• OM-2.5 Outsourcing agreement

    • OM-2.5.1

      The activities to be outsourced and respective contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. This agreement must — amongst other things — address the following points:

      (a) Control over outsourced activities
      1. The Board and management of licensees are held ultimately responsible by the Agency for the adequacy of systems and controls in outsourced activities. Licensees must therefore ensure that they have adequate mechanisms for monitoring the performance of, and managing the relationship with, the outsourcing provider.
      2. A service level agreement ("SLA") — setting out the standards of service to be provided — must form part of the outsourcing agreement. Where the outsourcing provider interacts directly with a licensee's customers, the SLA should — where relevant — reflect the licensee's own standards regarding customer care.
      3. Mechanisms for the regular monitoring by licensees of performance against the SLA and other targets, and for implementing remedies in case of any shortfalls, should also form part of the agreement.
      4. Clear reporting and escalation mechanisms should be specified in the agreement.
      5. Where an outsourcing provider in turn decides to sub-contract to other providers, the original provider must remain contractually liable to the licensee for the quality and level of service agreed, and its obligations to the licensee must remain unchanged.
      (b) Customer data confidentiality
      1. Licensees should ensure that outsourcing agreements comply with all applicable legal requirements regarding customer confidentiality.
      2. Licensees should ensure that the outsourcing provider implements adequate safeguards and procedures. Amongst other things, customer data should be properly segregated from those belonging to other clients the outsourcing provider may have. Outsourcing providers should give suitable undertakings that the company and its staff will comply with all applicable confidentiality rules. Licensees should have contractual rights to take action against the service provider in the event of a breach of confidentiality.
      3. Licensees should assess the impact of using an overseas-based outsourcing provider on their ability to maintain customer data confidentiality, for instance, because of the powers of local authorities to access such data.
      (c) Access to information
      1. Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information they may require to fulfill their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.
      2. Licensees must also ensure that the Agency has timely access to any relevant information it may reasonably require under the law. Such access must allow the Agency to conduct on-site examinations of the outsourcing provider, if required.
      3. Where the outsourcing provider is based overseas, the outsourcing provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the Agency, having the access described above. Should such restrictions subsequently be imposed, the licensee must communicate this fact to the Agency as soon as it becomes aware of the matter.
      4. The outsourcing provider must commit itself, in the outsourcing agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing provider.
      (d) Business continuity
      1. Licensees should ensure that service providers maintain, regularly review and test plans to ensure continuity in the provision of the outsourced service.
      2. Licensees should have an adequate understanding of the outsourcing provider's arrangements, to understand the implications for their own contingency arrangements (see section OM-2.6).
      (e) Termination
      1. Licensees must have the right to terminate the agreement should the outsourcing provider undergo a change of ownership (whether direct or indirect) that poses a potential conflict of interest; becomes insolvent; or goes into liquidation or administration.
      2. Termination under any other circumstances allowed under the agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.
      3. In the event of termination, for whatever reason, the agreement should provide for the return of all customer data — where required by licensees — or their destruction.