The International Organization of Securities Commissions (IOSCO) has published an updated set of Principles on Outsourcing for regulated market participants in the securities markets. The updated Principles are based on IOSCO’s 2005 Outsourcing Principles for Market Intermediaries and 2009 Outsourcing Principles for Markets. However, the updated Principles will also apply to trading venues, market intermediaries, market participants acting on a proprietary basis, and credit rating agencies. Financial market infrastructures may also choose to consider their application, although the Principles are not addressed to those entities.
The updated Principles on Outsourcing comprise fundamental precepts and seven principles. The fundamental precepts cover scope, definition of outsourcing, responsibility for outsourcing, potential risks and challenges, assessments of materiality and criticality, the application of the Principles to affiliates, the treatment of sub-contracting, outsourcing on a cross-border basis and concentration of outsourcing tasks. The revised Principles are:
- A regulated entity should conduct suitable due diligence processes in selecting an appropriate service provider and in monitoring its ongoing performance.
- A regulated entity should enter a legally binding written contract with each service provider, the nature and detail of which should be appropriate to the materiality or criticality of the outsourced task to the business of the regulated entity.
- A regulated entity should take appropriate steps to ensure both the regulated entity and any service provider establish procedures and controls to protect the regulated entity’s proprietary and client-related information and software and to ensure a continuity of service to the regulated entity, including a plan for disaster recovery with periodic testing of backup facilities.
- A regulated entity should take appropriate steps to ensure that service providers protect confidential information and data related to the regulated entity and its clients, from intentional or inadvertent unauthorized disclosure to third parties.
- A regulated entity should be aware of the risks posed, and should manage them effectively, where it is dependent on a single service provider for material or critical outsourced tasks or where it is aware that one service provider provides material or critical outsourcing services to multiple regulated entities including itself.
- A regulated entity should take appropriate steps to ensure that its regulator, its auditors and itself can obtain promptly, upon request, information concerning outsourced tasks that is relevant to contractual compliance and/or regulatory oversight including, as necessary, access to the data, IT systems, premises and personnel of service providers relating to the outsourced tasks.
- A regulated entity should include written provisions relating to the termination of outsourced tasks in its contract with service providers and ensure that it maintains appropriate exit strategies.