SS2/21 – Outsourcing and third party risk management

The Supervisory Statement (SS) 2/21, titled “Outsourcing and third party risk management,” issued by the Prudential Regulation Authority (PRA) of the Bank of England in March 2021, outlines the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management.

“Firms should implement proportionate, risk-based, suitable controls. These controls do not necessarily have to be the same as those that apply to outsourcing arrangements. However, the controls should be appropriate to the materiality and risks of the third party arrangement and as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality or risk. It follows that firms should apply stricter controls to material, non-outsourcing third party arrangements than to non-material outsourcing arrangements.”