SS2/21 Outsourcing and third party risk management - Bank of ...

This Supervisory Statement (SS) sets out the Prudential Regulation Authority's (PRA) expectations of how PRA-regulated firms should comply ... Ouruseofcookies Weusenecessarycookiestomakeoursitework(forexample,tomanageyoursession).We’dalsoliketousesomenon-essentialcookies(includingthird-partycookies)tohelpusimprovethesite.Byclicking‘Acceptrecommendedsettings’onthisbanner,youacceptouruseofoptionalcookies. Necessarycookies Analyticscookies   Yes Yes Acceptrecommendedcookies Yes No Proceedwithnecessarycookiesonly Necessarycookies Necessarycookiesenablecorefunctionalityonourwebsitesuchassecurity,networkmanagement,andaccessibility.Youmaydisablethesebychangingyourbrowsersettings,butthismayaffecthowthewebsitefunctions. Analyticscookies Weuseanalyticscookiessowecankeeptrackofthenumberofvisitorstovariouspartsofthesiteandunderstandhowourwebsiteisused.FormoreinformationonhowthesecookiesworkpleaseseeourCookiepolicy. Skiptomaincontent Home Prudentialregulation SS2/21Outsourcingandthirdpartyriskmanagement SS2/21Outsourcingandthirdpartyriskmanagement SupervisoryStatement2/21 Publishedon 29March2021 ThisSupervisoryStatement(SS)setsoutthePrudentialRegulationAuthority’s(PRA)expectationsofhowPRA-regulatedfirmsshouldcomplywithregulatoryrequirementsandexpectationsrelatingtooutsourcingandthirdpartyriskmanagement. TheaimsofthisSSareto: complementtherequirementsandexpectationsonoperationalresilience[inthePRARulebook;SS1/21‘Operationalresilience:Impacttolerancesforimportantbusinessservices’;andtheStatementofPolicy(SoP)‘Operationalresilience’];  ‘facilitategreaterresilienceandadoptionofthecloudandothernewtechnologies’assetoutintheBankofEngland(theBank)’sresponsetothe‘FutureofFinance’report;and implementthe: EuropeanBankingAuthority(EBA)‘Guidelinesonoutsourcingarrangements’(EBAOutsourcingGL).ThisSSclarifieshowthePRAexpectsbankstoapproachtheEBAOutsourcingGLinthecontextofitsrequirementsandexpectations.Inaddition,certainchaptersinthisSSexpandontheexpectationsintheEBAOutsourcingGL,forinstanceChapters7(Datasecurity)and10(Businesscontinuityandexitplans). relevantsectionsoftheEBA‘GuidelinesonICTandsecurityriskmanagement’(EBAICTGL). ThisSSisrelevanttoall: UKbanks,buildingsocieties,andPRA-designatedinvestmentfirms; insuranceandreinsurancefirmsandgroupsinscopeofSolvencyII,includingtheSocietyofLloyd’sandmanagingagents;and  UKbranchesofoverseasbanksandinsurers(hereafterthird-countrybranches).  SomeoftherequirementsandexpectationsreferredtointhisSSalsoapplytocreditunionsandnon-directivefirms(NDFs).  Future version Published29March2021.Effectivefrom31March2022. SupervisoryStatement2/21–March2021(PDF)OPENSINANEWWINDOW -following PS7/21‘Outsourcingandthirdpartyriskmanagement'.  ConvertthispagetoPDF Otherprudentialregulationreleases PrudentialRegulation//PRARegulatoryDigest 01April2022 PRARegulatoryDigest-March2022 PRARegulatoryDigest-March2022 PrudentialRegulation//Discussionpaper 31March2022 DP1/22–Theprudentialliquidityframework:... DP1/22–Theprudentialliquidityframework:Supportingliquidassetusability PrudentialRegulation//Policystatement 25March2022 PS3/22|CP1/22-FinancialServicesCompensation... PS3/22|CP1/22-FinancialServicesCompensationScheme–ManagementExpensesLevyLimit2022/23 PrudentialRegulation//Letter 24March2022 LetterfromSamWoods‘Existingorplanned... LetterfromSamWoods‘Existingorplannedexposuretocryptoassets’ ViewmoreOtherprudentialregulationreleases Backtotop Giveyourfeedback Wasthispageuseful? Yes,itwasuseful Yes No,itwasn'tuseful No PageUrlIsMobileBrowserIPAddressOperatingSystem Thanks! Wouldyouliketogivemoredetail? PressSpacebarorEntertoselect Whatdidyouthinkofthispage? Addyourdetails...PageUrlIsMobileBrowserOperatingSystem Pleaseprovethatyou'renotarobot: