Learn how to use SaaS applications and comply with PRA’s Outsourcing and Third-Party Risk Management (PRA SS2/21)

Most companies regulated by the Prudential Regulation Authority (PRA), including banks, financial institutions, credit unions, and insurance and reinsurance firms, are adopting SaaS hosted applications for many critical functions within their businesses.

The PRA SS2/21 and PS7/21 policies are aimed at ensuring these regulated companies have robust continuity measures in place for services designated under outsourcing and third-party risk management. The new policies come into effect on the 31st March 2022.

Background

In March 2021, the Bank of England’s Prudential Regulation Authority (PRA) published its policy statement and supervisory statement on outsourcing and third-party risk management.

The PS7/21 policy statement provides the PRA’s response to feedback received on its Consultation Paper (CP) 30/19, “Outsourcing and third-party risk management”, and the supervisory statement SS2/21 sets out the PRA’s supervisory expectations with respect to third-party and outsourcing arrangements.

These documents outline the expectations and outcomes regulated financial institutions will need to comply with to establish and maintain resilience of their Important Business Services.

Which companies are impacted by SS2/21?

The SS2/21 policy is relevant to banks, building societies, PRA-designated investment firms, insurance and reinsurance firms, branches of overseas banks and insurers, and credit unions.

The SS2/21 policy may apply to all outsourcing arrangements and even to some non-outsourcing third-party arrangements. Non-outsourcing third-party arrangements include the purchase of hardware, software, and other ICT products, including SaaS hosted applications.

The PRA expects firms to assess the materiality and risks of non-outsourcing third-party arrangements as well as outsourcing arrangements. Where a firm deems a non-outsourcing third-party arrangement “material” or “high risk”, it should implement proportionate controls appropriate to the risk, and as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality. These do not need to be the same as the controls that apply to outsourcing, but firms should apply stricter controls to “material” non-outsourcing third-party arrangements than to non-material outsourcing arrangements.

How to ensure your SaaS hosted applications comply with SS2/21?

When analysing the compliance risks associated with a critical SaaS application, PRA-designated firms need to understand the impact on their business if a SaaS vendor failed and was unable to provide a critical service.

The SS2/21 policy highlights the requirement for a robust business continuity and exit plan for such outsourced third-party services.

The Operational Resilience Parts of the PRA Rulebook require firms to test their ability to remain within impact tolerances in severe but plausible disruption scenarios. Likewise, the SS expects that firms’ testing of their business continuity and exit plans should include the ability to remain within impact tolerances. Firms may choose to conduct testing that fulfils both of these obligations at the same time. In addition, Chapter 5 of the SS notes that a key criterion for assessing materiality is whether an arrangement could materially impair the firm’s operational resilience, particularly its ability to continue providing important business services. The PRA expects, therefore, that all outsourcing arrangements that support an important business service should be considered material.

Severe but plausible disruption scenarios would include:

  • Service interruption due to natural or other disaster
  • Failure due to SaaS vendor mismanagement or malicious employees
  • Hacking or ransomware attack
  • Bankruptcy or other insolvency event

As the ultimate responsibility lies with the PRA-regulated firm, relying on the SaaS vendor’s disaster recovery or business continuity plan is not adequate. PRA-regulated firms require their own internal continuity plan to deal with such an outsourced third-party failure.

This is where things get complex. SaaS hosted applications are popular precisely because they are hosted by specialist software vendors who take responsibility for the application, its security, the data, and the infrastructure, all of which sit outside the control of the financial institution.

In order to comply with the continuity requirements of the SS2/21 policy, financial institutions are investing in SaaS Continuity Escrow solutions to provide a safety net in the event of a critical SaaS vendor failure.

Escrow London have been building bespoke SaaS Continuity Escrow solutions for a number of large PRA-regulated banks and financial institutions in the UK to assist with SS2/21 compliance.

These SaaS Continuity Escrow solutions typically include:

  • Replicated SaaS Continuity with Live Continuity
    • Providing a replicated cloud environment with databases using deployment scripts that may be activated in the event of a release situation.
    • Escrow London will maintain a dedicated beneficiary cloud account in AWS, Microsoft Azure or Google Cloud Platform (GCP). After implementation, the cloud environment is kept in a dormant state with a copy of the database updated daily. In the event of a material failure of the SaaS vendor, Escrow London is in a position to spin up a recovery environment from the most recently deposited database. The new escrow environment may be maintained by Escrow London for an agreed period, anywhere from 30 days to 1 year, allowing the financial institution to continue operating and complying with its obligations under SS2/21 until a new solution is implemented.
    • The Replicated SaaS Continuity solutions are tested by Escrow London on a quarterly basis to ensure the deposited system is up to date and functioning as expected by the financial institution.
  • Access Credentials with Live Continuity
    • Deposit of access credentials to the production environment, usually hosted within AWS, Microsoft Azure or GCP. Escrow London’s team of cloud engineers become familiar with the production environment through a knowledge-transfer process with the SaaS vendor. In the event of a material failure, Escrow London has the authority to step in, segregate and transfer the beneficiary’s AWS environment to a new AWS account under the ownership of Escrow London or the financial institution. The recovered escrow environment may be maintained by Escrow London for an agreed period, anywhere from 30 days to 1 year, allowing the financial institution to continue operating and complying with its obligations under SS2/21 until a new solution is implemented.
    • The Access Credentials continuity solution is tested on a quarterly basis to ensure the process for migrating the accounts is valid and documented.
  • Vendor Financial Monitoring (VFM)
    • VFM provides an additional layer of assurance to the financial institution that the SaaS vendor is keeping up to date with their payments to the cloud hosting vendor. In the event of payment irregularities, the financial institution will receive a red-flag that there may be an issue.
  • Ransomware Recovery
    • With the current boom in ransomware attacks, recovery and backup hidden away from your network are critical to overcoming an attack. The Escrow London Ransomware Recovery Escrow solutions give financial institutions the chance to restore quickly when the worst happens through the following services:
      • Ransomware Recovery Live – dormant copy of the production environment that can be spun up at short notice.
      • Ransomware Database Recovery – daily copy of your database held out of reach from ransomware hackers.
      • Ransomware Source Code & Infrastructure as Code Sync – automated pull of source code and IaC scripts held outside of your network.
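The Replicated SaaS Continuity and Ransomware Database Recovery items above both rest on the same operational fact: a daily database deposit is only a safety net if it is actually recent and intact when the release or restore is needed. The following added example (not Escrow London’s code; the manifest layout, file names, cadence and grace window are assumptions) shows the kind of check a beneficiary or escrow agent can run between quarterly tests: it reads a deposit manifest, flags any deposit that is older than the agreed daily cadence plus a grace window, and verifies that the stored bytes still match the SHA-256 recorded at deposit time, so that a missing, stale or silently corrupted copy is noticed before it is needed.

```python
"""Freshness and integrity check for daily database deposits held in escrow.

Hypothetical helper, written as an illustration for this article. It assumes
each deposit is listed in a manifest with its deposit time (ISO 8601 with a
UTC offset) and the SHA-256 of the deposited file, and that the escrow store
can return the bytes of a named deposit.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed agreement: one deposit per day, with a grace window before a
# deposit is reported as stale.
DEPOSIT_CADENCE = timedelta(hours=24)
GRACE_WINDOW = timedelta(hours=6)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a deposited file's bytes, as recorded in the manifest."""
    return hashlib.sha256(data).hexdigest()


def verify_deposit(entry: dict, payload: Optional[bytes], now: datetime) -> List[str]:
    """Return the problems found with one manifest entry; an empty list means usable.

    entry carries 'name', 'deposited_at' and 'sha256'; payload is the bytes
    actually held in the escrow store, or None if nothing is stored under
    that name.
    """
    problems: List[str] = []
    deposited_at = datetime.fromisoformat(entry["deposited_at"])
    if now - deposited_at > DEPOSIT_CADENCE + GRACE_WINDOW:
        problems.append("stale")
    if payload is None:
        problems.append("missing")
    elif sha256_hex(payload) != entry["sha256"]:
        # Bytes in the store no longer match what was deposited: corruption
        # or tampering, either way the copy cannot be trusted for a restore.
        problems.append("hash_mismatch")
    return problems


def check_manifest(manifest: List[dict], payloads: Dict[str, bytes],
                   now: datetime) -> Dict[str, List[str]]:
    """Check every manifest entry and return a per-deposit list of problems."""
    return {e["name"]: verify_deposit(e, payloads.get(e["name"]), now) for e in manifest}


def all_usable(report: Dict[str, List[str]]) -> bool:
    """True only if no deposit in the report has any problem."""
    return all(not problems for problems in report.values())


# Constructed sample data: what the escrow store holds under each name.
# Real deposits would be compressed database dumps in object storage.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "crm-db-2022-03-31.sql.gz": b"-- constructed dump, crm, 2022-03-31\n",
    "ledger-db-2022-03-25.sql.gz": b"-- constructed dump, ledger, 2022-03-25\n",
    "hr-db-2022-03-31.sql.gz": b"-- constructed dump, hr, 2022-03-31\n",
}

# Constructed manifest covering the four outcomes the check distinguishes:
# fresh and intact, stale, missing from the store, and hash mismatch.
SAMPLE_MANIFEST: List[dict] = [
    {"name": "crm-db-2022-03-31.sql.gz",
     "deposited_at": "2022-03-31T02:00:00+00:00",
     "sha256": sha256_hex(SAMPLE_PAYLOADS["crm-db-2022-03-31.sql.gz"])},
    {"name": "ledger-db-2022-03-25.sql.gz",
     "deposited_at": "2022-03-25T02:00:00+00:00",
     "sha256": sha256_hex(SAMPLE_PAYLOADS["ledger-db-2022-03-25.sql.gz"])},
    {"name": "payments-db-2022-03-31.sql.gz",
     "deposited_at": "2022-03-31T03:00:00+00:00",
     "sha256": "0" * 64},  # listed in the manifest but absent from the store
    {"name": "hr-db-2022-03-31.sql.gz",
     "deposited_at": "2022-03-31T04:00:00+00:00",
     "sha256": "f" * 64},  # stored bytes no longer match this digest
]

# Constructed check time (midday on the day the new policy takes effect).
CHECK_TIME = datetime(2022, 3, 31, 12, 0, tzinfo=timezone.utc)


def run_sample_check() -> Dict[str, List[str]]:
    """Run the check over the constructed manifest and store."""
    return check_manifest(SAMPLE_MANIFEST, SAMPLE_PAYLOADS, CHECK_TIME)


if __name__ == "__main__":
    for name, problems in run_sample_check().items():
        print(f"{name}: {'ok' if not problems else ', '.join(problems)}")
```

A real run would replace the constructed dictionaries with a manifest read from the escrow store and the deposit bytes fetched from object storage; the point of keeping the digest in the manifest rather than recomputing it from the store is that a corrupted or replaced copy then shows up as a mismatch instead of being silently accepted as current.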

SS2/21 highlights escrow as one of the measures that can be put in place to assist with business continuity plans and stressed exits. The PRA advises that firms’ exit plans should cover stressed exits and be appropriately documented and tested as far as possible.

The PRA also advises that firms should actively consider temporary measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit, even if these are not suitable long-term solutions (e.g. contractual or escrow arrangements allowing continued use of a service or technology for a transitional period following termination).

The above Escrow London SaaS Continuity Escrow solutions are designed to meet the stringent standards required to ensure financial institution resilience in the face of stressed scenarios such as a material failure of a SaaS vendor.

Contact Escrow London to learn more about robust SaaS Continuity and Ransomware Escrow solutions and how they can assist your business with PRA compliance.