New Workshop for Insurance Firms: Outsourcing & Third-party Risk Management

The deadline for compliance with the Prudential Regulation Authority's (PRA) Outsourcing & Third-Party Risk Management policy is the 31st of March 2022.

The PRA’s Outsourcing & Third-Party Risk Management (O&TPRM) requirements are relevant to all PRA-regulated Insurance firms.

FourthLine has designed a Workshop specifically for in-scope Insurance firms to walk through the new outsourcing requirements and outline how the policy statement will impact insurers.

The new 90-minute workshop will be delivered online and is ideal for 6 to 10 delegates with responsibility for planning and implementing the new requirements.

PRA-regulated Insurance firms often outsource services or business functions to third parties.

However, it is important to note that regulated firms cannot outsource their regulatory responsibility.


The PRA Rulebook defines ‘outsourcing’ as "an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself".

Highlights of key requirements for firms

Outsourcing agreements

  • All outsourcing arrangements must be set out in a written agreement
  • Under a Master Service Agreement (MSA), each outsourced service should be appropriately documented
  • Written agreements for non-material arrangements should still include contractual safeguards to manage risks, whilst allowing the PRA appropriate access to supervise both the firm and function

Data security

Firms must:
  • classify relevant data based on their confidentiality and sensitivity;
  • identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
  • agree on an appropriate level of data availability, confidentiality, and integrity; and
  • if appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.

Sub-outsourcing

  • Firms must assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that firms have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers.
  • Firms should assess whether sub-outsourcing is materially important, which includes the potential impact on the firm’s operational resilience and the provision of important business services.
  • Firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies.

Business continuity & exit plans

For each material outsourcing arrangement, firms should develop, maintain, and test a business continuity plan and documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:

  • in stressed circumstances (e.g., following the failure or insolvency of the service provider) (stressed exit); and
  • through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).

Access, audit and information rights

  • Firms must take reasonable steps to ensure that written agreements for material outsourcing arrangements provide them, their auditors, the PRA, the BoE, and any other person appointed by firms or the Bank and PRA, with full access and unrestricted rights for audit.
  • Firms must exercise their access, audit, and information rights in respect of material outsourcing arrangements in an outcomes-focused way, to assess whether the service provider is providing the relevant service effectively and in compliance with the firm’s legal and regulatory obligations and expectations, including as regards operational resilience.

Proportionality

  • Firms should meet the PRA’s expectations in a manner appropriate to their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function.
  • Proportionality and materiality can change over time and firms should reassess both as appropriate.
  • Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group and should not be treated as being inherently less risky.

Next steps:

Find out more or book onto our Outsourcing & Third-party Risk Management workshop.

For further insights on operational resilience, go to our Operational Resilience micro-site.



June 30, 2021

Written by Jakes de Kock