View the Standard

The document examines trends in outsourcing in the financial sector, it highlights the potential risks that outsourcing activities can pose to firms, while recognising the substantial benefits that outsourcing can provide. To assist firms and regulators in considering their outsourcing activities, the report presents a set of nine principles outlining issues that should be taken into account in the process while recognising that a firm's senior management remains responsible for activities that are outsourced:

  • A regulated entity seeking to outsource activities should have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced. The board of directors or equivalent body retains responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.
  • The regulated entity should establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the service provider.
  • The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by regulators.
  • The regulated entity should conduct appropriate due diligence in selecting third-party service providers.
  • Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.
  • The regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.
  • The regulated entity should take appropriate steps to require that service providers protect confidential information of both the regulated entity and its clients from intentional or inadvertent disclosure to unauthorised persons.
  • Regulators should take into account outsourcing activities as an integral part of their ongoing assessment of the regulated entity. Regulators should assure themselves by appropriate means that any outsourcing arrangements do not hamper the ability of a regulated entity to meet its regulatory requirements.
  • Regulators should be aware of the potential risks posed where the outsourced activities of multiple regulated entities are concentrated within a limited number of service providers.

Issues for consideration in drawing up contracts and contingency planning are also discussed