Banking on resilience: how to meet the PRA regulations when outsourcing IT
As Regulatory Compliance Solutions Lead at NCC Group, Wayne Scott works with regulators, financial institutions and fintechs to support regulatory compliance with software resilience services.
To meet the expectations of today’s digitally-focussed consumers, financial organisations are adopting new technologies at a faster rate than ever before. From rapidly scaling their processing capabilities to providing always-on banking services, the motivations for this adoption are vast. However, many firms lack the required in-house technical capabilities to support such software, and therefore turn to external providers and third-party vendors for support.
The Prudential Regulatory Authority Supervisory Statement 2/21
In response to this surge in dependence on third-party technology solutions, the Prudential Regulatory Authority (PRA) published its final Policy (PS7/21) and Supervisory Statement (SS2/21) focusing on mitigating third-party supplier risk to financial institutions trading within the UK.
The policy aims to improve the resilience of both firms and the wider financial sector against operational disruptions and consolidates the PRA’s requirements, facilitating greater resilience around the adoption of cloud and other new technologies.
So, what risks does the policy aim to mitigate?
For a long time, risk has been largely considered from a technical or cyber security-focused perspective. However, these regulatory changes broaden the scope of risk in line with the increasing number of third-party supplied services used by financial businesses.
According to the Bank of England, 40-90% of banks’ workloads globally could be hosted on public cloud or software-as-a-service within a decade. It’s therefore important to consider the impact on business continuity if one of those suppliers were to fail – and this remains a firm focus for financial regulators, both in the UK and around the world, including the Bank of England, the Financial Conduct Authority (FCA) and the PRA.
PRA SS2/21: What you need to know
The SS2/21 predominantly focusses on “important business services”, such as critical third-party applications, which, if disrupted, would impact the PRA’s objective of creating a more coherent regulatory landscape. As well as damaging a firm’s reputation, the PRA also considers the wider impact to financial stability of the UK.
As a result, the regulator makes it clear that firms should assess the materiality and risks of all third-party agreements. Although certain elements such as network controls, host infrastructure and physical security fall outside firms' direct control, SS2/21 stipulates that firms are nonetheless responsible for assessing, and taking reasonable steps to manage, concentration risk and vendor lock-in.
This means ensuring that outsourcers have processes in place to anticipate, withstand and respond to disruption, and requires firms to identify dependencies and set impact tolerances which will require greater engagement with their vendors.
Key requirements to be considered
- Where arrangements are identified as being material or high risk, there should be “proportionate, risk-based, suitable controls” which are as robust as those which would apply to an outsourcing agreement of equivalent materiality or risk – putting service providers firmly under the microscope and therefore making them an integral element of the requirements set out in SS2/21.
- Once any impact tolerances have been set, firms will need to put in place whatever measures are required to ensure that they will not be breached in practice. Every firm must have a pre-developed “stressed exit plan” in place – meaning that they have measures to maintain business continuity should an IT failure occur within their supply chain. These plans must also be tested to ensure that they work, and the results of this must be presented to the regulator.
- Although the PRA does not mandate or favour the inclusion of any single resiliency option in outsourcing contracts, it is advised that all regulated entities ‘actively consider’ an Escrow Agreement when undertaking business continuity and exit planning.
Supporting firms with PRA compliance
Securing the source code of third-party software in escrow mitigates the non-technical risks associated with using outsourced technology – often unforeseen challenges such as supplier failure, service deterioration and elements of concentration risk.
Holding the source code in escrow allows the financial institution either to bring the failed service back in house, or to hand the service, together with all the necessary materials, to an alternative third party to manage on the company's behalf – thereby providing a practical resilience plan. If the materials held in escrow have been validated through a verification process, the financial institution can also use this as evidence that it has a workable stressed exit plan in place.
Over the past 30 years, NCC Group has been providing business continuity and software resilience solutions to the majority of the world’s largest financial institutions. Having a large presence in this sector has given us a strong insight into not only the internal policies and best practice with regards to business continuity, but also the rules and guidance imposed by financial regulators.
To learn more about the PRA regulations and how software resilience services can support businesses with meeting the new compliance requirements, you can watch this on-demand webinar PRA SS2/21 Regulations: Preparing your stressed exit plan.
Original article link: https://www.techuk.org/resource/banking-on-resilience-how-to-meet-the-pra-regulations-when-outsourcing-it.html