5 behaviours a UK Financial Services company needs to exhibit to meet the PRA SS2/21 Outsourcing Regulations from March 2022

It’s taken a couple of years, but the EBA Outsourcing regulations have now been interpreted by the PRA, along with a few other changes, and distilled down into the Supervisory Statement SS2/21, which was released earlier this year and comes into effect on 31st of March 2022.

At its heart, the aims of the Supervisory Statement (SS) are to:

● complement the requirements and expectations on operational resilience [in the PRA Rulebook; SS1/21 ‘Operational resilience: Impact tolerances for important business services’; and the Statement of Policy (SoP) ‘Operational resilience’];

● facilitate greater resilience and adoption of the cloud and other new technologies as set out in the Bank of England (the Bank)’s response to the ‘Future of Finance’ report; and

● implement the:

○ European Banking Authority (EBA) ‘Guidelines on outsourcing arrangements’ (EBA Outsourcing GL). This SS clarifies how the PRA expects banks to approach the EBA Outsourcing GL in the context of its requirements and expectations. In addition, certain chapters in this SS expand on the expectations in the EBA Outsourcing GL, for instance, Chapters 7 (Data security) and 10 (Business continuity and exit plans).

○ relevant sections of the EBA ‘Guidelines on ICT and security risk management’ (EBA ICT GL).

Understood, but who are the companies that need to be concerned by this and put measures in place to ensure compliance post-March 2022? These regulatory changes are relevant to all:

● UK banks, building societies, and PRA-designated investment firms;

● insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents; and

● UK branches of overseas banks and insurers (hereafter third-country branches).

OK, so we understand when this is going to happen and who will be expected to comply, but not really what it will entail. Hopefully, this whitepaper can at least give you a summary and an accelerated understanding of the regulatory changes, and of the type of digital platform and processes that you will need to have in place already to handle this scope and to show that you, as an organisation, have taken reasonable steps to comply in the spirit of these regulatory changes.