Outsourcing and third party risk management part of the Code of Practice

Code of practice about the operation of recognised payment systems.
Published on 08 February 2023

Powers exercised

A. This code of practice is published under section 189 of the Banking Act 2009.

B. A failure to comply with this code will constitute a ‘compliance failure’ under section 196 of the Banking Act 2009, which can result in the imposition of a sanction under sections 198 to 200 of the Banking Act 2009 (financial penalty, management disqualification, and in certain specified circumstances, a closure order). It can also involve publication of the details of the compliance failure and any sanction imposed (section 197 of the Banking Act 2009).

Commencement

C. This code of practice comes into force on 9 February 2024.

Citation

D. This code of practice may be cited as the Bank of England Recognised Payment Systems Code of Practice.

Part 3: Outsourcing and third party risk management

1: Applications and definitions

1.1 This part of the code of practice applies to a Recognised Payment System Operator (RPSO) that is not operated by a recognised clearing house or a central securities depository and also to a Specified Service Provider (SSP) unless 1.2 applies.

1.2 The Bank of England may notify a RPSO or SSP that this part of the code shall not apply to it where:

1.2.1 The RPSO or SSP is not incorporated in the UK; and

1.2.2 The Bank of England considers that:

(a) The RPSO or SSP is subject to a domestic supervisory regime that has the objective of protecting and enhancing financial stability and which implements the Committee for Payment and Market Infrastructure and the International Organization of Securities Commission’s ‘Principles for Financial Market Infrastructures’; and

(b) Arrangements in place for international co-operation enable it to discharge its statutory requirements and supervisory functions in respect of the RPSO or SSP.

1.3 In this part the following definitions shall apply:

Third parties

Means organisations, whether supervised entities or not, that have entered into business relationships or contracts with a RPSO or SSP to provide products, services, processes, activities or business functions, whether in whole or in part, including utilities and providers of other services.

Outsourcing agreement

Means an agreement set out in rule 4 of this part.

Outsourcing arrangement

Means an arrangement of any form between a RPSO or SSP, and a third party, whether a supervised entity or not, by which that third party provides a product, a service, performs a process, an activity or a business function, whether directly or by sub-outsourcing, which would otherwise be undertaken by the RPSO or SSP itself.

Sub-outsourcing

Means a situation where the third party under an outsourcing arrangement further transfers, in whole or in part, an outsourced function to another third party.

Supervised entities

Means entities subject to supervision by any UK or overseas authority that has the objective or function of protecting and enhancing financial stability.

2: Governance and record keeping

2.1 A RPSO or SSP must ensure that its board remains fully accountable for complying with its requirements under this part when entering into an outsourcing arrangement or other arrangement with a third party.

2.2 The board of a RPSO or SSP must approve, implement and regularly review a written outsourcing and third party risk management policy.

2.3 A RPSO or SSP must keep appropriate written records of its outsourcing arrangements.

2.4 A RPSO or SSP must maintain, and provide to the Bank on request, a current version of its written record produced in compliance with rule 2.3.

3: Pre-outsourcing

3.1 Before entering into an outsourcing arrangement or arrangement with a third party a RPSO or SSP must:

3.1.1 Determine the criticality of the arrangement;

3.1.2 Perform appropriate and proportionate due diligence on all potential third parties; and

3.1.3 Assess the risk of the arrangement in line with its risk management policy set out at rule 2.2.

3.2 The board of a RPSO or SSP must approve and regularly review the criticality of the RPSO or SSP’s outsourcing arrangements and arrangements with third parties.

3.3 A RPSO or SSP must notify the Bank in writing prior to entering into any new outsourcing agreement.

4: Outsourcing agreements

4.1 A RPSO or SSP must have appropriate written agreements for all outsourcing arrangements including intra-group arrangements.

4.2 All written outsourcing agreements must include appropriate contractual safeguards to manage and monitor relevant risks.

4.3 A RPSO or SSP must ensure that outsourcing agreements do not impede or limit the Bank’s ability to supervise the RPSO or SSP.

4.4 Outsourcing agreements must contain adequate provision:

4.4.1 In relation to the rights of the RPSO or SSP to inspect and audit the third party in relation to the services provided; and

4.4.2 To require prior approval from the RPSO or SSP before the third party can itself outsource all or part of the outsourced service to another third party.

5: Data security

5.1 Where a third party arrangement or outsourcing arrangement involves the transfer of, or access to, data, the RPSO or SSP must:

5.1.1 Establish, implement and maintain appropriate measures to protect outsourced data and ensure such measures are set out in its outsourcing and third party risk management policy, as required by rule 2.2; and

5.1.2 Where appropriate, ensure that the relevant third party arrangements or outsourcing arrangement contains provision to implement robust controls, including security mechanisms where relevant, for data-in-transit, data-in-memory, and data-at-rest.

6: Business continuity and exit plans

6.1 Where an RPSO or SSP has an outsourcing arrangement with a third party, the RPSO or SSP must develop, maintain and test:

6.1.1 A business continuity plan; and

6.1.2 A documented exit strategy, which should at a minimum cover, and differentiate between, situations where a RPSO or SSP may exit an outsourcing arrangement in both:

(a) a stressed scenario; and

(b) a planned and managed exit.