Wake up and get ready to pay fines! Your guide to global regulations and how software escrow can assist.

With increased cloud adoption and use of third-party services, businesses worldwide are facing tighter regulations and increased pressure on regulated institutions, in the banking sector for example, to appropriately manage and mitigate risks across their supply chain. Understanding and adhering to these regulations is essential to avoiding hefty fines and maintaining operational reliability. This article reviews these important regulations – PRA SS1/21, DORA and APRA CPS 23, as well as exploring what the US regulatory agencies are doing. We then go on to explain how software escrow agreements (also known as source code escrow) and SaaS Escrow agreements can help mitigate these risks and ensure compliance for businesses.


Understanding the Regulatory Landscape

PRA’s Outsourcing and Third-Party Risk Management (PRA SS2/21)
Most companies regulated by the Prudential Regulation Authority (PRA) including banks, financial institutions, credit unions and insurance firms are adopting SaaS hosted applications for many critical applications within their companies.

The PRA SS2/21 and PS7/21 polices are aimed at ensuring these regulated companies have robust continuity measures in place for services designated under outsourcing and third-party risk management. The new policies came into effect on the 31st March 2022. All the information about PRA SS2/21 can be found here.

The Digital Operational Resilience Act (DORA)
The European Union’s aim of the Digital Operational Resilience Act (DORA) is to improve the cybersecurity and operational resiliency of the financial services sector. As an integral part of the ICT risk management framework, DORA requires financial companies such as banks, insurance companies and investment firms to adopt a robust and comprehensive digital operational resilience testing program covering ICT tools, systems and processes.

Before DORA, financial institutions may not have managed all components of operational resilience, however, with DORA, they must also follow strict rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents.

DORA entered into force on 16th January 2023, 20 days after its initial publication in the Official Journal of the European Union on 27 December 2022. Financial entities in the European Union (EU) and their critical ICT providers must be ready to comply with DORA by 17th January 2025. Further information about DORA can be found here.

APRA CPS 230: Operational Risk Management in Australia
The Australian Prudential Regulation Authority (APRA) has introduced the Prudential Standard CPS 230 Operational Risk Management (CPS 230), a standard aimed at supporting operational risk management across the financial services sector in Australia. The new standard, which comes into effect on 1st July 2025, highlights the importance of resilience, enhancement of risk management practices and effective operational controls. All the information about APRA CPS 230 can be found here.

Regulatory Agencies in the United States
Regulatory agencies in the United States have also tightened their belts when it comes to third-party risk management and outsourcing. The Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve Board (FED Board), released revised guidelines in June of this year for third-party risk management. Notably consideration to establish software escrow agreements when a banking organisation licenses software so access is available to source code and applications under certain circumstances such as insolvency of the  third-party software vendor. Click here for more information about the US regulations.

How Software Escrow Can Mitigate Risks And Ensure Regulatory Compliance

Software escrow agreements (also known as source code escrow) and SaaS escrow agreements can provide a safety net for organisations relying on third-party software whether they reside on-premise or in the cloud.

By depositing the software source code, documentation and other critical assets such as databases with an independent software escrow vendor, businesses can mitigate risks associated with vendor failure or software discontinuity. Here’s how software escrow and SaaS escrow can assist with compliance:

  • Ensuring business continuity – There is a need for businesses to ensure robust business continuity plans. Software escrow and SaaS escrow can ensure critical source code and other assets are accessible in the event of a software vendor failure, therefore maintaining business operations without disruption.
  • Improving third-party risk management – Businesses today are being pressured to ensure their third-party risk management practices adhere to regulatory standards. Software escrow and SaaS escrow can help businesses safeguard against the potential risks of vendor insolvency or discontinuation of support, ensuring compliance.
  • Regular testing and validation of software –  Software escrow and SaaS escrow can also include regular verification and testing services which are important to ensure the source code deposit will be accessible and usable.

Conclusion

Navigating the complex world of global regulations can be a daunting task, but understanding key requirements and leveraging solutions like software escrow and SaaS escrow can significantly ease the burden. By ensuring business continuity, enhancing third-party risk management and supporting compliance efforts, software escrow agreements serve as a vital component when it comes to regulatory compliance. Stay ahead of the curve, safeguard your operations and mitigate risks by integrating software escrow and SaaS escrow into your regulatory compliance strategy, or be ready to pay those fines!

##

About Escrow London

Escrow London is a global software and SaaS escrow company with offices in Sydney, Australia and London, UK. Our North American division called The Escrow Company, is based in Atlanta, US.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients includes major law firms, banks, central banks, insurance companies, technology companies and government organisations.

To find out more about Escrow London and our software escrow and SaaS continuity escrow solutions, visit our YouTube channel.