• Risk Assessment

    • C4-4.3.9

      Category 4 investment firms must undertake a thorough risk assessment of an outsourcing proposal before formally submitting the request for approval to the CBB and committing themselves to an agreement.

      Added: January 2022

    • C4-4.3.10

      Before entering into, or significantly changing, an outsourcing arrangement, a licensee should:

      (a) Analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
      (b) Consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
      (c) Conduct appropriate due diligence of the service provider’s financial stability and expertise;
      (d) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract);
      (e) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms; and
      (f) Analyse the outsourcing provider’s financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk.

      Added: January 2022

    • C4-4.3.11

      In negotiating its contract with a service provider, a licensee should have regard to:

      (a) Reporting or notification requirements it may wish to impose on the service provider;
      (b) Whether sufficient access will be available to its internal auditors, external auditors and to the CBB;
      (c) Information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
      (d) The adequacy of any guarantees and indemnities;
      (e) The extent to which the service provider must comply with the licensee’s policies and procedures (covering, for example, information security);
      (f) The extent to which a service provider will provide business continuity for outsourcing operations;
      (g) The processes for making changes to the outsourcing arrangement and the conditions under which the licensee or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
          (i) A change of ownership or control (including insolvency or receivership) of the service provider or firm;
          (ii) Significant change in the business operations (including sub-contracting) of the service provider or firm; or
          (iii) Inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.

      Added: January 2022

    • C4-4.3.12

      Category 4 investment firms must maintain and regularly review contingency plans to enable them to set up alternative arrangements with minimum disruption to business should the outsourcing contract be terminated, or the outsourcing provider fail. This may involve the identification of alternative outsourcing providers or the provision of the service in-house. These plans must consider how long the transition would take and what interim arrangements would apply.

      Added: January 2022

    • C4-4.3.13

      All material outsourcing arrangements by a category 4 investment firm must be the subject of a legally enforceable outsourcing agreement. The contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. Where the outsourcing provider interacts directly with a licensee’s customers, the contract must, where relevant, reflect the licensee’s own standards regarding client care. Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider, and the on-going impact of the agreement on their risk profile and systems and controls framework.

      Added: January 2022

    • C4-4.3.14

      Category 4 investment firms must ensure that the outsourcing arrangement is in compliance with the Personal Data Protection Law (PDPL) and that the outsourcing provider implements adequate safeguards and procedures to protect client data confidentiality. Category 4 investment firms must ensure that they retain title under any outsourcing agreements for data, information and records that form part of the prudential records of the licensee.

      Added: January 2022

    • C4-4.3.15

      Category 4 investment firms must ensure that their internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.

      Added: January 2022

    • C4-4.3.16

      Category 4 investment firms must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information they may reasonably require to fulfil their responsibilities under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing provider, if required.

      Added: January 2022

    • C4-4.3.17

      Termination under any other circumstances allowed under the agreement must give category 4 investment firms a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.

      Added: January 2022