PRA SS2/21 Third Party Risk Compliance Guide (2023)

Upguard Blog – Edward Kost
Recognising the growing impact of third-party risk on operational resilience, the Prudential Regulation Authority (PRA) has set new regulatory expectations for third-party risk management and outsourcing. These are published in Supervisory Statement SS2/21, which has been in effect since March 2022.

To strengthen the operational resilience part of the PRA Rulebook, SS2/21 sets out requirements across two categories of third-party relationship: material outsourcing arrangements and non-outsourcing third-party arrangements.

Because PRA SS2/21 implements the European Banking Authority (EBA) Guidelines on Outsourcing Arrangements, much of its terminology is borrowed from the EBA.

PRA SS2/21 sets out its third-party risk and due diligence requirements across four primary risk categories:

- Data security
- Access, audit, and information rights
- Sub-outsourcing
- Business continuity and exit strategies

To comply with Section 2.8 of Supervisory Statement SS2/21, firms have two options for managing third-party risk:

1. Implement a single, holistic third-party risk management policy that covers both outsourcing and non-outsourcing third-party arrangements. This policy should be comprehensive and address all relevant risks associated with third-party relationships.
2. Develop separate policies for outsourcing and non-outsourcing third-party arrangements. These separate policies must be aligned, consistent, effective, and risk-based to ensure proper management of third-party risk.
Link: https://www.upguard.com/blog/pra-ss2-21-a-third-party-risk-management-compliance