As Regulatory Compliance Solutions Lead at NCC Group, Wayne Scott works with regulators, financial institutions and fintechs to support regulatory compliance with software resilience services.
To meet the expectations of today's digitally-focussed consumers, financial organisations are adopting new technologies at a faster rate than ever before. From rapidly scaling their processing capabilities to providing always-on banking services, the motivations for this adoption are vast. However, many firms lack the required in-house technical capabilities to support such software, and therefore turn to external providers and third-party vendors for support.
The Prudential Regulatory Authority Supervisory Statement 2/21
In response to this surge in dependence on third-party technology solutions, the Prudential Regulatory Authority (PRA) published its final Policy (PS7/21) and Supervisory Statement (SS2/21) focusing on mitigating third-party supplier risk to financial institutions trading within the UK.
The policy aims to improve the resilience of both firms and the wider financial sector against operational disruptions and consolidates the PRA's requirements, facilitating greater resilience around the adoption of cloud and other new technologies.
So, what risks does the policy aim to mitigate?
For a long time, risk has been largely considered from a technical or cyber security-focused perspective. However, these regulatory changes broaden the scope of risk in line with the increasing number of third-party supplied services used by financial businesses.
According to the Bank of England, 40-90% of banks' workloads globally could be hosted on public cloud or software-as-a-service within a decade. It's therefore important to consider the impact on business continuity if one of those suppliers were to fail - and this remains a firm focus for financial regulators, both in the UK and around the world, including the Bank of England, the Financial Conduct Authority (FCA) and the PRA.
PRA SS2/21: What you need to know
The SS2/21 predominantly focusses on important business services, such as critical third-party applications, which, if disrupted, would impact the PRA's objective of creating a more coherent regulatory landscape. Beyond the damage to a firm's reputation, the PRA also considers the wider impact on the financial stability of the UK.
As a result, the regulator makes it clear that firms should assess the materiality and risks of all third-party agreements. Although certain elements such as network controls, host infrastructure and physical security fall outside the control of firms, SS2/21 stipulates that these firms are now responsible for assessing and taking reasonable steps to manage concentration risk and vendor lock-in.
This means ensuring that outsourcers have processes in place to anticipate, withstand and respond to disruption. It also requires firms to identify dependencies and set impact tolerances, which in turn calls for greater engagement with their vendors.
Key requirements to be considered
- Where arrangements are identified as being material or high risk, there should be proportionate, risk-based, suitable controls which are as robust as those which would apply to an outsourcing agreement of equivalent materiality or risk - putting service providers firmly under the microscope and therefore making them an integral element of the requirements set out in SS2/21.
- Once any impact tolerances have been set, firms will need to put in place whatever measures are required to ensure that they will not be breached in practice. Every firm must have a pre-developed stressed exit plan in place - meaning that they have measures to maintain business continuity should an IT failure occur within their supply chain. These plans must also be tested to ensure that they work, and the results of this must be presented to the regulator.
- Although the PRA does not mandate or favour the inclusion of any single resiliency option in outsourcing contracts, it is advised that all regulated entities actively consider an Escrow Agreement when undertaking business continuity and exit planning.
Supporting firms with PRA compliance
Securing the source code of third-party software in escrow mitigates the non-technical risks associated with using outsourced technology - often unforeseen challenges such as supplier failure, service deterioration and elements of concentration risk.
Holding the source code in escrow allows the financial institution either to bring the failed service back in house, or to pass the service to an alternative third party with all the tools necessary to manage it on the company's behalf - therefore providing a valuable resilience plan. And if the materials within escrow are validated through a verification process, the financial institution is able to use this as evidence that it has a successful stressed exit plan in place.
Over the past 30 years, NCC Group has been providing business continuity and software resilience solutions to the majority of the world's largest financial institutions. Having a large presence in this sector has given us a strong insight into not only the internal policies and best practice with regards to business continuity, but also the rules and guidance imposed by financial regulators.
To learn more about the PRA regulations and how software resilience services can support businesses with meeting the new compliance requirements, you can watch the on-demand webinar "PRA SS2/21 Regulations: Preparing your stressed exit plan".