Yesterday the Prudential Regulatory Authority (PRA), jointly with the Financial Conduct Authority and the Bank of England (BoE), issued policy statement (PS) 6/21 on "Operational resilience: Impact tolerances for important business services". PS6/21 provides feedback on the responses received to the draft rules on the same subject matter set out in the PRA’s consultation paper (CP) 29/19, which was published on 2 December 2019.
PS6/21 provides the PRA’s final policy on the following areas:
- new Operational Resilience Parts of the PRA Rulebook;
- amendments to the Group Supervision Part of the PRA Rulebook;
- a new Supervisory Statement (SS) 1/21 which sets out the PRA’s expectations for the operational resilience of firms’ important business services, for which they are required to set impact tolerances; and
- a new Statement of Policy (SoP) "Operational resilience" which clarifies how the PRA’s operational resilience policy affects its approach to four key areas of the regulatory framework, in particular: governance, risk management, business continuity planning and the management of outsourced relationships.
Separately, the PRA has also issued PS7/21 on "Outsourcing and third party risk management". PS7/21 provides feedback on responses to the draft rules on the same subject matter set out in CP30/19. It also contains the PRA’s final Supervisory Statement (SS) 2/21 that:
- complements the requirements and expectations on operational resilience;
- facilitates greater resilience and adoption of the cloud and other new technologies as set out in the BoE’s response to the "Future of Finance" report;
- implements the European Banking Authority (EBA) "Guidelines on outsourcing arrangements" (EBA Outsourcing GL); and
- clarifies how the PRA expects banks to approach the EBA Outsourcing GL in the context of its requirements and expectations.
PS6/21, PS7/21, SS1/21 and SS2/21 apply to:
- UK banks;
- building societies;
- PRA-designated investment firms (banks);
- UK Solvency II firms and groups; and
- The Society of Lloyd’s and its managing agents (insurers).
PS7/21 also applies to branches of overseas banks and insurers (third-country branches), and some aspects of SS2/21 are also relevant to credit unions and non-directive firms. All the publications may also be of interest to other firms, but they should not be applied as guidance.
The Operational Resilience Parts, SS1/21 and SS2/21 will be effective from 31 March 2022. To comply with the rules, firms should contact their supervisors to agree their plans for meeting policy requirements. Firms should also seek to review and update legacy outsourcing agreements entered into before 31 March 2021 at the first appropriate contractual renewal or revision point, so that they meet the expectations in SS2/21 as soon as possible on or after 31 March 2022.