Study on Principles on Outsourcing of Financial Services

PRINCIPLES ON OUTSOURCING OF FINANCIAL
SERVICES FOR MARKET INTERMEDIARIES

TECHNICAL COMMITTEE
OF THE
INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS

FEBRUARY 2005



Preamble

The IOSCO Technical Committee Standing Committee on the Regulation of Market
Intermediaries (SC3) published for public consultation in August 2004 a Consultation Report on
Principles on Outsourcing of Financial Services for Market Intermediaries. The Consultation
Report set out a set of principles that are designed to assist regulated entities in determining the
steps they should take when considering outsourcing activities. The Consultation Report also
contained some broad principles to assist securities regulators in addressing outsourcing in their
regular risk reviews of firms. Some members of SC3 surveyed industry participants in their
respective jurisdictions for information regarding current outsourcing practices. Following the
receipt of comments by the public, SC3 revised the Consultation Report and the IOSCO
Technical Committee approved the revised report during its 31 January – 1 February 2005
meeting.[1]

[1] In December 2000, the Technical Committee published its paper on the “Delegation of Functions”
pertaining to the asset management industry. This paper provided useful information and background that
was utilized by SC3 in its subsequent work on the issue of outsourcing by market intermediaries. The
publication of the present paper on outsourcing does not supersede or limit the applicability of the earlier
paper on delegation of functions with respect to the asset management industry, and to the specific
measures included in the December 2000 paper.


PRINCIPLES ON OUTSOURCING[1] OF
FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

I. Introduction

The volume of activities that regulated market intermediaries (“outsourcing firms” or
“firms”) outsource to third party service providers (“service providers”) continues to
increase. For purposes of this paper, “outsourcing” is defined as an event in which a
regulated outsourcing firm contracts with a service provider for the performance of any
aspect of the outsourcing firm's regulated or unregulated functions that could otherwise
be undertaken by the entity itself.[2] It is intended to include only those services that
were or can be delivered by internal staff and management. As discussed in Section II,
the service provider may be a related party within a corporate group, or an unrelated
outside entity. The service provider may itself either be regulated (whether or not by the
same regulator with authority over the outsourcing firm), or may be an unregulated
entity.[3]


According to this definition, outsourcing would not cover purchasing contracts,
although as with outsourcing, firms should ensure that what they are buying is
appropriate for the intended purpose. Purchasing is defined as the acquisition from a
vendor of services, goods or facilities without the transfer of the purchasing firm's
non-public proprietary or customer information.

Firms should consider several factors as they apply these principles to activities that fall
under the outsourcing definition. First, as discussed in section II.A, these principles
should be applied according to the degree of materiality of the outsourced activity to the
firm's business. Even where the activity is not material, the outsourcing entity should
consider the appropriateness of applying the principles. Second, as discussed in section
II.C, firms should consider any affiliation or other relationship between the outsourcing
entity and the service provider. While it is necessary to apply the Outsourcing Principles
to affiliated entities, it may be appropriate to adopt them with some modification to
account for the potential differing degrees of risk with respect to intra-group
outsourcing. Third, the firm may consider whether the service provider is a regulated
entity subject to independent supervision.

The utilization of outsourcing by the financial services industry can provide a number of
substantial benefits. For example, it may permit financial firms to obtain necessary
expertise at a lower cost than might be possible by hiring internal staff, and permit
firms to focus on their core business. By lowering costs, outsourcing may also permit
smaller firms and start-up companies to break into the market and increase market
competition.

[2] In this paper, “outsourcing” is limited to the initial transfer of a function from a regulated entity to a
service provider. Further transfers of a function (or a part of that function) from one third-party service
provider to another are referred to herein as “subcontracting.” In this connection, please note that in some
jurisdictions, the initial outsourcing is also referred to as subcontracting.

[3] In a study published by the Federal Reserve Bank of New York, the authors found that outsourcing in the
financial services industry was initially limited to activities that were relatively tangential to the firm’s
primary business, such as payroll processing. In recent years, however, outsourced activities have
included information technology, accounting, audit, electronic funds transfer, investment management
and human resources. The most frequently outsourced activity, according to a survey of commercial
institutions cited by the Federal Reserve Bank of New York, is some aspect of information technology
(e.g., desktop support). Next in importance is business process outsourcing, such as human resource
functions. See Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks, Federal
Reserve Bank of New York (Oct. 1999).

Outsourcing also poses a number of challenges, however, both for financial firms that
choose to undertake such a strategy, and for the regulators of such firms. With respect to
the financial firm, transferring a function to a third party may have a detrimental impact
on the firm’s understanding of how the function is performed, with a consequent loss of
control. The lack of control over a firm’s proprietary and customer-related information
and software may also hinder the ability of an outsourcing firm to maintain its
proprietary and customer-related information and software, and may also impact on the
confidentiality of customer records. There is the potential that the inappropriate
selection of a service provider may lead to a business disruption, with negative
consequences for the outsourcing firm’s customers, and, in certain instances, the
potential for systemic risk to the market as a whole.

Principle 23 of the Objectives and Principles for Securities Regulation requires that the
issues identified above be addressed. It states that “market intermediaries should be
required to comply with standards for internal organizations and operational conduct
that aim to protect the interests of clients, ensure proper management of risk, and under
which management of the intermediary accepts primary responsibility for these
matters”. The Objectives and Principles also note that “Effective policies and
operational procedures and controls in relation to the firm’s day-to-day business
operations should be established.” See id. at §12.5.

Outsourcing poses important challenges to the integrity and effectiveness of financial
services regulatory systems. First, where outsourcing takes place by regulated entities, a
firm’s control over the people and processes dealing with the outsourced function may
decrease. Nonetheless, regulators require that the outsourcing firm, including its board
of directors and senior management, remain fully responsible (towards clients and
regulatory authorities) for the outsourced function, as if the service was being
performed in-house.[4] In some jurisdictions, as discussed below, regulators impose
restrictions on the outsourcing of certain functions where they believe the outsourcing
introduces an unacceptable risk or is critical to the function of an intermediary.
Second, regulators expect that they will have complete access to books and records
concerning an outsourcing firm’s activities, even if such documents are in the custody
of the firm’s service provider. Regulators must also take account of possible operational
and systemic risks that may exist in the event that multiple regulated entities use a
common service provider.

II. Fundamental Precepts

A. Materiality of Outsourcing

The following Principles set out regulators’ expectations for outsourcing firms. These
principles should be applied according to the degree of materiality of the outsourced
activity to the ongoing business of the outsourcing firm and its regulatory obligations.
Even where the activity is not material, the outsourcing firm should consider the
appropriateness of applying the principles.

[4] Id.

For areas of business activity that are not restricted by the regulator, the outsourcing
firm should develop a process for determining the materiality of outsourcing
arrangements. The assessment of what is material is often a subjective one and depends
on the circumstances of the particular outsourcing firm. Factors to be considered
include, but are not limited to:

• Financial, reputational and operational impact on the outsourcing firm of the
failure of a service provider to perform;
• Potential impact of outsourcing on the provision of adequate services to an
outsourcing firm’s customers;
• Potential losses to an outsourcing firm's customers on the failure of a service
provider to perform;
• Impact of outsourcing the activity on the ability and capacity of the outsourcing
firm to conform with regulatory requirements and changes in requirements;
• Cost;
• Affiliation or other relationship between the outsourcing firm and the service
provider;
• Regulatory status of the service provider; and
• Degree of difficulty and time required to select an alternative service provider or
to bring the business activity in-house, if necessary.


B. Accountability and Scope of Outsourcing

The outsourcing firm, its management and its governing authority retain full legal
liability and accountability to the regulator for any and all functions that the firm may
outsource to a service provider to the same extent as if the service were provided
in-house. In this regard, the relevant regulator may impose sanctions and penalties on a
regulated entity in its jurisdiction for violations of statutory and regulatory requirements
that resulted in whole or in part from the failure of a service provider (whether licensed
or unlicensed) to perform its contractual obligations for the outsourcing firm.

Accordingly, management and the governing authority of the outsourcing firm should
develop and implement appropriate policies designed to achieve satisfaction of these
Outsourcing Principles, periodically review the effectiveness of those policies, and
address outsourcing risks in an effective and timely manner. Outsourcing firms should
also be aware of and comply with local mechanisms that may have been put in place to
implement these Principles. Such mechanisms may take the form of government
regulation, regulations imposed by non-government statutory regulators, industry codes
or practices, or some combination of these items. Whatever level of outsourcing is
utilized, outsourcing firms remain responsible for conducting due diligence (see topic
1).

The outsourcing firm must retain the competence and ability to be able to ensure that
the firm complies with all regulatory requirements. Moreover, outsourcing must not be
permitted to impair the regulator’s ability to exercise its statutory responsibilities, such
as the proper supervision and audit of the firm.


Regulators should also consider the implications that the use of unlicensed service
providers may have on the regulator’s ability to supervise properly securities activities
in their jurisdiction. Such concerns may be heightened in instances where the
outsourcing firm delegates to the service provider the authority to act in the name of the
outsourcing firm.

C. Outsourcing to Affiliates

While the Outsourcing Principles apply regardless of whether such outsourcing is
performed by an affiliated entity of a corporate group or by an entity that is external to
the corporate group, the risks associated with outsourcing activities to an affiliated
entity within a corporate group may be different than those encountered in outsourcing
to an unaffiliated external service provider. In certain cases, risks may not be as
pronounced within an affiliated group. For example, there may be an ability by the
outsourcing firm to control the actions of the service provider, and the outsourcing firm
may have a high familiarity with the service provider’s business attributes. Such factors
might reduce the risks involved in outsourcing. However, intra-group outsourcing may
be less than an arm’s-length relationship, and the outsourcing firm (and its customers)
may have different interests than the affiliated service provider. Moreover, in some
cases, the intra-group relationship may as a practical matter restrict the outsourcing
firm’s ability to control the service provider. These factors may increase the potential
risk in certain instances. Accordingly, while it is necessary to apply the Outsourcing
Principles to affiliated entities, it may be appropriate to adopt them with some
modification.

D. Outsourcing on a Cross-Border Basis

The Outsourcing Principles apply to functions that are outsourced within the jurisdiction
in which the outsourcing firm maintains a presence, as well as on a cross-border basis.
However, with respect to outsourcing on a cross-border basis, there may be additional
concerns that are raised, which may not necessarily be present with respect to cases
where the service provider is in the same jurisdiction as that of the outsourcing firm.
For example, in the event of an emergency, it may be more difficult to monitor and
control the function that was outsourced, or to implement appropriate responses in a
timely fashion. Moreover, the use of a foreign service provider may necessitate an
analysis of economic, social or political conditions that might adversely impact the
service provider’s ability to perform effectively for the outsourcing firm.

In light of these concerns, outsourcing on a cross-border basis may raise additional
issues that should be addressed during the due diligence process (see topic 1), as well as
during the implementation of a contract with a foreign service provider (see topic 2).
Special consideration and procedures may be necessary with respect to other issues
relating to the use of a foreign service provider – for example, as discussed in topic 7,
there may be particular concerns with the provision of books and records maintained in
a foreign jurisdiction, as well as issues relating to the translation of such books and
records.





III. Outsourcing Principles

Topic 1: Due diligence in selection and monitoring of service provider and
service provider's performance

Principle: An outsourcing firm should conduct suitable due diligence processes in
selecting an appropriate third party service provider and in monitoring its ongoing
performance.

It is important that outsourcing firms exercise due care, skill, and diligence in the
selection of third party service providers, so that they can be satisfied that the third party
service provider has the ability and capacity to undertake the provision of the service
effectively.

The outsourcing firm should also establish appropriate processes and procedures for
monitoring the performance of the third party service provider. In determining the
appropriate level of monitoring processes and procedures, the outsourcing firm should
consider the materiality of the outsourced activity to the ongoing business of the
outsourcing firm and its regulatory obligations, as discussed in the introduction to these
Principles.

Means for Implementation

It is expected that outsourcing firms will implement appropriate means, such as the
following, for ensuring that they select suitable service providers and that service
providers are appropriately monitored, having regard to the services they provide:

Documenting processes and procedures that enable the outsourcing firm to
assess, prior to selection, the third party service provider’s ability and
capacity to perform the outsourced activities effectively, reliably, and to a
high standard, including the service provider’s technical, financial and
human resources capacity, together with any potential risk factors associated
with using a particular service provider.

Documenting processes and procedures that enable the outsourcing firm to
monitor the third party service provider's performance and compliance with
its contractual obligations, including processes and procedures that:

• Clearly define metrics that will measure the service level, and specify
what service levels are required; and

• Establish measures to identify and report instances of non-compliance or
unsatisfactory performance to the outsourcing firm as well as the ability
to assess the quality of services performed by the service provider on a
regular basis (see also topic 2).




Implementing processes and procedures designed to help ensure that the
service provider is in compliance with applicable laws and regulatory
requirements in its jurisdiction, and that where there is a failure to perform
duties required by statute or regulations, the outsourcing firm, to the extent
required by law or regulation, reports the failure to its regulator and/or
self-regulatory organization and takes corrective actions.[5] For example,
procedures may include:

• The use of service delivery reports and the use of internal and external
auditors to monitor, assess, and report to the outsourcing firm on
performance;

• The use of written service level agreements or the inclusion of specific
service level provisions in contracts for service to achieve clarity of
performance targets and measurements for third party service providers.

With respect to outsourcing on a cross-border basis, in determining whether
the use of a foreign service provider is appropriate, the outsourcing firm
may, with respect to a function that is material to the firm, need to conduct
enhanced due diligence that focuses on special compliance risks, including
the ability to effectively monitor the foreign service provider, the ability to
maintain the confidentiality of firm and customer information; and the ability
to execute contingency plans and exit strategies where the service is being
performed on a cross-border basis.

[5] Such a requirement is consistent with regulations in many IOSCO jurisdictions requiring that a firm
notify its regulator with respect to any breaches of law that may have occurred.

Topic 2: The contract with a service provider

Principle: There should be a legally binding written contract between the outsourcing
firm and each third party service provider, the nature and detail of which should be
appropriate to the materiality of the outsourced activity to the ongoing business of the
outsourcing firm.

A legally binding written contract between an outsourcing firm and a service provider is
an important management tool. Appropriate contractual provisions can reduce the risks
of non-performance or disagreements regarding the scope, nature, and quality of the
service to be provided. A written contract will help facilitate the monitoring of the
outsourced activities by the outsourcing firm and/or by securities regulators.

The level of detail of the contents of the written contract should reflect the level of
monitoring, assessment, inspection and auditing required, as well as the risks, size and
complexity of the outsourced services involved.

Means for Implementation

An outsourcing firm is expected to have a written, legally binding contract between
itself and the third party service provider, appropriate to the materiality of the
outsourced activity to the ongoing business of the firm. The contract may include, as
applicable, provisions dealing with:

Limitations or conditions, if any, on the service provider's ability to
subcontract, and, to the extent subcontracting is permitted, obligations, if any, in
connection therewith;

Firm and client confidentiality (see also topic 4);

Defining the responsibilities of the outsourcing firm and the responsibilities
of the service provider and subcontractors, if any, and how such
responsibilities will be monitored;

Responsibilities relating to IT security (see also topic 3);

Payment arrangements;

Liability of the service provider to the outsourcing firm for unsatisfactory
performance or other breach of the agreement;

Guarantees and indemnities;

Obligation of the service provider to provide, upon request, records,
information and/or assistance concerning outsourced activities to the
outsourcing firm, its auditors and/or its regulators (see topic 7);

Mechanisms to resolve disputes that might arise under the outsourcing
arrangement;


Business continuity provisions (see topic 3);

With respect to outsourcing on a cross-border basis, choice of law
provisions;

Termination of the contract, transfer of information and exit strategies (see
also topic 6).




Topic 3: Information Technology Security and Business Continuity at the
Outsourcing Firm

Principle: The outsourcing firm should take appropriate measures to determine that:

(a) Procedures are in place to protect the outsourcing firm’s proprietary and
customer-related information and software; and
(b) Its service providers establish and maintain emergency procedures and a plan
for disaster recovery, with periodic testing of backup facilities.

Effective and reliable information technology systems are fundamental to the ongoing
business of securities firms. The June 2001 IOSCO Internet Task Force Report noted
that a breakdown in information technology capacity that impairs access to markets can
compromise the trading and the financial position of investors. Security breaches can
undermine investors’ privacy interests, and have a damaging effect on an outsourcing
firm’s reputation, which may ultimately cause a loss of market confidence and impact
on the overall operational risk profile of the firm. Moreover, robust IT security is
particularly important where details of client assets or the assets themselves might be
vulnerable to unauthorized access. Accordingly, outsourcing firms should seek to ensure
that service providers maintain appropriate IT security and, when appropriate, disaster
recovery capabilities. As part of its reviews of these matters, an outsourcing firm should
also take into account whether additional issues are raised when the outsourcing is
performed on a cross-border basis.

Means for Implementation

Outsourcing firms are expected to take appropriate steps to require, in appropriate cases
based on the materiality of the function that is being outsourced, that service providers
have in place a comprehensive IT security program. These steps may include:

Specification of the security requirements of automated systems to be used
by the service provider, including the technical and organizational measures
that will be taken to protect firm and customer-related data. Appropriate
care should be exercised to ensure that IT security protects the privacy of the
outsourcing firm’s customers as mandated by law;

Requirements that the service provider maintain appropriate measures to
ensure security of both the outsourcing firm’s software as well as any
software developed by the service provider for the use of the outsourcing
firm;

Specification of the rights of each party to change or require changes to
security procedures and requirements and of the circumstances under which
such changes might occur;

Provisions that address the service provider’s emergency procedures and
disaster recovery and contingency plans as well as any particular issues that
may need to be addressed where the outsourcing firm is utilizing a foreign
service provider. Where relevant, this may include the service provider’s
responsibility for backing up and otherwise protecting program and data
files, as well as regulatory reporting;

Where appropriate, terms and conditions relevant to the use of
subcontractors with respect to IT security, and appropriate steps to minimize
the risks arising out of such subcontracting;

Where appropriate, requirement of testing by the service provider of critical
systems and back-up facilities on a periodic basis in order to review the
ability of the service providers to perform adequately even under unusual
physical and/or market conditions at the outsourcing firm, the service
provider, or both, and to determine whether sufficient capacity exists under
all relevant conditions;

Requirement of disclosure by the service provider of breaches in security
resulting in unauthorized intrusions (whether deliberate or accidental, and
whether confirmed or not) that may affect the outsourcing firm or its
customers, including a report of corrective action taken; and

Provisions in the outsourcing firm’s own contingency plans that address
circumstances in which one or more of its service providers fail to
adequately perform their contractual obligations. Where relevant, this may
include reporting by the outsourcing firm to its regulator. The outsourcing
firm may need to require contractually information from the service provider
to fulfill this obligation.


Topic 4: Client Confidentiality Issues

Principle: The outsourcing firm should take appropriate steps to require that service
providers protect confidential information regarding the outsourcing firm’s proprietary
and other information, as well as the outsourcing firm’s clients from intentional or
inadvertent disclosure to unauthorized individuals.

Unauthorized disclosure of confidential firm and customer information could have a
number of negative consequences. Such unauthorized disclosure could result in damage
to the firm’s reputation, financial losses, and the loss of or risk to proprietary
information (including the firm’s trade secrets). In addition, unauthorized disclosure
could result in the disclosure of private and sensitive information about individuals who
have a reasonable expectation of privacy, and might also result in a material financial
loss to a firm’s customers. In addition to the potential harm to a firm’s customers, an
unauthorized disclosure could also result in the outsourcing firm having financial
liability to its customers and/or its regulators, possibly affecting the firm’s solvency.
Where appropriate, regulators may choose to review the protections that are in place
between the outsourcing firm and the service provider and, in addition, may choose to
review the measures that are in place between a service provider and its agents that may
have an impact on the data and/or its use, so that there are no unauthorized disclosures
among the various service providers.

Means for Implementation

Regulated firms that engage in outsourcing are expected to take appropriate steps to
confirm that confidential firm and customer information is not misused or
misappropriated. Such steps may include insertion of provisions in the contract with the
service provider that:

Prohibit the service provider and its agents from using or disclosing the
outsourcing firm’s proprietary information or that of the firm’s customers,
except as necessary to provide the contracted services; and

Where appropriate, including terms and conditions relevant to govern the use
of subcontractors with respect to firm and client confidentiality.

Outsourcing firms should also consider whether it is appropriate to notify customers that
customer data may be transmitted to a service provider, taking into account any
regulatory or statutory provisions that may be applicable.

Regulators should seek to become aware of whether outsourcing firms within their
jurisdiction are taking appropriate steps to monitor their relationships with service
providers with respect to the protection of confidential firm and customer information.


Topic 5: Concentration of Outsourcing Functions

Principle: Regulators should be cognizant of the risks posed where one service
provider provides outsourcing services to multiple regulated entities.

Where multiple outsourcing firms use a common service provider, operational risks are
correspondingly concentrated, and may pose a threat of systemic risk. For example, if
the service provider suddenly and unexpectedly becomes unable to perform services
that are critical to the business of a significant number of regulated outsourcing firms,
each of the regulated entities will be similarly disabled. Alternatively, if multiple
outsourcing firms depend upon the same provider of business continuity services (e.g., a
common disaster recovery site), a disruption that affects a large number of those entities
may result in a lack of capacity for the business continuity services. Each of these
scenarios may result in follow-on effects on markets that depend on participation by the
outsourcing firms, or on public confidence.

Means for Implementation

Regulators should consider the following means for addressing concentration risk:

Taking steps to become aware of cases where a significant proportion of
their regulated entities rely upon a single service provider to provide critical
functions. This could include, where appropriate, a monitoring program
and/or a risk assessment methodology, and the collection of routine
information on outsourcing arrangements from outsourcing firms and/or
service providers. In this regard, regulators should be cognizant of the
potential that subcontracting by service providers of a particular function
may itself result in concentration risk;

Tailoring their examination programs or related activities in light of
concentrations of outsourcing activity.

Where a regulator has identified a possible concentration risk issue, outsourcing firms
should consider taking steps to ensure, to the degree practicable, that the service
provider has adequate capacity to meet the needs of all outsourcing firms, both during
normal operations as well as unusual circumstances (e.g., unusual market activity,
physical disaster).


Topic 6: Termination Procedures

Principle: Outsourcing with third party service providers should include contractual
provisions relating to termination of the contract and appropriate exit strategies.

Where an activity is outsourced, there is an increased risk that the continuity of the
particular activity in terms of daily management and control of that activity, information
and data, staff training, and knowledge management, is dependent on the service
provider continuing in that role and performing that function. This risk needs to be
managed by an agreement between the firm and the service provider taking into account
factors such as when an arrangement can be terminated, what will occur on termination
and strategies for managing the transfer of the activity back to the firm or to another
party.

Means for Implementation

Outsourcing firms are expected to take appropriate steps to manage termination of
outsourcing arrangements. These steps may include provisions in contracts with service
providers such as the following:

Termination rights, e.g., in case of insolvency, liquidation or receivership,
change in ownership, failure to comply with regulatory requirements, or poor
performance;

Minimum periods before an announced termination can take effect to allow
an orderly transition to another provider or to the firm itself, and to provide
for the return of customer-related data, and any other resources;

The clear delineation of ownership of intellectual property following the
contract’s termination, and specifications relating to the transfer of
information back to the outsourcing firm.


Topic 7. Regulator's and Intermediary’s Access to Books and Records,
Including Rights of Inspection.

Principle: The regulator, the outsourcing firm, and its auditors should have access to
the books and records of service providers relating to the outsourced activities and the
regulator should be able to obtain promptly, upon request, information concerning
activities that are relevant to regulatory oversight.

As set forth in IOSCO Principle 12.7, the regulator should have the right to inspect
books and records of regulated entities. Accordingly, regulators should be able, upon
request, to obtain promptly any books and records pertaining to the regulated activity,
irrespective of whether they are in the possession of the outsourcing firm or the third
party service provider, and to obtain additional information concerning regulated
activities performed by the service provider. A regulator’s access to such books and
records may be direct or indirect, though the outsourcing firm should always maintain
direct access to such books and records. This may include a requirement that the books
and records be maintained in the regulator’s jurisdiction, or that the service provider
agrees to send originals or copies of the books and records to the regulator’s jurisdiction
upon request. Moreover, in order to facilitate the regulator’s access to books and records
as well as to maintain orderly business operations of the outsourcing firms,
arrangements between outsourcing firms and service providers should seek to ensure
that the outsourcing firms have appropriate access to books and records and other
information where it is in the custody of a third party.

Means for Implementation:

Outsourcing firms are expected to take steps to ensure that they and their regulators
have access to books and records of service providers concerning outsourced activities,
and that their regulators have the right to obtain, upon request, information concerning
the outsourced activities. These steps may include the following:

Contractual provisions by which the outsourcing firm (including its auditor)
has access to, and a right of inspection of, the service provider's books and
records dealing with outsourced activities, and similar access to the books
and records of any subcontractor. Where appropriate, these may include
physical inspections at the premises of the service provider, delivery of
books and records or copies of books and records to the outsourcing firm or
its auditor, or inspections that utilize electronic technology (i.e., “virtual
inspections”);

Contractual provisions by which the service provider is required to make
books, records, and other information about regulated activities by the
service provider available to the regulator upon request and, in addition, to
comply with any requirements in the outsourcing firm’s jurisdiction to
provide periodic reports to the regulator.

Regulators should consider implementation of appropriate measures designed to support
access to books, records and information of the service provider about the performance
of regulated activities. These measures may include:

Where appropriate, taking action against outsourcing firms for the failure to
provide books and records required in that jurisdiction, without regard to
whether the regulated entity has transferred possession of required books and
records to one or more of its service providers;

Imposing specific requirements concerning access to books and records that
are held by a service provider and which are necessary for the authority to
perform its oversight and supervisory functions with respect to regulated
entities in its jurisdiction. These may possibly include requiring that records
be maintained in the regulator’s jurisdiction, allowing for a right of
inspection, or requiring that the service provider agree to send originals or
copies of the books and records to the regulator’s jurisdiction upon request.

