News -

UK PRA publishes rules for outsourcing and third-party risk management

This week, the UK’s Prudential Regulation Authority (PRA) published its Supervisory Statement on outsourcing and third-party risk management.

The publication offers guidance for businesses across the banking and financial services sector on what they should do when outsourcing services and mitigating third-party risk.

This follows the Bank of England’s Consultation Paper 30/19 published in 2019, which set out the key considerations to take forward in the official guidance.

Within this Supervisory Statement, the PRA considers an escrow agreement as one of a number of relevant resiliency options for firms to consider when undertaking business continuity and exit planning.

While it does not mandate or favour a single resiliency option, the PRA encourages firms to explore appropriate and viable options which, the PRA states explicitly, “may include escrow”.

Commenting on this news, Simon Fieldhouse, global managing director – software resilience at NCC Group said:"NCC Group has long taken the view that software and technology escrow solutions offer legal and technical assurance to allow firms to adopt, innovate and manage third-party technologies with confidence.

"We are delighted that the PRA has explicitly included escrow agreements as a relevant resiliency option in outsourcing contracts, as proposed by our experts.

“However, the work doesn't stop here. We must continue to engage with regulators world-wide to encourage them to acknowledge escrow agreements as a mechanism that enable organisations to comply with third-party risk mitigation, outsourcing and business continuity requirements and as a way to operate and grow in a resilient, safe and secure way.

"We believe that awareness and education of operational resilience needs to improve and that regulators can play a role in supporting financial institutions in achieving resilience by design.”

The new regulation will come into play on Thursday 1 April and will affect all regulated entities, independent software vendors, and cloud suppliers. If you’d like to find out more about what’s next read our Spotlight on’ piece here.


  • Technology, general


  • uk


NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

Insights paper: EU Financial Services Guidance for IT Outsourcing Regulation and Managing Third-Party Risk

To support EU financial services organisations on their journey to compliance we have compiled the key EU regulations around IT outsourcing, highlighting specific rules and guidance around business continuity and contingency planning for critical functions. In this paper, you’ll find NCC Group’s best practice advice and recommended solutions for managing third-party risk and ensuring compliance.

Related events