Financial Supervisory Authority of Norway notes missing annual testing of PRA Group Norge’s ICT disaster recovery plan in on-site inspection report

The Financial Supervisory Authority of Norway has published an on-site inspection report on PRA Group Norge AS covering the firm’s risk assessments, internal control, debt collection process routines, client funds reconciliations, sample-based case handling, and compliance with the ICT Regulation. The main remark concerned the firm’s failure to carry out annual training and testing of its documented disaster recovery plan. The inspection (6–7 October 2025) found the firm’s routines and documentation for reconciling client funds to be in line with Finanstilsynet Circular 7/2013. Finanstilsynet also requested additional explanations on handling cases involving VAT joint registration within the group, routines for invoicing court fees in purchased portfolios where legal steps had already been initiated, and case handling following debtor complaints; it took note of the firm’s explanations in these areas, as well as its approach to risk assessments for outsourced arrangements abroad. Under the ICT Regulation, the disaster recovery plan must be exercised and tested at least annually with documented results; the firm stated that annual testing had not been performed, but subsequently carried out an exercise and test which Finanstilsynet took note of. Finanstilsynet asked the firm to send a copy of the report letter to its auditor.