OM-2.2 OM-2.2 Supervisory approach
The Agency recognises the benefits that can potentially be achieved through outsourcing an activity to a third party provider. They can include reduced costs, enhanced service quality and a reduction in management time spent on non-core activities. However, outsourcing an activity also poses potential risks. These include the ability of the service provider to maintain service quality levels, reduced control over the activity and access to relevant information, and increased legal and client confidentiality risks.
The Agency's approach is to allow licensees the freedom to enter into outsourcing arrangements, providing these have been properly structured and associated risks addressed. The Agency requires prior approval to be sought by licensees wishing to outsource material activities, to give the Agency the opportunity to verify that the proposed arrangements are adequate.
The Agency expects licensees to have undertaken a thorough assessment of a proposal before formally submitting a notification to the Agency. However, the Agency is also willing to discuss ideas informally at an early stage of development, on a 'no-commitment' basis. It especially encourages an early approach when the proposed outsourcing is particularly material or innovative.
Once an outsourcing arrangement has been implemented, the Agency requires a licensee to continue to monitor the associated risks and the effectiveness of its mitigating controls. It will verify this through the course of its normal on-site and off-site supervisory processes, such as prudential meetings and on-site examinations. The Agency also requires access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.
Fundamental to the Agency's supervisory approach to outsourcing is that the Board and management of the licensee may not abdicate their responsibility for a licensee's business and the way its customers are treated. The Board and management remain ultimately responsible for the effectiveness of systems and controls in outsourced activities.