PRA SS2/21 is the Prudential Regulation Authority's supervisory statement on outsourcing and third-party risk management. It is detailed, practical, and especially important for material outsourcing, cloud outsourcing, data, audit rights, business continuity, exit, and governance.
Official sources
The PRA states that SS2/21 sets out expectations for how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management. The statement was first published on 29 March 2021.
What SS2/21 is trying to do
SS2/21 aims to make outsourcing safer without blocking firms from using specialist providers and cloud services. The PRA's concern is that a firm should remain able to meet its obligations when a service is outsourced. Outsourcing should not impair governance, supervision, auditability, data protection, operational resilience, or the firm's ability to exit.
The supervisory statement is particularly useful because it translates high-level requirements into practical areas: identify outsourcing, determine materiality, perform due diligence, keep a register, write appropriate contracts, manage cloud and data risk, monitor the provider, and plan for exit.
What SS2/21 covers
SS2/21 covers:
- definitions of outsourcing and material outsourcing;
- governance, prescribed responsibilities, and senior management accountability;
- materiality assessment and proportionality;
- pre-outsourcing due diligence;
- outsourcing registers;
- written agreements and contractual rights;
- access, audit, and information rights;
- data security and data location;
- sub-outsourcing;
- business continuity and stressed exit planning;
- cloud outsourcing and resilience;
- notifications to the PRA where required.
What firms need to operationalize
Firms need a clear way to decide whether a third-party arrangement is outsourcing and whether it is material. That decision should not live in someone's inbox. It should be recorded with the service, business owner, legal entity, provider, contract, data, location, technology dependency, and important business service mapping.
For material outsourcing, firms need stronger diligence and evidence. They need to know whether contracts provide adequate access, audit, information, security, continuity, subcontracting, and termination rights. They also need to understand cloud resilience options, data risks, and whether exit is credible in a severe but plausible scenario.
Evidence teams should maintain
- Outsourcing policy and governance records.
- Outsourcing and third-party inventory with materiality decisions.
- Due diligence and risk assessment evidence.
- Outsourcing register fields required by the firm's policy and applicable PRA expectations.
- Contract review evidence for access, audit, information, security, data, subcontracting, termination, and exit rights.
- Cloud, resilience, and data-location assessments where relevant.
- Monitoring records, incidents, issues, remediation, and management reporting.
- Business continuity and stressed exit plans for material arrangements.
Common gaps
- Firms label arrangements as "third-party" to avoid outsourcing discipline without documenting the analysis.
- The outsourcing register is maintained for reporting but not used to run monitoring and change management.
- Cloud arrangements are assessed at onboarding but not refreshed when architecture, regions, subcontractors, or resilience options change.
- Exit plans assume cooperation from the provider but do not describe data migration, substitute services, timeframes, and operational impact.
- Access and audit rights are reviewed by legal but not tested against practical evidence needs.
How Halbarad helps
Halbarad helps firms keep SS2/21 records connected. A firm can use Halbarad to maintain an outsourcing register, capture materiality decisions, link arrangements to important services, collect diligence, review contracts, monitor provider signals, track issues, and preserve the evidence trail.
Halbarad can help teams:
- map outsourcing arrangements to services, owners, contracts, data, locations, and critical dependencies;
- use Spark Assessment to gather an initial provider evidence view;
- use Nth-Party Discovery to identify sub-outsourcing, fourth parties, fifth parties, and concentration exposure;
- monitor provider incidents, outages, advisories, trust-center updates, and material changes;
- track audit-right evidence, resilience evidence, issues, remediation, approvals, and exit posture;
- produce management and audit reporting from the same record used to run the program.
Halbarad supports operationalization and evidence. It does not replace PRA supervisory materials, legal advice, or firm-specific accountability.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.