Find out more about the PRA SS2/21 regulations and how they affect you and your customers



Download our SS2/21 compliance guide. Here's what's inside:

An overview of SS2/21, details of which firms must comply with the regulation and the deadline for compliance

A summary of the outsourcing and third-party risk management requirements and expectations that must be met

Advice on what you can do as a vendor supplying customers within the UK financial markets to ensure they comply with the regulatory requirements around documenting and testing business continuity and exit plans for outsourced software

Recommended solutions that vendors can easily embed into their current service offering to ensure customers are compliant with key financial regulations such as PRA SS2/21

Get up to speed with the regulations

Building upon its strong regulatory infrastructure, the UK’s Prudential Regulation Authority (PRA) has published a Supervisory Statement on Outsourcing and Third-party Risk Management (SS2/21). The PRA advises all regulated entities to ‘actively consider’ Escrow when undertaking business continuity and exit planning.

Although the responsibility for operational resilience rests with a regulated firm, it benefits vendors to understand the requirements and the impact they will have when engaging with firms operating in the financial services sector.


What should vendors supplying the finance sector do next?

Key areas of SS2/21 vendors need to be aware of:

As SS2/21 requires firms to have a fully stressed exit plan before they commit to procuring an application, it is critical for vendors to proactively address the guidelines.

Firms are expected to pay attention to the end-to-end provision of important business services. Therefore, vendors will be requested to present their own business continuity plan to demonstrate the resilience of their supplier’s infrastructure.

An Escrow Agreement, which the PRA advises all regulated entities to consider when exit planning, will ensure your customers comply with third-party risk mitigation, outsourcing and business continuity requirements as stipulated in SS2/21.


The additional requirements on firms to identify dependencies and set impact tolerances will require greater engagement with their service providers. Any application that is deemed material must have an exit plan – putting software vendors firmly under the microscope and therefore making them integral to the requirements set out in SS2/21.

Ultimately, software vendors that have no pre-defined exit plan or software resilience solution built into their offering, and so cannot accommodate the stressed exit plans set out in SS2/21, are closing their doors to new opportunities within the industry.

How can you deliver business continuity assurance at scale?


Our Partner Network enables you, as a software vendor, to stand out from the competition and deliver business continuity assurance at scale by embedding Software Escrow solutions into your offering. Doing so reduces the perceived risk of your software application and enables your customers to easily comply with the ever-growing number of outsourcing regulations in the financial services sector.

14,000+ businesses rely on NCC Group's Business Continuity Solutions

Get in touch



For more information on how NCC Group can help you support customers in complying with the PRA's SS2/21 Outsourcing and Third-Party Risk Management requirements, please get in touch.

NCC Group has been supporting software vendors to mitigate the associated risk of outsourcing for over 30 years, giving us an excellent understanding of industry-specific needs and compliance regulations.

Call us on:

UK: 0161 209 5200

US: 800 813 3523

NL: 020 620 7151

DE: +49 89 599 762-0

© NCC Group 2021. All rights reserved.