• OM-2 Outsourcing

    • OM-2.1 Introduction

      • OM-2.1.1

        This chapter sets out the Agency's approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

      • OM-2.1.2

        In the context of this chapter, 'outsourcing' means an arrangement whereby a third party performs on behalf of a licensee an activity which was previously undertaken by the licensee itself (or in the case of a new activity, one which commonly would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, customer call centres and back-office related activities.

      • OM-2.1.3

        Most of the Regulations in this chapter are concerned with situations where the third party provider is outside the licensee's group. Section OM-2.8, however, sets out the Agency's requirements when a service is outsourced to a company within the licensee's group.

      • OM-2.1.4

        The requirements in this chapter only apply to 'material' outsourcing arrangements. These are arrangements that, if they failed in any way, would pose significant risks to the on-going operations of a licensee, its reputation and/or quality of service provided to its customers. For instance, the outsourcing of all or a substantial part of functions such as customer sales and relationship management, settlements and processing, IT and data processing and financial control, would normally be considered 'material'.

      • OM-2.1.5

        Management should carefully consider whether a proposed outsourcing arrangement falls under this chapter's definition of 'material'. If in doubt, management should consult with the Agency.

      • OM-2.1.6

        The requirements in this chapter only apply to outsourcing arrangements entered into after the issuance of the original circular as depicted in paragraph OM-A.3.3. In the case of pre-existing outsourcing agreements, the Agency requires licensees to apply the requirements of this chapter to the fullest extent possible when these arrangements are subsequently renewed.

      • Legal source

        • OM-2.1.7

          The BMA "Standard Conditions and Licensing Criteria" require a licensee's activities to be conducted in an orderly manner and subject to appropriate sound risk management systems, in accordance with the regulations, circulars, notices and directions of the Agency.

    • OM-2.2 Supervisory approach

      • OM-2.2.1

        The Agency recognises the benefits that can potentially be achieved through outsourcing an activity to a third party provider. They can include reduced costs, enhanced service quality and a reduction in management time spent on non-core activities. However, outsourcing an activity also poses potential risks. These include the ability of the service provider to maintain service quality levels, reduced control over the activity and access to relevant information, and increased legal and client confidentiality risks.

      • OM-2.2.2

        The Agency's approach is to allow licensees the freedom to enter into outsourcing arrangements, providing these have been properly structured and associated risks addressed. The Agency requires prior approval to be sought by licensees wishing to outsource material activities, to give the Agency the opportunity to verify that the proposed arrangements are adequate.

      • OM-2.2.3

        The Agency expects licensees to have undertaken a thorough assessment of a proposal before formally submitting a notification to the Agency. However, the Agency is also willing to discuss ideas informally at an early stage of development, on a 'no-commitment' basis. It especially encourages an early approach when the proposed outsourcing is particularly material or innovative.

      • OM-2.2.4

        Once an outsourcing arrangement has been implemented, the Agency requires a licensee to continue to monitor the associated risks and the effectiveness of its mitigating controls. It will verify this through the course of its normal on-site and off-site supervisory processes, such as prudential meetings and on-site examinations. The Agency also requires access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.

      • OM-2.2.5

        Fundamental to the Agency's supervisory approach to outsourcing is that the Board and management of the licensee may not abdicate their responsibility for a licensee's business and the way its customers are treated. The Board and management remain ultimately responsible for the effectiveness of systems and controls in outsourced activities.

    • OM-2.3 Notifications and prior approval

      • OM-2.3.1

        A licensee must formally notify the Agency and seek its prior approval before committing to a new material outsourcing arrangement.

      • OM-2.3.2

        The above notification must:

        (a) be made in writing to the licensee's normal supervisory contact;
        (b) contain sufficient detail to demonstrate that relevant issues raised in section OM-2.4 onward of this chapter have been addressed; and
        (c) be made at least 6 weeks before the licensee intends to commit to the arrangement.

      • OM-2.3.3

        The Agency will review the information provided and provide a definitive response within 6 weeks of receiving the notification. Where further information is requested from the licensee, however, the time taken to provide this further information will not be taken into account. The Agency may also contact home or host supervisors of the licensee or the service provider, to seek their comments — in such cases, the 6-week turnaround is also subject to the speed of their response.

      • OM-2.3.4

        Once an activity has been outsourced, a licensee must immediately inform its normal supervisory contact at the Agency of any material problems encountered with the outsourcing provider. In exceptional cases, the Agency reserves the right to direct a licensee to make alternative arrangements for the outsourced activity.

    • OM-2.4 Risk assessment

      • OM-2.4.1

        Licensees must undertake a thorough risk assessment of an outsourcing proposal before formally notifying the Agency and committing themselves to an agreement.

      • OM-2.4.2

        The risk assessment should — amongst other things — include an analysis of:

        (a) the business case;
        (b) the suitability of the outsourcing provider; and
        (c) the impact of the outsourcing on the licensee's overall risk profile and its systems and controls framework.

      • OM-2.4.3

        In assessing the suitability of the outsourcing provider, the licensee should amongst other things consider its financial soundness, its technical competence, its commitment to the arrangement, and its reputation.

      • OM-2.4.4

        Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider and the on-going impact of the agreement on their risk profile and systems and controls framework. Such reviews should take place at least every year.

      • OM-2.4.5

        A licensee must nominate a member of senior management with day-to-day responsibility for handling the relationship with the outsourcing provider and ensuring that relevant risks are addressed. This person should be notified to the Agency as part of the notification required under section OM-2.3 above.

    • OM-2.5 Outsourcing agreement

      • OM-2.5.1

        The activities to be outsourced and respective contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. This agreement must — amongst other things — address the following points:

        (a) Control over outsourced activities
        1. The Board and management of licensees are held ultimately responsible by the Agency for the adequacy of systems and controls in outsourced activities. Licensees must therefore ensure that they have adequate mechanisms for monitoring the performance of, and managing the relationship with, the outsourcing provider.
        2. A service level agreement ("SLA") — setting out the standards of service to be provided — must form part of the outsourcing agreement. Where the outsourcing provider interacts directly with a licensee's customers, the SLA should — where relevant — reflect the licensee's own standards regarding customer care.
        3. Mechanisms for the regular monitoring by licensees of performance against the SLA and other targets, and for implementing remedies in case of any shortfalls, should also form part of the agreement.
        4. Clear reporting and escalation mechanisms should be specified in the agreement.
        5. Where an outsourcing provider in turn decides to sub-contract to other providers, the original provider must remain contractually liable to the licensee for the quality and level of service agreed, and its obligations to the licensee must remain unchanged.
        (b) Customer data confidentiality
        1. Licensees should ensure that outsourcing agreements comply with all applicable legal requirements regarding customer confidentiality.
        2. Licensees should ensure that the outsourcing provider implements adequate safeguards and procedures. Amongst other things, customer data should be properly segregated from those belonging to other clients the outsourcing provider may have. Outsourcing providers should give suitable undertakings that the company and its staff will comply with all applicable confidentiality rules. Licensees should have contractual rights to take action against the service provider in the event of a breach of confidentiality.
        3. Licensees should assess the impact of using an overseas-based outsourcing provider on their ability to maintain customer data confidentiality, for instance, because of the powers of local authorities to access such data.
        (c) Access to information
        1. Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information they may require to fulfill their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.
        2. Licensees must also ensure that the Agency has timely access to any relevant information it may reasonably require under the law. Such access must allow the Agency to conduct on-site examinations of the outsourcing provider, if required.
        3. Where the outsourcing provider is based overseas, the outsourcing provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the Agency, having the access described above. Should such restrictions subsequently be imposed, the licensee must communicate this fact to the Agency as soon as it becomes aware of the matter.
        4. The outsourcing provider must commit itself, in the outsourcing agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing provider.
        (d) Business continuity
        1. Licensees should ensure that service providers maintain, regularly review and test plans to ensure continuity in the provision of the outsourced service.
        2. Licensees should have an adequate understanding of the outsourcing provider's arrangements, to understand the implications for their own contingency arrangements (see section OM-2.6).
        (e) Termination
        1. Licensees must have the right to terminate the agreement should the outsourcing provider undergo a change of ownership (whether direct or indirect) that poses a potential conflict of interest; becomes insolvent; or goes into liquidation or administration.
        2. Termination under any other circumstances allowed under the agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.
        3. In the event of termination, for whatever reason, the agreement should provide for the return of all customer data — where required by licensees — or their destruction.

    • OM-2.6 Contingency planning

      • OM-2.6.1

        Licensees should maintain and regularly review contingency plans to enable them to set up alternative arrangements — with minimum disruption to business — should the outsourcing contract be suddenly terminated or the outsourcing provider fail. This may involve the identification of alternative outsourcing providers or the provision of the service in-house. These plans should consider how long the transition would take and what interim arrangements would apply.

      • OM-2.6.2

        See chapter OM-4 for further guidance on business continuity and contingency planning.

    • OM-2.7 Internal audit outsourcing

      • OM-2.7.1

        Because of the critical importance of an effective internal audit function to a licensee's control framework, all proposals to outsource internal audit operations are to be considered material.

      • OM-2.7.2

        The Agency will generally not permit licensees to outsource their internal audit function to the same firm that acts as their external auditors. However, the Agency may allow short-term outsourcing of internal audit operations to a licensee's external auditor, to meet unexpected urgent or short-term needs (for instance, on account of staff resignation or illness). Any such arrangement will normally be limited to a maximum of one year.

      • OM-2.7.3

        Licensees who have existing outsourcing arrangements in place with their external auditors relating to the provision of internal audit services are required to find suitable alternatives when the existing arrangements terminate or come up for renewal.

      • OM-2.7.4

        In all circumstances, the Board and management of licensees must retain responsibility for ensuring that an adequate internal audit programme is implemented, and will be held accountable in this respect by the Agency.

    • OM-2.8 Intra-group outsourcing

      • OM-2.8.1

        As with outsourcing to non-group companies, the Board and management of licensees are held ultimately responsible by the Agency for the adequacy of systems and controls in activities outsourced to group companies.

      • OM-2.8.2

        However, the degree of formality required — in terms of contractual agreements and control mechanisms — for outsourcing within a licensee's group is likely to be less, because of common management and enhanced knowledge of other group companies.

      • OM-2.8.3

        A licensee must formally notify the Agency at least 6 weeks before committing to a material intra-group outsourcing. The request must be made in writing to the licensee's normal supervisory contact, and must set out a summary of the proposed outsourcing, its rationale, and an analysis of its associated risks and proposed mitigating controls. The Agency will respond to the notification in the same manner and timescale as set in section OM-2.3 above.

      • OM-2.8.4

        The Agency expects, as a minimum, an agreed statement of the standard of service to be provided by the group provider, including a clear statement of responsibilities allocated between the group provider and licensee.

      • OM-2.8.5

        The Agency also expects a licensee's management to have addressed the issues of customer confidentiality, access to information and business continuity covered above (sections OM-2.5 and OM-2.4).