OSC Staff Notice: 11-735 - IOSCO and International Joint Forum Publish Reports on Outsourcing of Financial Services for Public Comment

OSC STAFF NOTICE 11-735

IOSCO AND INTERNATIONAL JOINT FORUM PUBLISH REPORTS ON OUTSOURCING OF FINANCIAL SERVICES FOR PUBLIC COMMENT

On August 2, 2004, Standing Committee 3 of the International Organization of Securities Commissions (IOSCO) published for public comment a Consultation Report, Principles on Outsourcing of Financial Services for Market Intermediaries. The Consultation Report proposes a set of principles designed to assist regulated entities in determining the steps they should take when considering outsourcing activities. The Consultation Report also contains some principles to assist securities regulators in addressing outsourcing in their regular risk reviews of firms.

A copy of the Consultation Report is reproduced in the OSC Bulletin following this Notice and has been posted on the IOSCO website at www.iosco.org (Public Document No. 171) and on the Ontario Securities Commission's website at www.osc.gov.on.ca (International Affairs -- Current Consultations). The public is invited to submit comments on this Consultation Report by September 20, 2004 to [email protected]. Please include in the email subject line "Public Comment on Principles on Outsourcing of Financial Services for Market Intermediaries". Additional instructions on how to submit comments by email, fax or mail are included in the Consultation Report.

We encourage the Canadian investment industry to provide comments. The Commission, and some members of IOSCO Standing Committee 3, will also be surveying industry participants in their respective jurisdictions for factual information regarding current outsourcing practices. The form of the survey is also available on the IOSCO website (Public Document No. 171).

The Consultation Report will be revised and finalized after consideration of all comments received from the public and all information gathered through the surveys conducted by IOSCO members.

On August 2, 2004, the International Joint Forum{1} also released for public consultation its report on Outsourcing in Financial Services. This report, which proposes high level principles aimed collectively at the banking, insurance and securities sectors, was prepared in coordination with IOSCO's Consultation Report focusing on outsourcing in the securities sector. The public is invited to submit comments on this report by September 20, 2004 to [email protected]. Please include in the subject line "Public Comment on Outsourcing in Financial Services".

The International Joint Forum's report has been posted on IOSCO's website at www.iosco.org (Public Document No. 172) and the Commission's website at www.osc.gov.on.ca (International Affairs -- Current Consultations). The Commission is a member both of IOSCO Standing Committee 3 and the International Joint Forum.

The report can also be found via the website of the Office of the Superintendent of Financial Institutions (OSFI) (www.osfi-bsif.gc.ca). OSFI notes that the principles are consistent with Guideline B-10, Outsourcing of Business Activities, Functions and Processes. OSFI is a member of the International Joint Forum. A notice that this document is available for comments has been posted on its website under "consultation Papers".

The International Joint Forum and IOSCO will continue to work together to achieve an appropriate level of consistency across their reports and principles. Furthermore, IOSCO SC3 is also in the process of consulting both with emerging market regulators through the IOSCO Emerging Markets Committee's Working Group on Financial Intermediaries and with self-regulatory organizations (SROs) through IOSCO's SRO Consultative Committee.

More information about IOSCO, the International Joint Forum and the Commission's participation in these organizations can be found on the Commission's website at www.osc.gov.on.ca (International Affairs -- Who's Who).

Questions may be referred to:

Randee Pavalow
Director
Capital Markets
Ontario Securities Commission
(416) 593-8257
 
Antoinette Leung
Senior Accountant
Market Regulation, Capital Markets
Ontario Securities Commission
(416) 595-8901

Principles On Outsourcing Of Financial Services For Market Intermediaries

A Consultation Report

of the International Organization of Securities Commissions

Standing Committee 3

on

Market Intermediaries

August 2004

This report is for public consultation purposes only and it has not been approved by the IOSCO Technical Committee or any of its member securities commissions. Any final report will be submitted to the IOSCO Technical Committee for approval at the conclusion of the consultation process.

Preamble

The IOSCO Technical Committee Standing Committee 3 on Market Intermediaries has published for public consultation this Consultation Report on Principles on Outsourcing of Financial Services for Market Intermediaries. The Consultation Report sets out a set of principles that are designed to assist regulated entities in determining the steps they should take when considering outsourcing activities. The Consultation Report also contains some broad principles to assist securities regulators in addressing outsourcing in their regular risk reviews of firms. Some members of IOSCO's Standing Committee on Market Intermediaries will be surveying industry participants in their respective jurisdictions for information regarding current outsourcing practices. The Consultation Report will be revised and finalized after consideration of all comments received from the public and all information gathered through the surveys conducted by IOSCO members. The form of the survey also is available on the IOSCO website. After the consultation process, the IOSCO Technical Committee's Standing Committee on Market Intermediaries will submit a final report on Principles on Outsourcing of Financial Services for Market Intermediaries to the IOSCO Technical Committee for approval.

How to Submit Comments

Comments may be submitted by one of three methods. To help us process and review your comments more efficiently, please use only one method.

Important: All comments may be made available to the public unless the respondent requests that they be kept confidential.

    1. E-mail

      • Send comments to [email protected].

      • The subject line of your message must indicate "Public Comment on Principles on Outsourcing of Financial Services for Market Intermediaries."

      • If you attach a document, indicate the software used (e.g., WordPerfect, Microsoft WORD, ASCII text, etc.) to create the attachment.

      • DO NOT submit attachments as HTML, PDF, GIF, TIFF, PIF, ZIP, or EXE files.

OR

    2. Facsimile Transmission

    Send by facsimile transmission using the following fax number: 34 (91) 555 93 68.

OR

    3. Paper

    Send 3 copies of your paper comment letter to:

    Philippe Richard
    IOSCO Secretary General
    Oquendo 12
    28006 Madrid
    Spain

    Your comment letter should indicate prominently that it is a "Public Comment on Principles on Outsourcing of Financial Services for Market Intermediaries."

IOSCO STANDING COMMITTEE 3

Consultation Report on Principles on Outsourcing{1} of Financial Services for Market Intermediaries

I. Introduction

The volume of activities that regulated market intermediaries ("outsourcing firms" or "firms") outsource to third party service providers ("service providers") continues to increase. For purposes of this paper, "outsourcing" is defined as an event in which a regulated outsourcing firm contracts with a service provider for the performance of any aspect of the outsourcing firm's regulated or unregulated functions that could otherwise be undertaken by the entity itself.{1} It is intended to include only those services that were or can be delivered by internal staff and management.{2} As discussed in Section II, the service provider may be a related party within a corporate group, or an unrelated outside entity. The service provider may itself either be regulated (whether or not by the same regulator with authority over the outsourcing entity), or may be an unregulated entity.{3}

The utilization of outsourcing by the financial services industry can provide a number of substantial benefits. For example, it may permit financial firms to obtain necessary expertise at a lower cost than might be possible by hiring internal staff, and permits firms to focus on their core business. By lowering costs, outsourcing may also permit smaller firms and start-up companies to break into the market and increase market competition.

Outsourcing also poses a number of challenges, however, both for financial firms that choose to undertake such a strategy, and for the regulators of such firms. With respect to the financial firm, transferring a function to a third party may have a detrimental impact on the firm's understanding of how the function is performed, with a consequent loss of control. The lack of control over a firm's proprietary and customer-related information and software may also hinder the ability of an outsourcing firm to maintain its proprietary and customer-related information and software, and may also impact on the confidentiality of customer records. There is the potential that the inappropriate selection of a service provider may lead to a business disruption, with negative consequences for the outsourcing firm's customers, and, in certain instances, the potential for systemic risk to the market as a whole.

Principle 23 of the Objectives and Principles for Securities Regulation requires that the issues identified above be addressed because it states that "Market intermediaries should be required to comply with standards for internal organizations and operational conduct that aim to protect the interests of clients, ensure proper management of risk, and under which management of the intermediary accepts primary responsibility for these matters". The Objectives and Principles also note that "Effective policies and operational procedures and controls in relation to the firm's day-to-day business operations should be established." See id. at §12.5.

Outsourcing poses important challenges to the integrity and effectiveness of financial services regulatory systems. First, where outsourcing takes place by regulated entities, a firm's control over the people and processes dealing with the outsourced function will decrease. Nonetheless, regulators require that the outsourcing firm, including its board of directors and senior management, remain fully responsible (towards clients and regulatory authorities) for the outsourced function as if the service were being performed in house.{4} In some jurisdictions, as discussed below, regulators impose restrictions on the outsourcing of certain functions where they believe the outsourcing introduces an unacceptable risk or it is so intrinsic to the function of an intermediary. Second, regulators expect that they will have complete access to books and records concerning an outsourcing firm's activities, even if such documents are in the custody of the firm's service provider. Regulators must also take account of possible operational and systemic risks that may exist in the event that multiple regulated entities use a common service provider.

II. Fundamental Precepts

    A. Materiality of Outsourcing

The following Principles set out the regulators' expectations for outsourcing firms. These principles should be applied according to the degree of materiality of the business activity. Even where the activity is not material, the outsourcing firm should consider the appropriateness of applying the principles.

For areas of business activity that are not restricted by the regulator, the outsourcing firm should develop a process for determining the materiality of outsourcing arrangements. The assessment of what is material is often a subjective one and depends on the circumstances of the particular outsourcing firm. Factors to be considered include, but are not limited to:

    • Financial impact on the outsourcing firm of the failure of a service provider to perform,

    • Reputation impact on the outsourcing firm of the failure of a service provider to perform,

    • Operational impact on the outsourcing firm of the failure of a service provider to perform,

    • Potential impact of outsourcing on the provision of adequate services to an outsourcing firm's customers,

    • Potential losses to an outsourcing firm's customers on the failure of a service provider to perform,

    • Impact of outsourcing the activity on the ability and capacity of the outsourcing firm to conform with regulatory requirements and changes in requirements,

    • Cost,

    • Affiliation or other relationship between the outsourcing firm and the service provider,

    • Regulatory status of the service provider; and

    • Degree of difficulty and time required to select an alternative service provider or to bring the business activity in-house, if necessary.

    B. Accountability and Scope of Outsourcing

The outsourcing firm, its management and its governing authority retain full legal liability and accountability to the regulator for any and all functions that the firm may outsource to a service provider to the same extent as if the service were provided in-house. In this regard, the relevant regulator may impose sanctions and penalties on regulated entities in its jurisdiction for violations of statutory and regulatory requirements that resulted in whole or in part from the failure of a service provider (whether licensed or unlicensed) to perform its contractual obligations for the outsourcing firm.

Accordingly, management and the governing authority of the outsourcing firm should develop and implement appropriate policies designed to achieve satisfaction of these Outsourcing Principles, periodically review the effectiveness of those policies, and address outsourcing risks in an effective and timely manner. Outsourcing firms should also be aware of and comply with local mechanisms that may have been put in place to implement these Principles. Such mechanisms may take the form of government regulation, regulations imposed by non-government statutory regulators, industry codes or practices, or some combination of these items. Whatever level of outsourcing is utilized, outsourcing firms remain responsible for conducting due diligence (see topic 1).

The outsourcing firm must retain the competence and ability to be able to ensure that the firm complies with all regulatory requirements. Accordingly, with respect to the outsourcing of key regulated functions, such as risk management, both firms and regulators will need to consider how and whether such functions may be outsourced consistent with this expectation. Moreover, outsourcing must not be permitted to impair the regulator's ability to exercise its statutory responsibilities, such as the proper supervision and audit of the firm.

Regulators should also consider the implications that the use of unlicensed service providers may have on the regulator's ability to supervise properly securities activities in their jurisdiction. Such concerns may be heightened in instances where the outsourcing firm delegates to the service provider the authority to act in the name of the outsourcing firm.

    C. Outsourcing to Affiliates

While the Outsourcing Principles apply regardless of whether such outsourcing is performed by an affiliated entity of a corporate group or by an entity that is external to the corporate group, the risks associated with outsourcing activities to an affiliated entity within a corporate group may be different than those encountered in outsourcing to an unaffiliated external service provider. In certain cases, risks may not be as pronounced within an affiliated group. For example, there may be an ability by the outsourcing firm to control the actions of the service provider, and the outsourcing firm may have a high familiarity with the service provider's business attributes. Such factors might reduce the risks involved in outsourcing. However, intra-group outsourcing may be less than an arm's-length relationship, and the outsourcing firm (and its customers) may have different interests than the affiliated service-provider. Moreover, in some cases, the intra-group relationship may as a practical matter restrict the outsourcing firm's ability to control the service provider. These factors may increase the potential risk in certain instances. Accordingly, while it is necessary to apply the Outsourcing Principles to affiliated entities, it may be appropriate to adopt them with some modification.

    D. Outsourcing on a Cross-Border Basis

The Outsourcing Principles apply to functions that are outsourced within the jurisdiction in which the outsourcing firm maintains a presence, as well as on a cross-border basis. However, with respect to outsourcing on a cross-border basis, there may be additional concerns that are raised which may not necessarily be present with respect to cases where the service provider is in the same jurisdiction as that of the outsourcing firm. For example, in the event of an emergency, it may be more difficult to monitor and control the function that was outsourced, or to implement appropriate responses in a timely fashion. Moreover, the use of a foreign service provider may necessitate an analysis of the economic, social or political conditions that might adversely impact the service provider's ability to perform effectively for the outsourcing firm.

In light of these concerns, outsourcing on a cross-border basis may raise additional issues that should be addressed during the due diligence process (see topic 1), as well as during the implementation of a contract with a foreign service provider (see topic 2). Special consideration and procedures may be necessary with respect to other issues relating to the use of a foreign service provider -- for example, as discussed in topic 7, there may be particular concerns with the provision of books and records maintained in a foreign jurisdiction, as well as issues relating to the translation of such books and records.

III. Outsourcing Principles

Topic 1: Due diligence in selection and monitoring of service provider and service provider's performance

    Principle: An outsourcing firm should conduct suitable due diligence processes in selecting an appropriate third party service provider and in monitoring its ongoing performance.

It is important that outsourcing firms exercise due care, skill, and diligence in the selection of third party service providers, so that they can be satisfied that the third party service provider has the ability and capacity to undertake the provision of the service effectively.

The outsourcing firm should also establish appropriate processes and procedures for monitoring the performance of the third party service provider. In determining the appropriate level of monitoring processes and procedures, the outsourcing firm should consider the materiality of the outsourced activity to the ongoing business of the outsourcing firm and its regulatory obligations, as discussed in the introduction to these Principles.

    Means for Implementation

It is expected that outsourcing firms will implement appropriate means, such as the following, for ensuring that they select suitable service providers and that service providers are appropriately monitored, having regard to the services they provide:

    • Documenting processes and procedures that enable the outsourcing firm to assess, prior to selection, the third party service provider's ability and capacity to perform the outsourced activities effectively, reliably, and to a high standard, including the service provider's technical, financial and human resources capacity, together with any potential risk factors associated with using a particular service provider.

    • Documenting processes and procedures that enable the outsourcing firm to monitor the third party service provider's performance and compliance with its contractual obligations, including processes and procedures that:

      • Clearly define metrics that will measure the service level, and specify what service levels are required; and

      • Establish measures to identify and report instances of non-compliance or unsatisfactory performance to the outsourcing firm as well as the ability to assess the quality of services performed by the service provider on a regular basis (see also topic 2).

    • Implementing processes and procedures designed to help ensure that the service provider is in compliance with applicable laws and regulatory requirements in its jurisdiction, and that where there is a failure to perform duties required by statute or regulations, the outsourcing firm, to the extent required by law or regulation, reports the failure to its regulator and/or SRO and takes corrective actions.{5} For example, procedures may include:

      • The use of service delivery reports and the use of internal and external auditors to monitor, assess, and report to the outsourcing firm on performance.

      • The use of written service level agreements or the inclusion of specific service level provisions in contracts for service to achieve clarity of performance targets and measurements for third party service providers.

    • With respect to outsourcing on a cross-border basis, in determining whether the use of a foreign service provider is appropriate, the outsourcing firm may, with respect to a function that is material to the firm, need to conduct enhanced due diligence that focuses on special compliance risks, including the ability to effectively monitor the foreign service provider, and the ability to execute contingency plans and exit strategies where the service is being performed on a cross-border basis.

Topic 2: The contract with a service provider

    Principle: There should be a legally binding written contract between the outsourcing firm and each third party service provider, the nature and detail of which should be appropriate to the materiality of the outsourced activity to the ongoing business of the outsourcing firm.

A legally binding written contract between an outsourcing firm and a service provider is an important management tool and appropriate contractual provisions can reduce the risks of non-performance or disagreements regarding the scope, nature, and quality of the service to be provided. A written contract will help facilitate the monitoring of the outsourced activities by the outsourcing firm and/or by securities regulators.

The level of detail of the contents of the written contract should reflect the level of monitoring, assessment, inspection and auditing required, as well as the risks, size and complexity of the outsourced services involved.

    Means for Implementation

Outsourcing firms are expected to have a written, legally binding contract, appropriate to the materiality of the outsourced activity to the ongoing business of the firm, between the outsourcing firm and the third party service provider. The contract may include, as applicable, provisions dealing with:

    • Limitations or conditions, if any, on the service provider's ability to sub-contract, and, to the extent subcontracting is permitted, obligations, if any, in connection therewith;

    • Client confidentiality (see also Topic 4);

    • Defining the responsibilities of the outsourcing firm and the responsibilities of the service provider and how such responsibilities will be monitored;

    • Responsibilities relating to IT security (see also Topic 3);

    • Payment arrangements;

    • Liability of the service provider to the outsourcing firm for unsatisfactory performance or other breach of the agreement;

    • Guarantees and indemnities;

    • Obligation of the service provider to provide, upon request, records, information and/or assistance concerning outsourced activities to the outsourcing firm, its auditors and/or its regulators (see Topic 7: Intermediary's and regulator's access to books and records, including rights of inspection);

    • Mechanisms to resolve disputes that might arise under the outsourcing arrangement;

    • Business continuity provisions (see topic 3);

    • With respect to outsourcing on a cross-border basis, choice of law provisions;

    • Termination of the contract, transfer of information and exit strategies (see also Topic 6: termination procedures).

Topic 3: Information Technology Security and Business Continuity at the Outsourcing Provider

    Principle: The outsourcing firm should take appropriate measures to determine that:

      (a) procedures are in place to protect the outsourcing firm's proprietary and customer-related information and software; and

      (b) its service providers establish and maintain emergency procedures and a plan for disaster recovery, with periodic testing of backup facilities.

Effective and reliable information technology systems are fundamental to the ongoing business of securities firms. The June 2001 IOSCO Internet Task Force Report confirms that a breakdown in information technology capacity that impairs access to markets can compromise the trading and the financial position of investors. Security breaches can undermine investors' privacy interests, and have a damaging effect on an outsourcing firm's reputation, which may ultimately cause a loss of market confidence and impact on the overall operational risk profile of the firm. Moreover, robust IT security is particularly important where details of client assets or the assets themselves might be vulnerable to unauthorized access. Accordingly, outsourcing firms should seek to ensure that service providers maintain appropriate IT security and, when appropriate, disaster recovery capabilities. As part of its reviews of these matters, an outsourcing firm should also take into account whether additional issues are raised when the outsourcing is performed on a cross-border basis.

    Means for Implementation

Outsourcing firms are expected to take appropriate steps to require, in appropriate cases based on the materiality of the function that is being outsourced, that service providers have in place a comprehensive IT security program. These steps may include:

    • Specification of the security requirements of automated systems used by the service provider, including the technical and organizational measures that will be taken to protect customer-related data. Appropriate care should be exercised to ensure that IT security protects the privacy of the outsourcing firm's customers as mandated by law.

    • Requirements that the service provider maintain appropriate measures to ensure security of both the outsourcing firm's software as well as any software developed by the service provider for the use of the outsourcing firm.

    • Specification of the rights of each party to change or require changes to security procedures and requirements and of the circumstances under which such changes might occur.

    • Provisions that address the service provider's emergency procedures and disaster recovery and contingency plans as well as any particular issues that may need to be addressed where the outsourcing firm is utilizing a foreign service provider. Where relevant, this may include the service provider's responsibility for backing up and otherwise protecting program and data files, as well as regulatory reporting.

    • Where appropriate, terms and conditions relevant to the use of subcontractors with respect to IT security, and appropriate steps to minimize the risks arising out of such subcontracting.

    • Where appropriate, requirement of testing by the service provider of critical systems and back-up facilities on a periodic basis in order to review the ability of the service providers to perform adequately even under unusual physical and/or market conditions at the outsourcing firm, the service provider, or both, and to determine whether sufficient capacity exists under all relevant conditions;

    • Requirement of disclosure by the service provider of breaches in security resulting in unauthorized intrusions (whether deliberate or accidental, and whether confirmed or not) that may affect the outsourcing firm or its customers, including a report of corrective action taken; and

    • Provisions in the outsourcing firm's own contingency plans that address circumstances in which one or more of its service providers fail to adequately perform their contractual obligations. Where relevant, this may include regulatory reporting.

Topic 4: Client Confidentiality Issues

    Principle: The outsourcing firm should take appropriate steps to require that service providers protect confidential information regarding the outsourcing firm's clients from intentional or inadvertent disclosure to unauthorized individuals.

Unauthorized disclosure of confidential customer information could have a number of negative consequences. Such unauthorized disclosure could result in the disclosure of private and sensitive information about individuals who have a reasonable expectation of privacy, and might also result in a material financial loss to a firm's customers. In addition to the potential harm to a firm's customers, an unauthorized disclosure could also result in the outsourcing firm having financial liability to its customers and/or its regulators, possibly affecting the firm's solvency. Where appropriate, regulators may choose to review the protections that are in place between the outsourcing firm and the service provider, and, in addition, may choose to review the measures that are in place between a service provider and its agents that may have an impact on the data and/or its use, so that there are no unauthorized disclosures among the various service providers.

    Means for Implementation

Regulated firms that engage in outsourcing are expected to take appropriate steps to confirm that confidential customer information is not misused or misappropriated. Such steps may include provisions in the contract with the service provider:

    • Prohibiting the service provider and its agents from using or disclosing the outsourcing firm's proprietary information or that of the firm's customers, except as necessary to provide the contracted services.

    • Where appropriate, including terms and conditions relevant to the use of subcontractors with respect to client confidentiality.

Outsourcing firms should consider whether it is appropriate to notify customers that customer data may be transmitted to a service provider, taking into account any regulatory or statutory provisions that may be applicable.

Regulators should seek to become aware of whether outsourcing firms within their jurisdiction are taking appropriate steps to monitor their relationships with service providers with respect to the protection of confidential customer information.

Topic 5: Concentration of Outsourcing Functions

    Principle: Regulators should be cognizant of the risks posed where one outsourcing service provider provides outsourcing services to multiple regulated entities.

Where multiple outsourcing firms use a common service provider, operational risks are correspondingly concentrated, and may pose a threat of systemic risk. For example, if the service provider suddenly and unexpectedly becomes unable to perform services that are critical to the business of a significant number of regulated outsourcing firms, each of the regulated entities will be similarly disabled. A latent flaw in the design of a product or service that multiple outsourcing firms rely upon -- e.g., computer software -- may affect all of those firms. A vulnerability in application software relied upon by multiple outsourcing firms may permit an intruder to disable or contaminate the systems or data of some or all of those entities. Alternatively, if multiple outsourcing firms depend upon the same provider of business continuity services (e.g., a common disaster recovery site), a disruption that affects a large number of those entities may result in a lack of capacity for the business continuity services. Each of these scenarios may result in follow-on effects on markets that depend on participation by the outsourcing firms, or on public confidence.

    Means for Implementation

Regulators should consider the following means for addressing concentration risk:

    • Taking steps, including, where appropriate, a monitoring program and/or a risk assessment methodology, to become aware of cases where significant proportions of their regulated entities rely upon a single outsourcing firm to provide critical functions. This may include the collection of routine information on outsourcing arrangements from outsourcing firms and/or service providers in the jurisdiction. In this regard, regulators should be cognizant of the potential that subcontracting of a particular function may result in concentration risk (where the concentration occurs at the subcontractor level).

    • Tailoring their examination programs or related activities in light of concentrations of outsourcing activity.

Where a regulator has identified a possible concentration risk issue, outsourcing firms should consider taking steps to ensure, to the degree practicable, that the service provider has adequate capacity to meet the needs of all outsourcing firms, both during normal operations and in unusual circumstances (e.g., unusual market activity, physical disaster, etc.).

Topic 6: Termination Procedures

    Principle: Outsourcing with third party service providers should include contractual provisions relating to termination of the contract and appropriate exit strategies.

Where an activity is outsourced, there is an increased risk that the continuity of the particular activity in terms of daily management and control of that activity, information and data, staff training, and knowledge management, is dependent on the service provider continuing in that role and performing that function. This risk needs to be managed by an agreement between the firm and the service provider taking into account factors such as when an arrangement can be terminated, what will occur on termination and strategies for managing the transfer of the activity back to the firm or to another party.

    Means for Implementation:

Outsourcing firms are expected to take appropriate steps to manage termination of outsourcing arrangements. These steps may include provisions in contracts with service providers such as the following:

    • Termination rights, e.g., in case of insolvency, liquidation or receivership, change in ownership, failure to comply with regulatory requirements, or poor performance;

    • Minimum periods before an announced termination can take effect to allow an orderly transition to another provider or to the firm itself, and to provide for the return of the third party's data, and any other resources;

    • The clear delineation of ownership of intellectual property following the contract's termination, and specifications relating to the transfer of information back to the outsourcing firm.

Topic 7: Regulator's and Intermediary's Access to Books and Records, Including Rights of Inspection

    Principle: The regulator, the outsourcing firm, and its auditors, should have access to the books and records of service providers relating to the outsourced activities and the regulator should be able to obtain promptly, upon request, other information concerning activities that are relevant to regulatory oversight.

As set forth in IOSCO Principle 12.7, the regulator should have the right to inspect books and records of regulated entities. Accordingly, regulators should be able, upon request, to obtain promptly any books and records pertaining to the regulated activity, irrespective of whether they are in the possession of the outsourcing firm or the third party service provider, and to obtain additional information concerning regulated activities performed by the service provider. A regulator's access to such books and records may be direct or indirect, though the outsourcing firm should always maintain direct access to such books and records. This may include a requirement that the books and records be maintained in the regulator's jurisdiction, or that the service provider agrees to send originals or copies of the books and records to the regulator's jurisdiction upon request. Moreover, in order to facilitate the regulator's access to books and records as well as to maintain orderly business operations of the outsourcing firms, arrangements between outsourcing firms and service providers should seek to ensure that the outsourcing firms have appropriate access to books and records and other information where it is in the custody of a third party.

    Means for Implementation:

Outsourcing firms are expected to take steps to ensure that they and their regulators have access to books and records of service providers concerning outsourced activities, and that their regulators have the right to obtain, upon request, other information concerning the outsourced activities. These steps may include the following:

    • Contractual provisions by which the outsourcing firm (including its auditor) has access to, and a right of inspection of, the service provider's books and records dealing with outsourced activities, and similar access to the books and records of any subcontractor. Where appropriate, these may include physical inspections at the premises of the service provider, delivery of books and records or copies of books and records to the outsourcing firm or its auditor, or inspections that utilize electronic technology (i.e., "virtual inspections").

    • Contractual provisions by which the service provider is required to make books, records, and other information about regulated activities by the service provider available to the regulator upon request and, in addition, to comply with any requirements in the outsourcing firm's jurisdiction to provide periodic reports to the regulator.

Regulators should consider implementation of appropriate measures designed to support access to books, records and information of the service provider about the performance of regulated activities. These measures may include:

    • Where appropriate, taking action against outsourcing firms for the failure to provide books and records required in that jurisdiction, without regard to whether the regulated entity has transferred possession of required books and records to one or more of its service providers.

    • Imposing specific requirements concerning access to books and records that are held by a service provider and which are necessary for the authority to perform its oversight and supervisory functions with respect to regulated entities in its jurisdiction. These may possibly include requiring that records be maintained in the regulator's jurisdiction, allowing for a right of inspection, or requiring that the service provider agree to send originals or copies of the books and records to the regulator's jurisdiction upon request.

    {1} The Basel Committee on Banking Supervision, the International Association of Insurance Supervisors and IOSCO established the Joint Forum in 1996. It focuses on issues of common interest to the three financial sectors. Because it brings together regulators from different financial sectors and countries, the International Joint Forum is particularly interested in: (1) identifying core regulatory principles that are common to all three sectors; (2) identifying differences in regulation across the sectors; (3) assessing the potential for these differences to lead to regulatory gaps, or regulatory arbitrage; and (4) examining the supervision of large, complex financial groups, such as financial services firms that operate in several sectors and countries.

     

    {1} In this paper, "outsourcing" is limited to the initial transfer of a function from a regulated entity to a service provider. Further transfers of a function (or a part of that function) from one third-party service provider to another are referred to herein as "subcontracting." In this connection, please note that in some jurisdictions, the initial outsourcing is also referred to as subcontracting.

     

    {2} The Federal Reserve Bank of New York incorporated this concept in the definition of outsourcing by stating that it should include only those services that were "previously delivered by internal staff and management." Thus, certain supply arrangements, such as the provision of electricity and water, while perhaps critical to the functioning of the financial services industry, are beyond the scope of "outsourcing" covered in this paper.

     

    {3} In a study published by the Federal Reserve Bank of New York, the authors found that initially, outsourcing in the financial services industry was limited to activities that were relatively tangential to the firm's primary business, such as payroll processing. In recent years, however, outsourced activities have included information technology, accounting, audit, electronic funds transfer, investment management and human resources. The most frequently outsourced activity, according to a survey of commercial institutions cited by the Federal Reserve Bank of New York, is some aspect of information technology (e.g., desktop support). Next in importance is business process outsourcing, such as human resource functions. See Outsourcing Financial Services Activities Industry Practices to Mitigate Risks, Federal Reserve Bank of New York, October 1999.

     

    {4} Id.

     

    {5} Such a requirement is consistent with regulations in many IOSCO jurisdictions requiring that a firm notify its regulator with respect to any breaches of law that may have occurred.