Outsourcing and Third Party Risk Management

PRA Rules

• Allocation of Responsibilities (4.1(21))
• Information Gathering (2.2 and 3.3) 
• Internal Capital Adequacy Assessment Rules (10.1 and 10.2)
• Notifications (2.3(1)(e))
• Operational Continuity (3.2 and 3.4) 
• Operational Resilience (2.5 and 4.1) 
• Outsourcing 

UK legislation

• Organisational requirements and operating conditions for investment firms - Commission Delegated Regulation (EU) 2017/565 Chapter II, Section 2, as amended, including by the Markets in Financial Instruments (Amendment) (EU Exit) Regulations 2018 (Part 4, Chapter 2)

Supervisory Statements and Statements of Policy

• Outsourcing and third party risk management (SS2/21)
• Strengthening individual accountability in banking (SS28/15 paragraphs 2.11G, 2.41A)
• Internal governance (SS21/15, paragraphs 2.15, 2.23)
• Ensuring operational continuity in resolution (SS9/16, paragraphs 2.1, 5.1, 5.10, 6.1, 8.2, 11.5, and Chapter 4)
• Operational resilience: Impact tolerances for important business services (SS1/21)
• Operational Resilience (Statement of Policy)

Other relevant material

Guidelines originally issued by European Supervisory Authorities should be read in conjunction with "Interpretation of EU Guidelines and Recommendations: Bank of England and PRA approach after the UK’s withdrawal from the EU" (Statement of Policy)

• Guidelines on Outsourcing Arrangements (EBA/GL/2019/02)
• Guidelines on information and communications technology (ICT) and security risk management (EBA/GL/2019/04)
• Guidelines on internal governance (EBA/GB/2017/11)