Intelectual Property (IP)

Prudential Regulation Authority SS2/21 Compliance Checklist | NCC Group

Editorial Staff 4 min read

What is SS2/21 outsourcing and third-party risk management?

The PRA expect UK Financial Services firms to have robust continuity measures in place for “important business services” and specifically stipulate that any material cloud outsourcing arrangement must adopt the highest of resiliency options.

Free Guide

PRA Outsourcing regulations: Solutions to support compliance

Providing you with the necessary materials to engage with an alternative third-party to rebuild an outsourced SaaS application.

Download Now

1. Assess the risks of ALL third-party arrangements

The PRA states that it expects firms to assess the materiality and risks of third-party arrangements, irrespective of whether they fall within the usual definition of “outsourcing”.

We recommend you review your current third-party software portfolio with risk assessment tools or work with an independent specialist to assess potential risks associated with any extensive reliance your firm may have on one service provider.

Think about the size and complexity of the business areas that could be affected by disruption to this outsourced function.

style=”margin-left:0px; margin-right:0px”>Would an interruption in service stop you from complying with the guidelines?

Would it impact your financial performance? Would you still be able to perform the activities of your core business lines?

2. Categorize third-party dependencies on criticality and concentration risk

PRA SS2/21 stipulates that in scope firms will need to maintain an up-to-date register of outsourcing relationships, distinguishing between those that are material (or high risk) and those that are not.

Any applications that are deemed as material must have an exit plan, which means you should categorize the materiality of third parties based upon the role they perform in supporting critical business services.

This will allow you to prioritize the highest-risk vendors and focus your efforts where they are needed most. This way you’ll immediately reduce the greatest risks to your organization should you experience a stressed exit.

Wayne Scott, our Regulatory Compliance lead, explains what is meant by a stressed exit.

3. Carry out supplier risk assessment & due diligence

Once you’ve established which services are most critical to your business, you’ll then need to conduct proper due diligence on any potential service provider.

A superficial evaluation is not sufficient to proactively assess and mitigate risk – so make sure your due diligence practices reflect the materiality and risk assessment from the previous steps. For material (or high risk) outsourcing your due diligence process should address:

  • Whether the software provider has the ability, capacity, resources, organizational structure and authorization to reliably deliver the service.
  • The software providers ability to meet standards of service quality, security and reliability for the length of the contract.
  • Any sub-contracting or additional party collaboration that might be required, along with any risks these additional relationships may bring.
  • Any potential conflicts of interest.

4. Immediately revisit procurement procedures

It’s important to remember that signing a contract with a third-party vendor doesn’t mean that responsibility and accountability has been outsourced to the third party as well.

That’s why we recommend you develop an onboarding process for any new third-party software providers. This will ensure any future applications you add to your software estate have a demonstrably working stressed exit plan in place as soon as they are procured, rather than at go live.

5. Document and test business continuity and exit plans

The PRA expects you to demonstrate that you can retain flexibility to deliver important business services when disruption occurs. When building your stressed exit plan make sure it is comprehensive, well documented and where possible, regularly tested.

We recommend implementing software resilience measures such as Escrow agreements and Verification to help protect outsourced software and ensure compliance with PRA guidelines.

Software Escrow Agreements combined with Escrow Verification provides firms with the legal and technical assurance to bring an important service back-in house or the necessary materials to migrate to another service provider to rebuild the outsourced service should disruption occur.

Head of Product & Solution Architecture, Jamie Mackay, explains how Software Escrow can be used to meet PRA SS2/21 requirements.

6. Continual monitoring

Ongoing vendor monitoring throughout the life of a third-party relationship is critical. Engagements with third parties do not end after the assessment phase – or after your stressed exit plans have been built.

Continually review and revise your due diligence activities, procurement policies as well as both material and non-material applications as the business, and any third-party relationships, evolve.

Identify any current non-material services which have the potential to become a material service overtime and make sure these are built into your stressed exit plan to avoid having to adapt when new issues arise.

Key takeaways

  • Review your current third-party software portfolio and assess potential risks associated with any reliance your firm may have on one service provider.
  • Categorise the materiality of third parties based upon the role they perform in supporting critical business services to ensure the highest-risk vendors have the necessary stressed exit plan in place.
  • For high-risk outsourcing arrangements make sure due diligence processes address whether the software provider has the ability, capacity and resources to reliably deliver the service.
  • Develop an onboarding process to ensure a demonstrably working stressed exit plan is in place as soon as new third-party applications are procured, rather than at go live.
  • Software Escrow and Verification solutions form a vital part of any business continuity plan as they provide regulated firms with the legal right to access the outsourced application and gives a firm the knowledge required to execute their exit plan accordingly.
  • Continually review and revise your due diligence activities and procurement policies to ensure any current non-material services can be built into your stressed exit plan.

[View source.]

Story originally seen here

Editorial Staff

The American Legal Journal Provides The Latest Legal News From Across The Country To Our Readership Of Attorneys And Other Legal Professionals. Our Mission Is To Keep Our Legal Professionals Up-To-Date, And Well Informed, So They Can Operate At Their Highest Levels.

The American Legal Journal Favicon

Related

IPWatchdog LIVE Panel Notes Order Curbing Albright May Soon Be Revoked

Editorial Staff

“The panelists also recognized that the Chief Judge of the Western District is going to change in November 2022, which

Vidal Delays OpenSky Payment But Upholds Attorney’s Fees Award for VLSI

Editorial Staff

“While Goodyear does require a causal link between attorney’s fees incurred and misconduct, Vidal noted that the Supreme Court’s ruling

What You Need to Know About Trade Secrets in 2022

Editorial Staff

“One of the unique aspects of trade secret law…is that the boundaries of the right are not specified in a

Leave a Reply