Outsourcing and Third Party Risk Management

Policies relating to outsourcing and third party risk management for banks, building societies and investment firms.

PRA Rules


UK legislation

  • Organisational requirements and operating conditions for investment firms - Commission Delegated Regulation (EU) 2017/565 Chapter II, Section 2, as amended, including by the Markets in Financial Instruments (Amendment) (EU Exit) Regulations 2018 (Part 4, Chapter 2)

Supervisory Statements and Statements of Policy

  • Outsourcing and third party risk management (SS2/21)
  • Strengthening individual accountability in banking (SS28/15 paragraphs 2.11G, 2.41A)
  • Internal governance (SS21/15, paragraphs 2.15, 2.23)
  • Ensuring operational continuity in resolution (SS9/16, paragraphs 2.1, 5.1, 5.10, 6.1, 8.2, 11.5, and Chapter 4)
  • Operational resilience: Impact tolerances for important business services (SS1/21)
  • Operational Resilience (Statement of Policy)

Other relevant material

Guidelines originally issued by European Supervisory Authorities should be read in conjunction with "Interpretation of EU Guidelines and Recommendations: Bank of England and PRA approach after the UK’s withdrawal from the EU" (Statement of Policy):

  • Guidelines on Outsourcing Arrangements (EBA/GL/2019/02)
  • Guidelines on information and communications technology (ICT) and security risk management (EBA/GL/2019/04)
  • Guidelines on internal governance (EBA/GB/2017/11)

This page was last updated 31 January 2023