Prudential Regulation Authority Rulebook

5.1

As set out in the PRA’s outsourcing rules,^[14] firms remain responsible for their obligations when functions are outsourced to a third party. In the PRA’s operational resilience policy, the PRA expects firms to be operationally resilient regardless of any outsourcing arrangements or use of third parties. Firms should not allow their ability to deliver their important business services within their impact tolerances to be undermined when they are delivered wholly or in part by third parties, whether these third parties are other entities within their group or external providers.

5.2

The PRA’s policy for modernising the regulatory framework on outsourcing and third party risk management (SS2/21 'Outsourcing and third party risk management’)^[15] complements the PRA’s operational resilience policy. SS2/21 reflects the increased importance to firms of cloud computing and other new technologies. The PRA’s approach is to consider SS2/21 and the PRA’s operational resilience policy in combination.