The Bank of England’s Prudential Regulation Authority (PRA) Supervisory Statement SS2/21 sets expectations for how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and third-party risk management to improve business resilience.
The Supervisory Statement applies to all UK banks, investment and insurance firms, and UK branches of overseas banks and insurance firms, and
Supervisory Statement SS2/21 requires that PRA-regulated firms conduct a Materiality Assessment for each vendor during onboarding and periodically thereafter. It is therefore important to follow the third-party business and operational resilience practices necessary to be compliant and minimize risk to your organization.
- Conduct Materiality Assessments and continuously monitor outsourcing and non-outsourcing third parties for business resilience risks
- Identify and regularly report on third-party business resilience
- Measure third-party performance against operational risk, conduct risk, information risk and legal risk
- Proactively set business resilience requirements in third-party contracts
The PRA SS2/21 Third-Party Compliance Checklist
Uncover third-party risk management requirements in the Bank of England's Prudential Regulation Authority (PRA) Supervisory Statement SS2/21, and learn how Prevalent can help.
Complying with PRA Supervisory Statement SS2/21
The summary table below maps capabilities in the Prevalent Third-Party Risk Management Platform to select outsourcing and non-outsourcing third-party requirements.
NOTE: This table is a summary of the most relevant requirements only, and it should not be considered comprehensive, definitive guidance. For a complete list of requirements, please review the complete Supervisory Statement in detail and consult your auditor.
| PRA SS2/21 Requirements | How We Help |
|---|---|
| 2 Definitions and scope | |
| 2.8 “In line with the expectations in Chapter 4 of this SS, firms may implement a holistic, single third party risk management policy covering outsourcing and non-outsourcing third party arrangements. Alternatively, they may have separate policies on each of those respective areas provided that they are aligned, consistent, effective, and suitably risk-based.” | The Prevalent Third-Party Risk Management Platform simplifies the management of third parties, enabling organizations to unify and automate the critical tasks required to identify, assess, manage, continuously monitor, and remediate third-party security, privacy, compliance and operational risks across every stage of the vendor lifecycle. The solution delivers: |
| 2.9 “The following standards apply to all third party ICT arrangements: | The Prevalent Platform includes a library of more than 100 questionnaire templates that address a multitude of ICT security-based frameworks, including Cyber Essentials, ISO 27001, NIST 800-53, GDPR, and many others. |
| 3 Proportionality | |
| 3.6 “Depending on its level of control and influence in respect of intragroup outsourcing arrangements, a firm may, for example: | The Prevalent TPRM Platform enables security and risk management teams to automatically tier suppliers according to their inherent risk scores. Results can be used to set appropriate levels of further due diligence and determine the scope of ongoing assessments. |
| 3.7 “Where relevant, firms may be able to leverage compliance with existing requirements in other areas of regulation to help meet their regulatory obligations in respect of their intragroup outsourcing arrangements.” | The Prevalent Platform automatically maps information gathered from control-based assessments to regulatory frameworks including ISO 27001, GDPR and dozens more. This enables you to quickly visualize and address important compliance requirements and simplify auditing processes. Customers can also choose to use the Prevalent Compliance Framework (PCF), a single, comprehensive assessment that enables security and risk management teams to map answers to several regulatory requirements. |
| 5 Pre-outsourcing phase | |
| 5.8 “Firms are responsible for assessing the materiality of their outsourcing and third party arrangements. Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed: | The Prevalent Platform enables organizations to assess, monitor and remediate risks at all stages of the third-party lifecycle. Key capabilities include: |
| 5.10 “Firms should develop their own processes for assessing materiality as part of their outsourcing or third party risk management policy (see Chapter 4).” | The Prevalent Platform automates the identification, assessment, analysis, ongoing monitoring and remediation of third-party risks at every stage of the vendor lifecycle, from selection to offboarding. The Platform includes an extensive library of assessment templates, including those to determine the materiality of a third-party arrangement and the risks involved. |
| 5.11 “Consistent with the definition of ‘material outsourcing’ in the PRA Rulebook and, where applicable, the criteria in the EBA Outsourcing GL, a firm should generally consider an outsourcing or third party arrangement as material where a defect or failure in its performance could materially impair the financial stability of the UK or firms'; | The Prevalent TPRM Platform automates the assessment, continuous monitoring, analysis, and remediation of outsourcing and non-outsourcing third-party business resilience and continuity, while automatically mapping results to NIST, ISO, and other control frameworks to demonstrate compliance. To complement business resilience assessments and validate results, Prevalent: |
| 5.12 “The PRA also expects firms to classify an outsourcing arrangement as material if the service being outsourced involves an: | Prevalent enables organizations to classify third parties based on multiple criteria, including: An effective tiering and categorization process enables organizations to assess third parties according to their criticality to business operations, while informing further due diligence efforts. |
| 5.13 “The PRA expects firms to have regard to all applicable criteria in Table 5 below, both individually and in conjunction, when assessing the materiality of an outsourcing or third party arrangement not otherwise covered by paragraphs 5.8 and 5.9. Although in practice many material outsourcing and third party arrangements involve ICT products or services (eg cloud), the presence of a given ICT product or service does not, in itself, automatically render an outsourcing arrangement material. Recreated from Table 5: Direct connection to the performance of a regulated activity. Size and complexity of relevant business area(s) or function(s). The potential impact of a disruption, failure, or inadequate performance on the firm’s: The firm’s ability to scale up the outsourced service. Ability to substitute the service provider or bring the outsourced service back in-house, including estimated costs, operational impact, risks, and timeframe of an exit in stressed and non-stressed scenarios.” | The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices. This enables organizations to: |
| 5.18 “The PRA expects firms to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify a suitable alternative or back-up providers where available. If no alternative or back-up providers for a material outsourcing arrangement are available, firms should consider alternative business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business within their impact tolerances in the event of material disruption at their chosen service provider (see Chapter 10).” | Prevalent RFx Essentials centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). RFx Essentials makes it easy for procurement teams to not only select solutions and vendors that meet the organization’s functionality and risk requirements, but also take a critical first step in managing risk throughout the third-party lifecycle. Organizations can also take advantage of the Prevalent Vendor Intelligence Networks, which are on-demand libraries of thousands of vendor risk reports based on security, privacy, business resilience and operational risks. Prevalent Vendor Networks are continuously updated and populated with supporting evidence. |
| 5.19 “In the case of material outsourcing, the PRA expects firms’ due diligence to consider the potential providers’: 5.20 “The due diligence should also consider whether potential service providers: | The Prevalent Platform includes 100+ pre-defined assessment templates including standardized information security vendor risk assessment questionnaires, as well as business resilience, GDPR, FCA, ISO 27001, Modern Slavery, Anti-Bribery, Health & Safety, Financial Performance, Management & Ethics and more. Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Prevalent manages centralized vendor profiles that unify demographics, Modern Slavery statements, ESG scores, and mapped fourth parties. Prevalent integrates and correlates continuous monitoring and profile insights against assessment results to provide a central location to view and act on risks. |
| 5.21 “In line with Risk Control 3.4(2) and Risk Management 3.1, firms should, in a proportionate manner, assess the potential risks of all third party arrangements, including outsourcing arrangements, regardless of materiality. As part of the risk assessment, the PRA expects firms to consider: | The Prevalent Third-Party Incident Response Service enables teams to rapidly identify and mitigate the impact of third-party vendor breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Combined with continuous cyber monitoring, it provides organizations with a comprehensive view of external information security risks that can impact operations. Prevalent taps into financial information from a global network of 2 million businesses. This includes 5 years of organizational changes and financial performance, such as turnover, profit and loss, shareholder funds, and other data useful for evaluating company health and viability. |
| 5.22 “The PRA expects firms to carry out risk assessments in the circumstances referred to in paragraph 5.6 and also if they consider that there may have been a significant change to an outsourcing arrangement’s risks due to, for instance, a serious breach/continued breaches of the agreement or a crystallised risk.” | Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. The Platform offers access to a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. These capabilities help to fill gaps in between regular third-party risk assessments, with results triggering automated actions such as additional assessments and remediations. |
| 5.23 “A firm’s risk assessment should balance any risks that the outsourcing arrangement may create or increase against any risks it may reduce or enable the firm to manage more effectively (for instance, a firm’s resilience to disruption). The assessment should also take into account existing or planned risk mitigation, eg staff procedures and training.” | The Prevalent Platform includes built-in remediation recommendations to accelerate risk mitigations with third parties. Organizations can use the platform to communicate with vendors and coordinate remediation efforts, as well as capture and audit conversations; record estimated completion dates; accept or reject individual assessment responses; assign tasks based on risks, documents or entities; and match documentation and evidence to risks. |
| 5.24 “The PRA expects firms and groups to periodically (re)assess and take reasonable steps to manage their overall reliance on third parties; and | Prevalent mitigates concentration risks by identifying fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment. Suppliers discovered through this process are monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening. |
| 6 Outsourcing agreements | |
| 6.3 “Firms should ensure that written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Moreover, regardless of materiality, firms should ensure that outsourcing agreements do not impede or limit the PRA’s ability to effectively supervise the firm or outsourced activity, function, or service.” | Prevalent Contract Essentials centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, organizations can centrally track all contracts and contract attributes that can impact service levels, effectively enforcing contractual safeguards. |
| 7 Data security | |
| | Prevalent delivers a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks. Key data security and privacy assessment capabilities include: |
| 8 Access, audit, and information rights | |
| 8.7 “Firms may use a range of audit and other information gathering methods, including: | The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place. Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to SIG, SCA, ISO, SOC II, AITECH, and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources. |
| 8.9 “Certificates and reports supplied by service providers may help firms obtain assurance on the effectiveness of the service provider’s controls. However, in material outsourcing arrangements, the PRA expects firms to: | Prevalent centralizes certifications, agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features. |
| 9 Sub-outsourcing | |
| | Prevalent identifies fourth-party and Nth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment. Suppliers discovered through this process are monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening. |
| 10 Business continuity and exit plans | |
| 10.1 “For each material outsourcing arrangement, the PRA expects firms to develop, maintain, and test a business continuity plan; and documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement: | The Prevalent Third-Party Risk Management Platform automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity, while automatically mapping results to NIST, ISO, and other control frameworks. This proactive approach enables organizations to minimize the impact of third-party disruptions and stay on top of compliance requirements. |
| 10.3 “Firms should implement and require service providers in material outsourcing arrangements to implement appropriate business continuity plans to anticipate, withstand, respond to, and recover from severe but plausible operational disruption.” 10.9 “In line with Fundamental Rule 7, in the event of a disruption or emergency (including at an outsourced or third party service provider), firms should ensure that they have effective crisis communication measures in place. This is so all relevant internal and external stakeholders, including the Bank, PRA, FCA, other international regulators, and, if relevant, the service providers themselves, are informed in a timely and appropriate manner.” | The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to: Prevalent delivers free resources for organizations to use as they build or mature their third-party business continuity programs. |