UK: PRA publishes policy statement on outsourcing and third-party risk management

The Prudential Regulation Authority ('PRA') published, on 29 March 2021, a policy statement which provides feedback on the responses to its consultation paper on outsourcing and third-party risk management and contains the PRA's final supervisory statement on the matter. In particular, the policy statement highlights, among other things, that firms must implement effective, risk-based controls over all third-party arrangements, irrespective of whether they fall within the definition of outsourcing.

Furthermore, the policy statement outlines that the PRA intends to publish a subsequent consultation setting out proposals for an online portal that banks and insurers would need to populate with information on their outsourcing and third-party arrangements. The aim is to give the PRA access to clear, consistent data from banks and insurers about their outsourcing and third-party dependencies, so that it can identify, monitor, and manage systemic concentration risk. However, the policy statement clarifies that, until the consultation on the online portal is finalised, firms should continue to meet existing record-keeping requirements.

In addition, the policy statement sets out firms' data security requirements, including that the controls required will depend on the materiality and risk of the outsourcing arrangement, and that data protected by encryption should be provided to the PRA in an accessible format. Moreover, the policy statement highlights that the PRA expects firms to know the location of their data at all times, including when in transit, and to implement appropriate, proportionate, and risk-based technical and organisational measures to protect different classes of data.

Lastly, the policy statement notes that firms will be expected to comply with the expectations in the supervisory statement by Thursday 31 March 2022, and that the policy set out in the policy statement has been designed in the context of the UK having left the EU and the transition period having come to an end.

You can read the press release here and the policy statement here.
