Outsourcing & Third-party Risk Management – PRA expectations formalised in new statements

On the same day as the Prudential Regulation Authority published their Operational Resilience Policy and Supervisory Statements, the regulator made it a double-header with identical publications for Outsourcing & Third-Party Risk Management.

Insights on the Operational Resilience publications are provided in a separate blog; however, given the interconnections between the two sets of requirements and their complementary approach, we recommend reading both as a pair.

Scope, definition, and timelines

The PRA’s Outsourcing & Third-Party Risk Management (O&TPRM) requirements are relevant to all UK Banks, Building Societies, PRA-designated Investment Firms, Solvency II Firms, and Third-country branches.

The PRA Rulebook defines ‘outsourcing’ as ‘an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself’.

The PRA also highlights that firms should differentiate between a one-off product or service purchase and outsourcing performed on an ongoing or continuous basis.

As with operational resilience, the PRA has given firms a year to meet the expectations of their Supervisory Statement, with the compliance deadline being 31 March 2022.

Highlights of key requirements for firms

Outsourcing agreements

  • All outsourcing arrangements must be set out in a written agreement
  • Under a Master Service Agreement (MSA), each outsourced service should be appropriately documented
  • Written agreements for non-material arrangements should still include contractual safeguards to manage risks, whilst allowing the PRA appropriate access to supervise both the firm and function

Data security

Firms must:
  • classify relevant data based on their confidentiality and sensitivity;
  • identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
  • agree an appropriate level of data availability, confidentiality, and integrity; and
  • if appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.

Sub-outsourcing

  • Firms must assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that firms have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers.
  • Firms should assess whether sub-outsourcing is materially important, which includes the potential impact on the firm’s operational resilience and the provision of important business services.
  • Firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies.

Business continuity & exit plans

For each material outsourcing arrangement, firms should develop, maintain, and test a business continuity plan and documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:

  • in stressed circumstances (e.g. following the failure or insolvency of the service provider) (stressed exit); and
  • through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).

Access, audit and information rights

  • Firms must take reasonable steps to ensure that written agreements for material outsourcing arrangements provide them, their auditors, the PRA, the BoE, and any other person appointed by the firm, the BoE, or the PRA, with full access and unrestricted rights of audit.
  • Firms must exercise their access, audit, and information rights in respect of material outsourcing arrangements in an outcomes-focused way, to assess whether the service provider is providing the relevant service effectively and in compliance with the firm’s legal and regulatory obligations and expectations, including as regards operational resilience.

Proportionality and materiality

  • Firms should meet the PRA’s expectations in a manner appropriate to their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function.
  • Proportionality and materiality can change over time and firms should reassess both as appropriate.
  • Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group and should not be treated as being inherently less risky.

Next steps

For further insights on operational resilience, go to our Operational Resilience micro-site.


March 30, 2021

Written by Ross Molyneux

Ross specialises in risk management and regulation. He has worked extensively across non-financial and financial risk management engagements in his time in consulting in both the UK and New Zealand.