Hampden & Co / BANKING / PRA SS1/21

Building a Stressed Exit Plan for a UK Private Bank's Critical Payment Technology Supplier

8 weeks from instruction.

The challenge

From Relationship to Readiness: Building a Stressed Exit Plan for a UK Private Bank's Critical Payment Technology Supplier

Hampden and Co Bank is a UK private bank serving high-net-worth individuals and their families, authorised and regulated by the Prudential Regulation Authority and the Financial Conduct Authority. The bank's Important Business Services include making outbound payments, lending drawdown, card purchasing, and receiving payments to account all of which carry a material dependency on Bottomline Technologies, a financial technology provider engaged since February 2015 for payment screening, payment services, and treasury-related solutions. The relationship with Bottomline Technologies represented a material outsourcing arrangement under PRA SS2/21 and FCA SYSC. The bank's third-party and outsourcing programme had experienced delays in delivering the annual programme of framework activities, including the development of a structured, evidence-generating exit plan for its most critical payment technology supplier. The gap between the regulatory requirement and the bank's documented readiness position was material: no formal stressed exit plan existed for Bottomline Technologies, and no monitoring framework had been established to detect early indicators of supplier distress or failure. The bank's Head of Resilience and Risk identified that the absence of a credible, structured exit plan represented a direct supervisory risk. The PRA's expectations under SS2/21 are explicit firms must be able to demonstrate that they can execute an orderly exit from a material outsourcing arrangement and, critically, that they have identified and tested their readiness to manage a stressed exit where normal transition timelines cannot be assumed. FourthLine was engaged to assess the relationship, identify the scenarios that could trigger a stressed exit, and produce a regulator-ready exit plan that the bank's senior management and SMF24 holder could stand behind.

 

What FourthLine delivered

  • Structured review of the Bottomline Technologies material outsourcing arrangement: services provided, IBS dependencies, contractual terms, and fourth-party concentration risk. 

  • Four material risk scenarios identified and risk-rated, covering technology failure, cyber attack, data breach, and supplier financial distress. Scenarios calibrated to IBS impact and likelihood. 

  • Amber and red monitoring thresholds designed and assigned across financial stability, operational performance, cyber and information security, and regulatory compliance indicators. 
  • Assessment of available contractual levers including step-in rights, documentation escrows, IP rights, key personnel clauses, termination-for-cause provisions, and transitional support obligations. 

  • Role-assigned response structure mapped to exit scenarios. Crisis governance structure, escalation protocols, and senior management accountability (SMF24) defined for each scenario. 

  • Remediation actions across operational readiness, supplier monitoring, and contract management workstreams. Actions assigned to named owners with target completion dates and priority classification 

The engagement produced the foundational exit planning infrastructure the bank had not previously had: a structured, evidence-generating document covering the scenarios that could force a stressed exit from its most critical payment technology supplier, the contractual tools available to manage that transition, and the governance and operational readiness framework required to execute it under pressure. 
 
The most significant operational outcome was the establishment of a calibrated monitoring framework: amber and red thresholds designed to provide the bank's executive and board with structured early warning of deterioration in the Bottomline Technologies relationship, ensuring that the decision to invoke the exit plan could be taken with appropriate lead time rather than in reaction to a crisis. Combined with the contractual gap analysis, this gave the bank's SMF24 holder a defensible position on the firm's TPRM readiness for the first time.
 
The engagement also established the evidence base needed to support the bank's next annual contract negotiation with Bottomline Technologies, providing a structured articulation of the contractual protections required and the gaps that needed to be closed before the renewed agreement could be considered operationally adequate from a resilience perspective.
The firm entered its PRA supervisory meeting with a complete, evidenced operational resilience programme. The board evidence pack provided the regulator with the documentary record it requested on day one of the review. 
Hampden & Co Bank
View Case Study

Start with a Diagnostic Assessment

A structured 4–6 week assessment of your Banking firm's operational resilience position against PRA and FCA requirements. Fixed fee: £15k–£25k. Board-ready gap report delivered within 6 weeks

Book a scoping call with Kieran