The Prudential Regulation Authority (PRA), part of the Bank of England, is a UK financial services regulator that sets and enforces prudential rules for banks, insurers, and major investment firms. Its core mandate is to ensure that firms can operate safely and remain resilient, even when faced with operational challenges. The PRA publishes binding rules and supervisory statements through the PRA Rulebook, which outlines the prudential requirements firms must meet.
Operational Resilience, A Major Theme Across PRA Policy
The PRA sets out a clear expectation that organisations must be operationally resilient, meaning they can minimise disruption, adapt their systems and processes when issues arise, restore normal operations quickly, and learn from any incidents. The PRA’s operational resilience policy is embedded across multiple elements of its wider regulatory framework and applies to all UK Solvency II firms, as well as the Society of Lloyd’s and its managing agents. The policy was issued on 15 November 2024 and came into force on 31 December 2024.
Why Outsourcing and Third‑Party Risk Matter
Modern financial institutions rely heavily on external software vendors for payments, trading, compliance, risk modelling, customer onboarding, and much more. This heavy reliance creates a vulnerability: if a critical vendor fails, becomes insolvent, or stops supporting a product, the firm may face operational disruption and regulatory consequences.
PRA Supervisory Statement SS2/21 sets out expectations for how firms should manage these outsourcing and third‑party arrangements. It emphasises the need for continuity planning, exit strategies, and demonstrable resilience if a vendor becomes unavailable.
How Software Escrow Supports PRA Compliance
Software Escrow provides a structured way to mitigate vendor‑related risks. In an Escrow arrangement, a trusted third party, such as SES Secure, holds the source code, documentation, and other critical materials for a business‑critical software application. These materials are released to the financial institution only if predefined trigger events occur, such as vendor insolvency or failure to meet support obligations.
The structure of a Software Escrow (also known as Source Code Escrow) aligns closely with PRA expectations in several ways:
- Operational continuity — If a vendor fails, the firm can access the source code and maintain or transition the system, reducing downtime and regulatory exposure.
- Exit strategy readiness — SS2/21 requires firms to have viable exit plans for critical outsourced services. Escrow strengthens those exit plans by giving firms an auditable, verifiable, and independently managed safeguard that can be activated if a supplier fails or service is disrupted.
- Risk management evidence — Escrow demonstrates proactive management of third‑party risk, supporting the firm’s ability to show compliance during PRA reviews.
- Resilience for critical functions — Many core banking and insurance processes rely on bespoke or niche software applications. Escrow ensures these systems remain operational, even if the vendor becomes unavailable.
Essentially, as financial institutions become more dependent on third‑party hosted software and SaaS, Software Escrow has evolved into a key tool for meeting regulatory expectations around resilience and continuity.
The PRA’s Broader Focus on Resilience
The PRA’s wider prudential framework emphasises that firms must be able to withstand operational obstacles. This includes cyber incidents, technology failures, and supply‑chain disruptions. Escrow fits naturally into this landscape by reducing single‑vendor dependency and strengthening the firm’s ability to recover from unexpected failures.
The PRA’s overarching goal is to ensure that regulated firms can demonstrate resilience across all critical operations, and Software Escrow is being increasingly recognised as a practical, regulator‑aligned safeguard.
To learn more or to arrange a call with a member of our team, please get in touch.