Outsourcing and third party risk management

Consultation Paper 30/19
Published on 05 December 2019

Update 20 March 2020: The deadline for responses will, in line with the FCA, be extended to 1 October 2020. For more information on this please see our statement ‘Bank of England announces supervisory and prudential policy measures to address the challenges of Covid-19’.


In this consultation paper (CP), the Prudential Regulation Authority (PRA) sets out and invites comments on its proposals for modernising the regulatory framework on outsourcing and third-party risk management. These proposals are set out in the draft Supervisory Statement (SS) on ‘Outsourcing and third-party risk management’ in the Appendix to this CP (draft SS) and pursue the following objectives: 

This CP is relevant to all UK banks, building societies and PRA-designated investment firms, insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents, and branches of overseas banks and insurers.

Some of the proposals in this CP are relevant to credit unions and non-directive firms (NDFs) namely those in: paragraph 2.3 of this CP; the PRA rules, statutory powers and requirements referenced in tables 2, 5 and 6; and paragraphs 5.11-5.12. In line with the principle of proportionality, the PRA proposes not to apply the remaining sections of the draft SS to credit unions and NDFs.

Responses and next steps

This consultation closes on Friday 3 April 2020. The PRA invites feedback on the proposals set out in this consultation. Please address any comments or enquiries to CP30_19@bankofengland.co.uk.


The PRA proposes to publish its final policy on the proposals in this CP in the second half of 2020, (in line with the final policy on Operational Resilience) with implementation of most the proposals shortly after. 

Certain proposals in this CP, which derive from the EBA Outsourcing Guidelines or, (if adopted in the current form), the draft EIOPA Cloud Guidelines would be subject to longer implementation periods. In particular, those relating to:

  • the register of outsourcing arrangements (‘Outsourcing Register’); and
  • the revision by:
    • banks of outsourcing arrangements entered into before 30 September 2019; and 
    • insurers of cloud Outsourcing arrangements entered into before 1 July 2020 (‘Legacy Outsourcing Arrangements’) to bring them into compliance with the EBA Outsourcing Guidelines and EIOPA Cloud Guidelines respectively.  

PDFConsultation paper 30/19

Give your feedback

Was this page useful?
Add your details...