The PRA SS2/21

PRA SS2/21 sets outsourcing resilience requirements to strengthen continuity: from 31 March 2022, firms must be able to evidence their exit plans, recoverability, and control over third parties.

What is PRA SS2/21?

The PRA SS2/21 is a supervisory statement issued by the UK Prudential Regulation Authority that sets out regulatory expectations for outsourcing and third-party risk management. Its purpose is to ensure that banks, insurers, and PRA-regulated investment firms remain operationally resilient when they rely on external service providers, particularly for critical or important business services.

Scope of application

SS2/21 applies to all PRA-authorised banks, building societies, insurers, designated investment firms, and UK branches of overseas firms. It covers both material outsourcing arrangements and certain non-outsourcing third-party arrangements where failure could materially impact operational resilience. The statement makes clear that regulatory responsibility cannot be outsourced: firms remain fully accountable for risks arising from third-party relationships.

Core regulatory expectations

The statement sets expectations across the full outsourcing lifecycle, including pre-outsourcing due diligence, contractual safeguards, ongoing monitoring, and exit planning. Firms must assess materiality, ensure access, audit and information rights, manage sub-outsourcing risk, and maintain robust business continuity arrangements. A central requirement is the ability to execute stressed exit plans that allow services to be brought back in-house or transferred to an alternative provider without disrupting important business services.

Why it matters

SS2/21 matters because it embeds operational resilience into outsourcing regulation, reflecting the growing reliance on cloud, SaaS, and other third-party technologies. Supervisors evaluate compliance based on evidence of tested exit plans, documented controls, governance oversight, and senior management accountability. As a result, SS2/21 shifts outsourcing from a procurement exercise to a regulated risk discipline with direct supervisory and enforcement consequences.

Who must comply & what is expected

Who must comply

PRA SS2/21 applies to all firms regulated by the UK Prudential Regulation Authority, including banks, building societies, insurers, PRA-designated investment firms, and UK branches of overseas banks and insurers. The scope is deliberately broad and extends beyond traditional outsourcing to include certain non-outsourcing third-party arrangements where failure could materially affect a firm’s ability to deliver important business services. The Prudential Regulation Authority makes clear that firms remain fully accountable for outsourced activities, regardless of whether services are provided by cloud vendors, SaaS providers, or other technology suppliers.

In addition, SS2/21 applies on a materiality and risk basis. Firms are required to assess whether an outsourcing or third-party arrangement is “material” by considering its impact on operational resilience, financial stability, and service continuity. Where an arrangement supports an important business service, it will generally be considered material and subject to the highest level of regulatory scrutiny. This ensures that the standard scales proportionately while still capturing critical technology and service dependencies.

What is expected

SS2/21 expects firms to manage outsourcing and third-party risk across the full lifecycle of the arrangement. This includes robust pre-outsourcing due diligence, clear contractual protections (such as access, audit, and information rights), ongoing performance and risk monitoring, and controls over sub-outsourcing. Firms must also ensure that data security, confidentiality, and service availability are maintained at levels consistent with regulatory expectations, even where services are delivered by third parties.

A central expectation under SS2/21 is the ability to execute credible and tested exit plans, including stressed exits. Firms must be able to demonstrate that they can continue providing important business services if a supplier fails, deteriorates, or becomes unavailable. This may involve bringing services back in-house or transferring them to an alternative provider. Supervisors assess compliance on evidence (documentation, verification testing outcomes, governance oversight, and senior management accountability) rather than on policy intent. This makes SS2/21 an operational, continuously enforceable resilience standard rather than a one-off compliance exercise.

How software escrow maps to PRA SS2/21 (UK)

Software escrow maps directly to outsourcing and third-party risk management expectations under PRA SS2/21 by addressing dependency risk on critical suppliers. SS2/21 requires firms to remain fully accountable for outsourced services and to ensure continuity where a third party fails, deteriorates, or exits the market. Software escrow operationalises this requirement by contractually securing access to essential software assets and documentation, ensuring that supplier failure does not result in the loss of an important business service.

From a business continuity and exit planning perspective, SS2/21 places particular emphasis on credible and tested stressed exit plans. Firms must be able to demonstrate that they can either bring services back in-house or transition them to an alternative provider without breaching impact tolerances. Software escrow supports this outcome by preserving the technical materials required to rebuild, support, or migrate a system, transforming exit planning from a contractual concept into an executable capability aligned with PRA expectations.

Finally, software escrow supports governance, assurance, and supervisory evidence under SS2/21. The Prudential Regulation Authority assesses compliance based on documentation, testing, oversight, and senior management accountability rather than policy intent alone. Escrow agreements, deposit records, and verification outputs provide auditable artefacts that demonstrate control over outsourced technology risk. Escrow functions as a practical control that helps firms evidence recoverability, exit readiness, and operational resilience in line with PRA supervisory expectations.

How ESCROWSURE makes sure that you are compliant

ESCROWSURE supports compliance with PRA SS2/21 by embedding resilience, exit readiness, and third-party risk controls into the governance of outsourced software services. SS2/21 requires firms to retain accountability for outsourced arrangements and to ensure continuity where a supplier fails or deteriorates. ESCROWSURE addresses this by contractually securing access to critical software assets, documentation, and deployment materials, enabling firms to maintain or transition important business services without reliance on a failing vendor, directly supporting the PRA’s expectations for operational resilience and control.

In addition, ESCROWSURE enables evidence-based compliance aligned with supervisory scrutiny by the Prudential Regulation Authority. Escrow agreements, deposit records, update schedules, and optional verification provide auditable artefacts that demonstrate recoverability, tested exit capability, and ongoing oversight. While ESCROWSURE does not assume regulatory responsibility on behalf of firms, it ensures they can substantiate compliance with SS2/21 through documented controls, independent assurance, and clear accountability during audits and supervisory reviews.

Commencement &amp; recent updates

PRA SS2/21 was issued by the Prudential Regulation Authority and became effective on 31 March 2022. From this date, PRA-regulated firms were required to apply the supervisory expectations set out in SS2/21 to new, renewed, or materially changed outsourcing and third-party arrangements, with the objective of strengthening operational resilience and control over outsourced services.

Update: Transition of legacy arrangements

Following commencement, firms were given a transition period to remediate legacy outsourcing arrangements entered into before 31 March 2022. The PRA clarified that firms must bring existing arrangements into line with SS2/21 at the earliest contractual opportunity, such as renewal or amendment, rather than treating legacy contracts as permanently exempt. This reinforced that SS2/21 is intended to apply across the full outsourcing landscape over time, not only to new contracts.

Update: Integration with operational resilience supervision

Since implementation, supervisory focus has increasingly aligned SS2/21 with the UK operational resilience framework. The PRA has emphasised that outsourcing arrangements supporting important business services should generally be treated as material and therefore subject to enhanced scrutiny. In practice, this has increased regulatory attention on exit planning, stressed exit testing, and evidence that third-party dependencies do not undermine firms’ ability to remain within impact tolerances.

Update: Ongoing supervisory emphasis on evidence

More recently, PRA supervisory engagement has centred on demonstrable compliance rather than policy intent. Firms are expected to evidence governance oversight, documented risk assessments, contractual safeguards, and tested exit plans for material outsourcing. SS2/21 is therefore treated as a living supervisory standard, with expectations evolving through supervisory feedback and reviews rather than through frequent formal amendments to the statement itself.

Frequently Asked Questions

Is the agreement customizable? How much customization do you allow?

Yes, absolutely. We believe that each escrow environment is unique and requires a customized approach. ESCROWSURE’s in-house legal counsel will craft a bespoke escrow agreement tailoring the provisions to meet the needs of your specific requirements.

How does software escrow support SS2/21 compliance?

Software escrow supports compliance with PRA SS2/21 by mitigating dependency risk on critical third-party technology providers. SS2/21 requires firms to retain accountability for outsourced services and to ensure continuity where a supplier fails or exits under stress. Escrow achieves this by contractually securing access to essential software, documentation, and deployment assets, enabling firms to maintain or transition important business services without reliance on the failing supplier.

What happens during software escrow verification?

Software escrow verification involves an independent review of the escrowed materials to confirm they are usable and complete. This typically includes validating source code, documentation, build instructions, and may extend to test builds and functional simulations. Verification aligns with SS2/21 expectations for assurance and evidence by demonstrating that exit and recovery plans are executable in practice, not merely documented in policy.

Why do we need escrow for SaaS applications?

With SaaS applications, the software is not accessed on a server located on the end user's premises. Instead, it is hosted remotely in the cloud by a hosting services provider, usually paid for by the software vendor. This introduces an additional layer of risk because it adds to the supply chain dependencies.

In addition, the data generated by the application is hosted in the cloud too. This means that if the software vendor were to stop answering the phone, both the application and the data could be beyond the reach of the end user immediately.

Some end users believe that a migration to a cloud service eliminates the need for an escrow arrangement.

But this is not true.

If anything, the need for escrow is greater for SaaS applications, because the additional layer of risk puts both the software and the data at risk if the worst should happen.

What should firms look for when choosing an escrow vendor for SS2/21?

Firms should select an escrow provider that offers strong contractual governance, clear release conditions aligned to stressed exit scenarios, and robust verification capabilities. The vendor should support audit-ready documentation, regular deposit updates, and independent testing outputs that can be presented to supervisors. Importantly, escrow arrangements must integrate with the firm’s wider outsourcing governance framework to support oversight, accountability, and regulatory scrutiny by the Prudential Regulation Authority.

How do financial institutions test their stressed exit plans with software escrow?

Financial institutions test stressed exit plans by using escrowed materials to simulate supplier failure scenarios, such as rebuilding systems in-house or transferring them to an alternative provider. This may involve technical recovery exercises, tabletop simulations, or partial system deployments using escrow assets. These tests provide tangible evidence that exit plans are credible and align directly with SS2/21 expectations that firms can continue delivering important business services under severe but plausible disruption.