Skip to content
Royalty-free stock illustration ID: 755847970
Royalty-free stock illustration ID: 755847970

News -

UK PRA publishes rules for outsourcing and third-party risk management

This week, the UK’s Prudential Regulation Authority (PRA) published its Supervisory Statement on outsourcing and third-party risk management.

The publication offers guidance for businesses across the banking and financial services sector on what they should do when outsourcing services and mitigating third-party risk.

This follows the Bank of England’s Consultation Paper 30/19 published in 2019, which set out the key considerations to take forward in the official guidance.

Within this Supervisory Statement, the PRA considers an escrow agreement as one of a number of relevant resiliency options for firms to consider when undertaking business continuity and exit planning.

While it does not mandate or favour a single resiliency option, the PRA encourages firms to explore appropriate and viable options which, the PRA states explicitly, “may include escrow”.

Commenting on this news, Simon Fieldhouse, global managing director – software resilience at NCC Group said:"NCC Group has long taken the view that software and technology escrow solutions offer legal and technical assurance to allow firms to adopt, innovate and manage third-party technologies with confidence.

"We are delighted that the PRA has explicitly included escrow agreements as a relevant resiliency option in outsourcing contracts, as proposed by our experts.

“However, the work doesn't stop here. We must continue to engage with regulators world-wide to encourage them to acknowledge escrow agreements as a mechanism that enable organisations to comply with third-party risk mitigation, outsourcing and business continuity requirements and as a way to operate and grow in a resilient, safe and secure way.

"We believe that awareness and education of operational resilience needs to improve and that regulators can play a role in supporting financial institutions in achieving resilience by design.”

The new regulation will come into play on Thursday 1 April and will affect all regulated entities, independent software vendors, and cloud suppliers. If you’d like to find out more about what’s next read our Spotlight on’ piece here.



Press contacts

NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7824 412 405

Related content

Related events

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom