Compliance · Credibility 86/100 · 2 min read

Compliance Briefing — March 31, 2021

The UK Prudential Regulation Authority published Supervisory Statement SS2/21 on 31 March 2021, setting stringent outsourcing and third-party risk management expectations ahead of the March 2022 application date.

Executive briefing: The Bank of England’s Prudential Regulation Authority (PRA) issued Supervisory Statement SS2/21 on 31 March 2021. Banks, insurers, and designated investment firms must upgrade outsourcing registers, resilience testing, and exit plans before the policy takes effect on 31 March 2022.

Key compliance checkpoints

  • Comprehensive outsourcing register. Maintain a single inventory covering critical and important functions, sub-outsourcing, location, and data classifications.
  • Contractual provisions. Ensure agreements provide audit access, data security, service continuity, and cooperation with UK regulators.
  • Exit and contingency planning. Document tested exit strategies, fallback arrangements, and resolvability considerations for material services.

Operational priorities

  • Gap remediation. Map existing policies to SS2/21 chapters, prioritising updates to cloud and third-party governance frameworks.
  • Impact tolerances. Align outsourcing oversight with operational resilience requirements in the PRA Rulebook, ensuring consistent impact tolerance metrics.
  • Board oversight. Establish board reporting on critical third-party concentration, control testing, and remediation progress.

Enablement moves

  • Deploy vendor management tooling capable of capturing dependency, data residency, and subcontracting details required by SS2/21.
  • Run joint resilience exercises with key providers to evidence recovery time objectives and communication channels.
  • Integrate SS2/21 requirements into procurement checklists and due diligence questionnaires.

Sources

Zeph Tech helps PRA-regulated firms industrialise outsourcing inventories, resilience testing, and contractual controls to meet SS2/21 requirements.

  • PRA SS2/21
  • Outsourcing register
  • Third-party risk
  • Operational resilience