SS2/21 Outsourcing and third party risk management

Supervisory Statement 2/21
Published on 29 March 2021

This Supervisory Statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management.

The aims of this SS are to:

  • complement the requirements and expectations on operational resilience [in the PRA Rulebook; SS1/21 ‘Operational resilience: Impact tolerances for important business services’; and the Statement of Policy (SoP) ‘Operational resilience’]; 
  • ‘facilitate greater resilience and adoption of the cloud and other new technologies’ as set out in the Bank of England (the Bank)’s response to the ‘Future of Finance’ report; and
  • implement the:
  • European Banking Authority (EBA) ‘Guidelines on outsourcing arrangements’ (EBA Outsourcing GL). This SS clarifies how the PRA expects banks to approach the EBA Outsourcing GL in the context of its requirements and expectations. In addition, certain chapters in this SS expand on the expectations in the EBA Outsourcing GL, for instance Chapters 7 (Data security) and 10 (Business continuity and exit plans).
  • relevant sections of the EBA ‘Guidelines on ICT and security risk management’ (EBA ICT GL).

This SS is relevant to all:

  • UK banks, building societies, and PRA-designated investment firms;
  • insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents; and 
  • UK branches of overseas banks and insurers (hereafter third-country branches). 

Some of the requirements and expectations referred to in this SS also apply to credit unions and non-directive firms (NDFs). 

Current version

Published 29 March 2021. Effective from 31 March 2022.

- following PS7/21 ‘Outsourcing and third party risk management'

Future version

Published on 15 November 2024. Effective from 31 December 2024.