• GR-9.1 GR-9.1 Outsourcing Risk

    • GR-9.1.1

      Licensees must identify all material outsourcing contracts and ensure that the risks associated with such contracts are adequately controlled. In particular, licensees must comply with the specific requirements set out in this Chapter.

      May 2011

    • GR-9.1.2

      Outsourcing means an arrangement whereby a third party performs on behalf of a licensee an activity that was previously undertaken by the licensee itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

      Amended: October 2017
      May 2011

    • GR-9.1.3

      For purposes of GR-9.1.1, a contract is 'material' where, if it failed in any way, it would pose significant risks to the on-going operations of a licensee, its reputation and/or the quality of service provided to its customers. For instance, the outsourcing of all or a substantial part of functions such as customer sales and relationship management, settlements and processing, IT and data processing and financial control, would normally be considered "material". Management should carefully consider whether a proposed outsourcing arrangement falls under this Chapter's definition of "material". If in doubt, management should consult with the CBB.

      May 2011

    • GR-9.1.3A

      For outsourcing services that are not considered material outsourcing arrangements, licenses must submit a written notification to the CBB before committing to the new outsourcing arrangement.

      Added: October 2017

    • GR-9.1.4

      Licensees must retain ultimate responsibility for functions or activities that are outsourced. In particular, licensees must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.

      May 2011

    • GR-9.1.5

      Licensees must not contract out their regulatory obligations and must take reasonable care to supervise the discharge of outsourced functions, if any.

      May 2011