Compliance Briefing — March 31, 2021

The UK PRA’s Supervisory Statement SS2/21 set binding expectations for outsourcing and third-party risk, linking operational resilience mapping, contractual safeguards, and exit planning to enforcement starting in 2022.

On 29 March 2021 the UK Prudential Regulation Authority (PRA) published Policy Statement PS7/21 and the accompanying Supervisory Statement SS2/21, Outsourcing and third party risk management. The policy became effective on 31 March 2022, providing firms with a one-year implementation window to align contracts, governance, and controls. SS2/21 applies to UK banks, building societies, PRA-designated investment firms, and insurers, and sets detailed expectations for how firms must identify, assess, and manage outsourcing and third-party arrangements that support important business services.

SS2/21 complements the PRA’s operational resilience framework (Policy Statement PS6/21 and Supervisory Statement SS1/21), which requires firms to identify important business services and set impact tolerances. Outsourcing arrangements that underpin those services attract heightened scrutiny. The PRA clarified that even arrangements not traditionally labeled as outsourcing—for example, cloud infrastructure, data analytics platforms, or regtech services—may fall within scope if they involve the performance of functions that a firm would otherwise conduct itself.

Governance and risk management

The PRA expects boards to approve an outsourcing and third-party risk management strategy aligned with the firm’s business model and risk appetite. Firms must maintain a register of all outsourcing arrangements, identifying which support important business services and the criticality tier assigned to each provider. Responsibility for oversight should be clearly allocated to a senior management function (SMF), typically the Chief Operations (SMF24) or Chief Risk (SMF4) function, with reporting lines into the board risk committee.

Risk assessments must evaluate concentration risk, substitutability, data sensitivity, and geopolitical exposure. Firms should integrate outsourcing risk into enterprise risk management frameworks, linking it with operational resilience, ICT risk, and financial risk assessments. Internal audit is tasked with providing independent assurance over the effectiveness of outsourcing controls and adherence to SS2/21 expectations.

Pre-outsourcing due diligence and approvals

Before entering into or materially changing an outsourcing arrangement, firms must perform proportionate due diligence. SS2/21 lists mandatory evaluation areas: financial health of the provider, technical capability, control environment, data security measures, sub-outsourcing chains, location of data processing, and the provider’s ability to support resilience during severe but plausible scenarios. Firms must document assessments, including rationale for selecting a provider and mitigants for identified risks.

For material arrangements supporting important business services, boards or delegated senior managers should approve the contract. Firms must consider whether the arrangement could hinder compliance with regulatory obligations, impede effective supervision, or threaten resolvability. Where risks cannot be adequately mitigated, the PRA expects firms to decline or exit the arrangement.

Contractual requirements

SS2/21 prescribes clauses that firms should incorporate into outsourcing contracts:

  • Access and audit rights. Contracts must grant the firm, its auditors, and regulators full access to data, premises, systems, and staff. For cloud providers, firms may use pooled audits or certifications if they meet the PRA’s conditions and retain fallback rights to individual audits.
  • Data security and location. Agreements must specify data classification, encryption standards, and storage locations. Firms should ensure providers notify them of data breaches promptly and support compliance with GDPR and the UK Data Protection Act.
  • Service levels and resilience. Contracts should include minimum service levels, incident notification timelines, recovery objectives, and requirements to participate in resilience testing. Providers must support firms in meeting impact tolerances set under SS1/21.
  • Sub-outsourcing controls. Providers must obtain the firm’s consent before engaging sub-contractors for material functions, maintain inventories of sub-outsourcing, and flow down contractual obligations.
  • Termination and exit. Agreements need robust exit rights, including assistance for orderly transfer, data portability, and destruction of confidential information. Firms should negotiate rights to extend services during transition periods.

Ongoing monitoring and resilience testing

Firms must monitor outsourcing arrangements throughout their lifecycle. SS2/21 encourages the use of key risk indicators covering service performance, incidents, compliance breaches, and financial health of providers. Governance forums should review monitoring reports regularly and escalate concerns to senior management.

Resilience testing must incorporate third-party scenarios. Firms should test their ability to operate within impact tolerances if a provider fails, considering manual workarounds, alternate suppliers, or recovery plans. Testing outcomes should feed into remediation plans and investment prioritization. The PRA expects firms to include critical third parties in operational resilience exercises and to coordinate with providers on joint testing where feasible.

Record keeping and documentation

SS2/21 requires firms to maintain a centralized register capturing key information: provider details, jurisdiction, service description, data classification, exit strategy, renewal dates, and criticality. The register must be available to the PRA on request. Firms should link the register with operational resilience mapping so that impact assessments automatically reflect outsourcing dependencies.

Documentation should include outsourcing policies, risk assessments, due diligence reports, contract inventories, incident logs, and post-incident reviews. Firms must also retain evidence of board approvals and senior manager attestations. The PRA highlighted that inadequate documentation was a recurring weakness observed during supervisory reviews.

Legacy arrangements and remediation timelines

Existing outsourcing contracts entered before 31 March 2021 do not need immediate remediation but must be updated at the earliest opportunity—for example, at renewal or when materially changed—and no later than the end of the first renewal cycle after 31 March 2022. Firms should prioritize remediating contracts supporting important business services or involving critical data.

The PRA expects firms to develop implementation plans detailing how they will review legacy contracts, schedule negotiations, and resource legal and procurement teams. Progress should be tracked through governance committees with escalation paths for slippage. Firms should inform supervisors if they encounter barriers, such as resistance from hyperscale cloud providers, and propose alternative mitigations.

Regulatory coordination and future developments

SS2/21 aligns with other regulatory initiatives, including the Bank of England, PRA, and FCA joint discussion paper on critical third parties and the UK’s participation in international standard-setting (e.g., Financial Stability Board discussions on outsourcing). Firms should monitor potential future requirements, such as designation of critical third parties subject to direct oversight, and the UK’s implementation of the Digital Operational Resilience Act (DORA) for cross-border groups.

By embedding SS2/21 requirements into procurement, risk management, and operational resilience programs, firms can demonstrate to the PRA that third-party arrangements are controlled, resilient, and compatible with supervisory expectations. Failure to comply could lead to Skilled Person reviews, capital add-ons, or restrictions on outsourcing arrangements.
