proposed by our experts.

“However, the work doesn't stop here. We must continue to engage with regulators world-wide to encourage them to acknowledge escrow agreements as a mechanism that enable organisations to comply with third-party risk mitigation, outsourcing and business continuity requirements and as a way to operate and grow in a resilient, safe and secure way.

"We believe that awareness and education of operational resilience needs to improve and that regulators can play a role in supporting financial institutions in achieving resilience by design.”

The new regulation will come into play on Thursday 1 April and will affect all regulated entities, independent software vendors, and cloud suppliers. If you’d like to find out more about what’s next read our ‘Spotlight on’ piece here.