The UK’s Prudential Regulation Authority (PRA) has included software and technology escrow as resiliency options for firms to consider when undertaking business continuity and exit planning.
This is the first time an escrow agreement has been included on the PRA’s list of viable options.
The recommendation was made in its most recent Supervisory Statement, a publication that offers guidance for businesses across the banking and financial services sector on what they should do when outsourcing services and mitigating third-party risk.
The Supervisory Statement follows the Bank of England’s Consultation Paper 30/19 published in 2019, which set out the key considerations to take forward in the official guidance.
While it does not mandate or favour a single resiliency option within its publication, the PRA encourages firms to explore appropriate and viable options which, the PRA states explicitly, ‘may include escrow’.
Delighted that the PRA has explicitly included escrow agreements, technology escrow providers in the UK said that they will continue to engage with regulators worldwide to encourage them to acknowledge escrow agreements as a mechanism that enables organisations to comply with third-party risk mitigation, outsourcing and business continuity requirements and as a way to operate and grow in a resilient, safe and secure way.
Commenting on the news out of the UK, Escrow Europe director, Andrew Stekhoven, says Gartner has long maintained that technology escrow is a smart and effective component of a business continuity strategy that software licensees can use to protect their mission-critical applications in an ever-changing environment.
“There is no doubt that there are operational risks when one has a service provider because confidential information leaves the company. In IT governance one seeks confidentiality; integrity and availability of the functioning system; possession of the system, authenticity of system information; and assurance that the system is usable and useful,” he says.
In South Africa, the King Report on Corporate Governance published by the Institute of Directors cites three lines of defence for risk management: line management, risk experts and then assurance functions. One such assurance function endorsed by the IoD is active escrow.
“For every South African CFO or CTO who takes the view that software and technology escrow solutions offer legal and technical assurance to allow firms to adopt, innovate and manage third-party technologies with confidence, there is – unfortunately – one who doesn’t. And that’s a situation Escrow Europe would like to see change,” adds Stekhoven.
“An active escrow agreement safeguards your business-critical software using an agreement between you and your service provider that includes both compulsory verifications of every deposit and tracking of updates and new releases thereby safeguarding the quality of the deposits, ensuring business continuity when the unforeseen happens.”
Escrow Europe is a BEE certified provider of active software escrow in South Africa, and a former recipient of the Institute of Risk Management of South Africa’s Best Small Business Initiative Related to Risk Management Award.