• C4-4.3 Outsourcing Risk

    • C4-4.3.1

      Category 4 investment firms must identify all material outsourcing contracts and ensure that the risks associated with such contracts are adequately controlled.

      Added: January 2022

    • C4-4.3.2

      Outsourcing means an arrangement whereby a third party performs on behalf of a licensee an activity that was previously undertaken by the licensee itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licensee).

      Added: January 2022

    • C4-4.3.3

      For purposes of C4-4.3.1, a contract is “material” where, if it failed in any way, it would pose significant risks to the on-going operations of a licensee, its reputation and/or the quality of service provided to its clients. For instance, the outsourcing of all or a substantial part of functions such as financial control, risk management or internal audit would be considered “material”. Management should carefully consider whether a proposed outsourcing arrangement falls under this Module’s definition of “material”. If in doubt, management should consult with the CBB.

      Added: January 2022

    • C4-4.3.4

      Category 4 investment firms must retain ultimate responsibility for functions or activities that are outsourced. In particular, licensees must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.

      Added: January 2022

    • C4-4.3.5

      Category 4 investment firms must seek the CBB’s prior written approval before committing to a new material outsourcing arrangement in accordance with Paragraph C4-2.1.10. The approval request must contain sufficient detail to demonstrate that relevant issues raised in this Chapter have been addressed.

      Added: January 2022

    • C4-4.3.6

      Category 4 investment firms must immediately inform the CBB of any material problems encountered with an outsourcing provider.

      Added: January 2022

    • C4-4.3.7

      The CBB reserves the right to require a licensee to terminate or make alternative outsourcing arrangements if, among other reasons, the confidentiality of its customer information was, or is likely to be, breached or the ability of the CBB to carry out its supervisory functions in view of the outsourcing arrangement cannot be assured or executed.

      Added: January 2022

    • C4-4.3.8

      The CBB requires ongoing access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.

      Added: January 2022

    • Risk Assessment

      • C4-4.3.9

        Category 4 investment firms must undertake a thorough risk assessment of an outsourcing proposal, before formally submitting the request for approval to the CBB and committing themselves to an agreement.

        Added: January 2022

      • C4-4.3.10

        Before entering into, or significantly changing, an outsourcing arrangement, a licensee should:

        (a) Analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
        (b) Consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
        (c) Conduct appropriate due diligence of the service provider’s financial stability and expertise;
        (d) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract);
        (e) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms; and
        (f) Analyse the outsourcing provider’s financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk.

        Added: January 2022

      • C4-4.3.11

        In negotiating its contract with a service provider, a licensee should have regard to:

        (a) Reporting or notification requirements it may wish to impose on the service provider;
        (b) Whether sufficient access will be available to its internal auditors, external auditors and to the CBB;
        (c) Information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
        (d) The adequacy of any guarantees and indemnities;
        (e) The extent to which the service provider must comply with the licensee’s policies and procedures (covering, for example, information security);
        (f) The extent to which a service provider will provide business continuity for outsourcing operations;
        (g) The processes for making changes to the outsourcing arrangement and the conditions under which the licensee or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
            (i) A change of ownership or control (including insolvency or receivership) of the service provider or firm;
            (ii) Significant change in the business operations (including sub-contracting) of the service provider or firm; or
            (iii) Inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.

        Added: January 2022

      • C4-4.3.12

        Category 4 investment firms must maintain and regularly review contingency plans to enable them to set up alternative arrangements with minimum disruption to business should the outsourcing contract be terminated, or the outsourcing provider fail. This may involve the identification of alternative outsourcing providers or the provision of the service in-house. These plans must consider how long the transition would take and what interim arrangements would apply.

        Added: January 2022

      • C4-4.3.13

        All material outsourcing arrangements by a Category 4 investment firm must be the subject of a legally enforceable outsourcing agreement. The contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. Where the outsourcing provider interacts directly with a licensee’s customers, the contract must, where relevant, reflect the licensee’s own standards regarding client care. Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider, and the on-going impact of the agreement on their risk profile and systems and controls framework.

        Added: January 2022

      • C4-4.3.14

        Category 4 investment firms must ensure that the outsourcing arrangement is in compliance with the Personal Data Protection Law (PDPL) and the outsourcing provider implements adequate safeguards and procedures to protect client data confidentiality. Category 4 investment firms must ensure that they retain title under any outsourcing agreements for data, information and records that form part of the prudential records of the licensee.

        Added: January 2022

      • C4-4.3.15

        Category 4 investment firms must ensure that their internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.

        Added: January 2022

      • C4-4.3.16

        Category 4 investment firms must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information they may reasonably require to fulfil its responsibilities under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing provider, if required.

        Added: January 2022

      • C4-4.3.17

        Termination under any other circumstances allowed under the agreement must give Category 4 investment firms a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.

        Added: January 2022

    • Outsourcing Controls

    • Internal Audit Outsourcing

      • C4-4.3.18

        Category 4 investment firms must not outsource their internal audit function to the same firm that acts as their external auditors.

        Added: January 2022

      • C4-4.3.19

        Board and management of licensees must retain responsibility for ensuring that an adequate internal audit programme is implemented, and will be held accountable in this respect by the CBB.

        Added: January 2022