Outsourcing and third party risk management – PRA issues new requirements for banking and investment firms


Outsourcing and third party risk management have become focal points following the publication on 29 March 2021 of the Prudential Regulation Authority’s (PRA) Policy Statement PS7/21 and Supervisory Statement SS2/21. These documents establish new regulatory expectations for banks, investment firms, insurers, and third-country branches, covering how they must manage outsourcing and third party risk. As a specialist compliance consultancy, this article briefs our clients on the practical, immediate steps they should now begin taking.

PRA’s New Rules: What’s Changed?

The new requirements on outsourcing and third party risk management supplement the PRA's operational resilience standards. They also reflect European guidance, such as the EBA Guidelines on Outsourcing, and integrate lessons from recent market developments and legal best practice. The regime covers more than traditional outsourcing: it includes a broad range of ‘material’ third party arrangements that could affect financial stability. The key message is that banks and investment firms must judge and document the materiality and risks of every third party contract, regardless of whether it carries an outsourcing “label”. For material relationships, the PRA now expects enhanced contractual controls, including data security, audit and access rights, and robust exit strategies. Firms must also maintain up-to-date registers of all outsourcing and high-risk third party arrangements.

Defining Material Outsourcing and Third Party Arrangements

The new rules expect you to treat as “material” any arrangement that involves personal, confidential or sensitive data, that uses cloud providers, or that supports important business services. These contracts fall within scope of the most stringent requirements: oversight, due diligence, and notification to the PRA are required well before contracts are signed. Updating legacy agreements should be a short-term action point. The outsourcing and third party risk management framework is built on proportionality and requires firms to reassess materiality whenever there is a significant change in services or counterparties.

Key Compliance Steps for Banks and Investment Firms

These reforms mean firms must operationalise comprehensive outsourcing and third party risk management controls, ranging from board-level oversight and centralised registers to detailed pre-contract due diligence and scenario-based exit planning. The direction is clear: if banks and investment firms want to benefit from cloud and third party service innovation, they must have demonstrably robust systems to address operational resilience. Expect further regulatory scrutiny once the final rules for outsourcing and third party risk management are in place.

How Leaman Crellin Can Help

Now is the time for boards and compliance teams to ensure policies, procedures and contracts are reviewed against the new standards, especially ahead of compliance deadlines and upcoming audits. If you require gap analysis, contractual reviews, training, or immediate project implementation support on these requirements, contact our boutique compliance team for expert, tailored advice.