1 G u i d e l i n e s o n O u t s o u r c i n g P a g e 1 SUPERVISION GUIDELINE G10: GUIDELINES ON OUTSOURCING Issued To All Licensed Financial Institutions
2 G u i d e l i n e s o n O u t s o u r c i n g P a g e 2 1 AUTHORITY 1.1 Section 316(4) of the International Business Corporations Act (IBC Act) requires the Commission to take any necessary action required to ensure the integrity of the International Business Corporation sector. The International Business Corporations (Prudential Management of Licensed Corporations) Regulations, Statutory Instrument No. 9 of prescribe that a licensed corporation: shall carry out its business in a prudent manner in accordance with the industry standards and best practices and any Guidelines or directions issued by the Commission [regulation 4]. establish and implement policies, practices and procedures relating to identification, measurement, monitoring and control of credit risk, liquidity risk, interest rate risk, legal risks and operational risks [regulation 8(1) (g)]. shall be guided by such Guidelines or directions as the Commission may issue in relation to policies, practices and procedures of a licensed corporation [regulation 6]. 2 INTRODUCTION 2.1 While outsourcing can bring cost and other benefits, it may increase the risk profile of an institution due to, for example, strategic, reputation, compliance and operational risks arising from failure of a service provider in providing the service, breaches in security, or inability to comply with legal and regulatory requirements by the institution. An institution
3 G u i d e l i n e s o n O u t s o u r c i n g P a g e 3 can also be exposed to country risk when a service provider is located overseas and concentration risk when there is lack of control by a group of institutions over a common service provider. It is therefore important that an institution adopts a sound and responsive risk management framework in outsourcing. 2.2 These Guidelines on Outsourcing ( these Guidelines ) set out the Commission s expectations of an institution that has entered into outsourcing or is planning to outsource its business activities to a service provider. 3 APPLICATION OF GUIDELINES 3.1 These Guidelines contain prudent practices on risk management of outsourcing. These Guidelines do not affect, and should not be regarded as a statement of the standard of care owed by institutions to their customers. The extent and degree to which an institution implements these Guidelines should be commensurate with the nature of risks in, and materiality of, the outsourcing. In supervising an institution, the Commission will review its implementation of these Guidelines to assess the quality of its risk management systems. The Commission is particularly interested in material outsourcing which, if disrupted, has the potential to significantly impact an institution s business operations, reputation or profitability and which may have systemic implications. 3.2 Annex 1 provides examples of outsourcing to which these Guidelines are applicable, and arrangements that are generally not intended to be subject to these Guidelines. These are
4 G u i d e l i n e s o n O u t s o u r c i n g P a g e 4 only examples and are not meant to circumscribe the application of the Guidelines to arrangements that are not listed. Institutions should consider the materiality of outsourcing in applying the Guidelines. It should also not be misconstrued that activities and operations not listed as outsourcing need not be subject to adequate risk management and sound internal controls. 3.3 Annex 2 provides broad guidance to institutions in determining how the Guidelines apply to their outsourcing arrangements. Where outsourcing is material, the Commission expects the institution to apply all the risk management practices in paragraph 7 of these Guidelines to the arrangements. Any divergence from these Guidelines because of other risk mitigating factors or controls should be clearly documented. For nonmaterial outsourcing, an institution may adapt the practices accordingly for the arrangement. However, guidelines on the right of access to information on an institution at the service provider, at paragraphs 7.8 and 7.9, apply for all outsourcing, whether material or non-material. 3.4 An institution should notify the Commission when it is planning or has entered into material outsourcing, or plan to vary such outsourcing. The institution should expect to engage and demonstrate to the Commission their observance with these Guidelines. The Commission may require additional measures to be taken by an institution and other supervisory actions, depending on the potential impact of the outsourcing on the institution and the financial system, and also on the circumstances of the case. The
5 G u i d e l i n e s o n O u t s o u r c i n g P a g e 5 Commission may also directly communicate with the home and/or host regulator of the institution and its service provider, on their ability and willingness to cooperate with the Commission in supervising the outsourcing risks to the institution. 3.5 A self-assessment should be conducted of all existing outsourcing arrangements against these Guidelines. Where the outsourcing is material and has not been notified to the Commission, the institution should do so in writing, within two months from the date of issue of these Guidelines. Every institution is also expected to rectify the deficiencies identified in the self-assessment no later than one year from the date of issue of the Guidelines. Where the rectification concerns an existing contractual agreement, it can be made when the agreements are substantially amended, renewed or extended, whichever is earliest. Nevertheless, if a deficiency identified from the self-assessment process is significant, the Commission expects an institution to have in place measures to mitigate the risks in the interim. 3.6 The Commission should also be notified of any adverse development arising in outsourcing that could significantly affect the institution, including any events that could potentially lead to the termination and early exit of the arrangement. Any breach of legal and regulatory requirements by the service provider should also be notified to the Commission.
6 G u i d e l i n e s o n O u t s o u r c i n g P a g e Notwithstanding paragraph 3.4, the Commission may require an institution to modify, make alternative arrangements or re-integrate an outsourcing into the institution where:- an institution fails or is unable to implement adequate measures to address the risks and deficiencies arising in its outsourcing in a satisfactory and timely manner; adverse developments arise from the outsourcing that could significantly affect an institution; or The Commission s supervisory powers and ability to carry out its supervisory functions are hindered. 3.8 Licensed institutions are expected to also consider the impact of outsourcing arrangements on its offices and any corporation under its control, including those located overseas, on its consolidated operations. The Commission expects such an institution to ensure these Guidelines are applied to its offices and corporations under its control. 4 DEFINITIONS 4.1 In these Guidelines, unless the context otherwise requires: board or board of directors means the board of directors. institution means any institution licensed under the International Business Corporation Act Cap 2000 As Amended.
7 G u i d e l i n e s o n O u t s o u r c i n g P a g e 7 outsourcing according to the Basel Committee On Banking Supervision occurs when a regulated entity uses a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future. Outsourcing can be the initial transfer of an activity (or a part of that activity) from a regulated entity to a third party or the further transfer of an activity (or a part thereof) from one third-party service provider to another, sometimes referred to as subcontracting. In some cases, the initial outsourcing is also referred to as subcontracting. material outsourcing means an outsourcing arrangement which, if disrupted, has the potential to significantly impact an institution s business operations, reputation or profitability; service provider, includes a member of the group to which the institution belongs e.g. its Head Office, parent institution, another branch or related company, or an unrelated party, whether located in Antigua and Barbuda or elsewhere. 5 LEGAL AND REGULATORY OBLIGATIONS 5.1 Outsourcing does not diminish the obligations of an institution, and those of its board and senior management, to comply with relevant laws and regulations in Antigua and Barbuda. Risk management practices should therefore include steps to ensure all relevant laws,
8 G u i d e l i n e s o n O u t s o u r c i n g P a g e 8 regulations, guidelines and other directions, as well as any condition of approval, licensing or registration, continue to be met. The Commission s supervisory powers over institutions and ability to carry out supervisory functions should also not be hindered, whether the service provider is located within Antigua and Barbuda or elsewhere. 5.2 Every institution should conduct its business with integrity and competence. Hence an institution should not engage in outsourcing that results in its internal control, business conduct or reputation being compromised or weakened. An institution has to take steps to ensure that the service provider employs a high standard of care in performing the service as if the activity were not outsourced and conducted within the institution. The institution also needs to maintain the capability and appropriate level of monitoring and control over outsourcing, such that in the event of disruption or unexpected termination of the service, it remains able to conduct its business with integrity and competence. 6 MATERIAL OUTSOURCING 6.1 An institution should assess the degree of materiality in an outsourcing to the institution. The extent and degree to which these Guidelines are implemented is expected to be commensurate with the materiality of the outsourcing. In assessing materiality, the Commission recognises that qualitative judgment is involved and the circumstances faced by individual institutions may vary. Factors that an institution should consider include, among others:-
9 G u i d e l i n e s o n O u t s o u r c i n g P a g e 9 importance of the business activity to be outsourced, for example, in terms of contribution to income and profit; potential impact of the outsourcing on earnings, solvency, liquidity, funding and capital, and risk profile; impact on the institution s reputation and brand value, and ability to achieve its business objectives, strategy and plans, should the service provider fail to perform the service; cost of the outsourcing as a proportion of total operating costs of the institution; aggregate exposure to a particular service provider in cases where the institution outsources various functions to the same service provider; and ability to maintain appropriate internal controls and meet regulatory requirements, if there were operational problems faced by the service provider. Outsourcing of all or substantially all risk management and internal control functions including compliance, internal audit and financial accounting, is to be considered material. 6.2 An institution should undertake periodic reviews of its outsourcing arrangements to identify new material outsourcing risks as they arise. An arrangement which was previously not material may subsequently become material from incremental activities outsourced to the same service provider or an increase in volume or nature of the activity outsourced to the service provider. Material outsourcing risks may also arise when the
10 G u i d e l i n e s o n O u t s o u r c i n g P a g e 10 service provider in a material outsourcing plans to subcontract the service or makes significant changes to its sub contracting arrangements. 6.3 An institution should consider materiality at both the institution and on a consolidated basis, i.e. together with the institution s branches and corporations under its control. 7 RISK MANAGEMENT PRACTICES 7.1 Role Of The Board And Senior Management The board and senior management of an institution retain ultimate responsibility for the effective management of risks arising from outsourcing. While an institution may delegate its day-to-day operational duties to the service provider, the responsibilities for effective due diligence, oversight and management of outsourcing and accountability for all outsourcing decisions, continue to rest with the institution, its board and senior management. The board, or a committee delegated by it, is responsible for:- approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements; laying down the appropriate approval authorities for outsourcing depending on the nature of risks in, and materiality of the outsourcing; assessing management competencies for developing sound and responsive outsourcing risk management policies and procedures as commensurate with the nature, scope and complexity of the outsourcing arrangements;
11 G u i d e l i n e s o n O u t s o u r c i n g P a g e 11 undertaking regular review of outsourcing strategies and arrangements for their continued relevance, and safety and soundness; and reviewing a list of all material outsourcing and relevant reports on outsourcing Senior management is responsible for:- Evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the board; Developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing; Reviewing periodically the effectiveness of policies and procedures; Communicating information pertaining to material outsourcing risks to the board in a timely manner; Ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested; and Ensuring that there is independent review and audit for compliance with set policies. 7.2 Evaluation Of Risks To satisfy themselves that an outsourcing does not result in the internal control, business conduct or reputation of an institution being compromised or weakened, its board and senior management would need to be fully aware of and understand the risks in an
12 G u i d e l i n e s o n O u t s o u r c i n g P a g e 12 outsourcing and resulting impact on the institution. A framework for systematic risk evaluation should be established and it should include the following steps:- Identification of the role of outsourcing in the overall business strategy and objectives of the institution, and its interaction with corporate strategic goals; Comprehensive due diligence on the nature, scope and complexity of the outsourcing to identify the key risks and risk mitigation strategies; Analysis of the impact of the arrangement on the overall risk profile of the institution, and whether there are adequate internal expertise and resources to mitigate the risks identified; and Analysis of risk-return on the potential benefits of outsourcing against the vulnerabilities that may arise, ranging from the impact of temporary disruption to that of an unexpected termination in the outsourcing, and whether for strategic and internal control reasons, the arrangement should not be entered into Such evaluations should be performed whenever an institution is planning to enter into an outsourcing arrangement, or reviewing the performance of an existing arrangements, as part of the outsourcing approval and strategic planning or review processes of the institution. 7.3 Capability of Service Providers In considering, renegotiating or renewing an outsourcing arrangement, an institution should subject the service provider to appropriate due diligence to assess its capability to
13 G u i d e l i n e s o n O u t s o u r c i n g P a g e 13 employ a high standard of care in performing the service and comply with its obligations under the outsourcing agreement. The due diligence should take into consideration qualitative and quantitative, financial, operational and reputation factors. Compatibility and performance should be emphasized in the assessment. Where possible, the institution should obtain independent reviews and market feedback on the service provider to supplement its own findings The due diligence should involve an evaluation of all available information about the service provider such as:- its experience and competence to implement and support the proposed activity over the contracted period; its financial strength and resources (the due diligence should be similar to a credit assessment of the viability of the service provider based on reviews of business strategy and goals, audited financial statements, the strength of commitment of significant equity sponsors and ability to service commitments even under adverse conditions); its business reputation and culture, compliance, complaints and outstanding or potential litigation; its security and internal controls, audit coverage, reporting and monitoring environment; its business continuity management; its reliance on and success in dealing with sub-contractors;
14 G u i d e l i n e s o n O u t s o u r c i n g P a g e 14 its insurance coverage; and its external factors (such as the political, economic, social and legal environment of the jurisdiction in which the service provider operates, and other events) that may impact service performance Due diligence undertaken during the selection process should be documented and reperformed periodically as part of the monitoring and control processes of outsourcing. The due diligence process can vary depending on the nature of the outsourcing arrangement e.g. reduced due diligence may be sufficient where no developments or changes have arisen to affect an existing outsourcing arrangement or where the outsourcing is to a member of the group5. An institution should ensure that the information used for due diligence evaluation is current and should not be more than 12 months old. 7.4 Outsourcing Agreement Contractual terms and conditions governing relationships, functions, obligations and responsibilities of the contracting parties in the outsourcing should be carefully and properly defined in written agreements. The detail in these agreements should be appropriate for the nature and materiality of the arrangement. They should also be vetted by a competent authority e.g. the institutions legal counsel on their legal effect and enforceability.
15 G u i d e l i n e s o n O u t s o u r c i n g P a g e An institution should ensure that every outsourcing agreement addresses the risks and risk mitigation strategies identified at the risk evaluation and due diligence stages. Each agreement should allow for renegotiation and renewal to enable the institution to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet its legal and regulatory obligations. The agreement should also not hinder the Commission in the exercise of its supervisory powers over the institution and right of access to information on the institution and the service provider. It should at the very least, have provisions pertaining to:- The scope of the outsourcing service; Performance standards defined in terms of, for example, service levels and performance targets; service availability, reliability, stability and upgrade; Confidentiality and security; Business continuity management; Monitoring and control; Audit and inspection; Dispute resolution Agreements should specify the resolution process, events of default, and the indemnities, remedies and recourse of the respective parties in the agreements; Default termination and early exit An institution should have the right to terminate the agreement in the event of default, including circumstances when the service provider undergoes a change in
16 G u i d e l i n e s o n O u t s o u r c i n g P a g e 16 ownership, becomes insolvent, goes into liquidation, receivership or judicial management, whether in Antigua and Barbuda or elsewhere; or when there has been a breach of security, confidentiality or demonstrable deterioration in the ability of the service provider to perform the service as contracted. The minimum period to execute a termination provision should be specified; and Sub-contracting An institution should retain the ability to maintain similar control over its outsourcing risks when a service provider uses a subcontractor as in its agreement with the service provider. Agreements should have clauses setting out the rules and limitations on sub-contracting. An institution may want to include clauses making the service provider contractually liable for the capability of the sub-contractor it selects and for compliance with the provisions in its agreement with the service provider, including the prudent practices set out in these Guidelines, and in particular those relating to security and confidentiality, audit and inspection as well as business continuity management. For material outsourcing arrangements, the sub-contracting of all or substantially all of a service provided, should be subject to prior approval of the institution; and Applicable Laws Agreements should include choice-of-law provisions, agreement covenants and jurisdictional covenants that provide for adjudication of disputes between the parties under the laws of Antigua and Barbuda.
17 G u i d e l i n e s o n O u t s o u r c i n g P a g e Each agreement should be tailored to address additional issues arising from country risks and potential obstacles in exercising oversight and management of the arrangements when outsourcing to a service provider outside Antigua and Barbuda. 7.5 Confidentiality and Security As public confidence in financial institutions is a cornerstone in the stability and reputation of the financial industry, it is vital that an institution satisfies itself that the service provider s security policies, procedures and controls will enable the institution to protect confidentiality and security of customer information An institution should be proactive in identifying and specifying requirements for confidentiality and security in the outsourcing arrangement. An institution may want take the following steps to ensure that the issue of customer confidentiality is addressed:- Address, agree and document the respective responsibilities of the various parties in the outsourcing to ensure the adequacy and effectiveness of security policies and practices, including the circumstances under which each party has the right to change security requirements. It should also address the issue of the party liable for losses in the event of a breach of security and the service provider s obligation to inform the institution; Address issues of access and disclosure of customer information provided to the service provider having regard to the institution s obligations under relevant laws and regulations. Customer information should be used by the service provider and
18 G u i d e l i n e s o n O u t s o u r c i n g P a g e 18 its staff strictly for the purpose of the contracted service. Any unauthorized disclosure of the institution s customer information to any other party should be prohibited; Disclose customer information to the service provider only on a need-to -know basis and ensure that the amount of information disclosed is commensurate with the requirements of the situation; Ensure the service provider is able to isolate and clearly identify the institution s customer information, documents and records and assets to protect the confidentiality of the information. An institution should also ensure that the service provider takes technical, personnel and organisational measures in order to maintain the confidentiality of customer information between its various customers; and Review and monitor the security practices and control processes of the service provider on a regular basis, including commissioning or obtaining periodic expert reports on security adequacy and compliance in respect of the operations of the service provider, and requiring the service provider to disclose security breaches Confidentiality and security protection should be commensurate with the nature and materiality of the outsourcing. An institution would need to take into consideration any legal or contractual obligation to notify customers of the outsourcing and circumstances under which their information may be disclosed.
19 G u i d e l i n e s o n O u t s o u r c i n g P a g e An institution should notify the Commission of any unauthorised access or breach of security and confidentiality by the service provider or its subcontractors that affect the institution or its customers. 7.6 Business Continuity Management An institution should ensure that its business continuity preparedness is not compromised by outsourcing. It is expected to adopt the sound practices and standards contained in the G4 Operational Risk Guidelines issued by the Commission, in evaluating the impact of outsourcing on its risk profile and for effective Business Continuity Management on an ongoing basis In line with the G4 Operational Risk Guidelines, an institution should take steps to evaluate and satisfy itself that the interdependency risk arising from the outsourcing arrangement can be adequately mitigated such that the institution remains able to conduct its business with integrity and competence in the event of disruption, or unexpected termination of the outsourcing or liquidation of the service provider. These should include steps to:- Determine that the service provider has in place satisfactory business continuity plans (BCP) commensurate with the nature, scope and complexity of the outsourcing. Outsourcing agreements should contain BCP requirements on the service provider, in particular recovery time objectives (RTO) and resumption operating capacities. Escalation, activation and crisis management procedures should also be clearly defined;
20 G u i d e l i n e s o n O u t s o u r c i n g P a g e 20 Proactively seek assurance on the state of BCP preparedness of the service provider. It should ensure the service provider regularly tests its BCP plans and that the tests validate the feasibility of the RTOs and resumption operating capacities. The institution should require the service provider to notify the institution of any test finding that may affect the service provider s performance. The institution should also require the service provider to notify it of any significant changes in the service provider s BCP plans and of any adverse development that could significantly impact the service provided to the institution; and Ensure the service provider is able to isolate and clearly identify the institution s information, documents and records, and other assets such that in adverse conditions, all documents, records of transactions and information given to the service provider, and assets of the institution, can be either removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable For assurance on the functionality and effectiveness of its BCP plan, an institution should design and carry out regular, complete and meaningful testing of its plans as commensurate with the nature, scope and complexity of the outsourcing, including risks arising from interdependencies on the institution. For tests to be complete and meaningful, the institution should involve the service provider so as to validate its BCP as well as for assurance on the awareness and preparedness of its own staff. The institution should also
21 G u i d e l i n e s o n O u t s o u r c i n g P a g e 21 base its business continuity considerations and requirements on probable worst-case scenarios of unexpected termination of the outsourcing or liquidation of the service provider. 7.7 Monitoring and Control of Outsourced Activities An institution should establish a structure for the management and control of outsourcing. Such a structure will vary depending on the nature, scope and complexity of the outsourced activity. As outsourcing relationships and interdependencies increase in materiality and complexity, a more rigorous risk management approach should be adopted. An institution also has to be more proactive in its relationship with the service provider e.g. having frequent meetings, to ensure that performance levels are upheld. An institution should ensure that outsourcing agreements with service providers contain provisions to address their monitoring and control of outsourced activities A structure for effective monitoring and control of material outsourcing would comprise the following:- A central record of all material outsourcing that is readily accessible for review by the board and senior management of the institution. Information maintained in the record should include the name and location(s) of the service provider, the value and expiry or renewal dates of the contract, and reviews on the performance of the outsourced arrangement. The record should be updated promptly and form part of
22 G u i d e l i n e s o n O u t s o u r c i n g P a g e 22 the corporate governance reviews undertaken by the board and senior management of the institution, similar to those described in paragraph 6.1; Multi -disciplinary outsourcing management groups with members from functions including legal, compliance and finance, to ensure that other than technical issues, legal and regulatory requirements are also met. The institution should allocate sufficient resources, in terms of both time and manpower, to the management groups to enable staff to adequately plan and oversee the entire outsourcing effort; Establishment of management control groups to monitor and control the outsourced service on an ongoing basis. There should be policies and procedures to monitor service delivery, performance reliability and processing capacity of the service provider for the purpose of gauging ongoing compliance with agreed service levels and the viability of its operations. Such monitoring could be done through the review of reports by auditors of the service provider or audits commissioned by the institution; Regular reviews and audits to ensure outsourcing risk management policies and procedures, and these Guidelines, are being effectively complied with; and Reporting policies and procedures. Reports on the monitoring and control activities of the institution should be prepared or reviewed by its senior management and provided to its board. The institution should also ensure that any adverse
23 G u i d e l i n e s o n O u t s o u r c i n g P a g e 23 development arising in any outsourced activity is brought to the attention of the senior management of the institution and service provider, or to its board, where warranted, on a timely basis. Actions should be taken by an institution to review the outsourcing relationship for modification or termination of the agreement The Commission should be informed if there are any adverse developments or noncompliance with legal and regulatory requirements in an outsourcing arrangement. 7.8 Audit and Inspection Outsourcing should not interfere with the ability of the institution to effectively manage its activities or impede the Commission in carrying out its supervisory functions and objectives. Every institution is therefore required to take steps to ensure that outsourcing agreements with the service provider include clauses that allow:- The institution to conduct audits on the service provider, whether by its internal or external auditors, or by agents appointed by the institution; and to obtain copies of any report and finding made on the service provider in conjunction with the service performed for the institution; and The Commission, or any agent appointed by the Commission, to access both the service provider and the institution to obtain records and documents, of transactions, and information of the institution given to, stored at or processed by the service provider and the right to access any report and finding made on the service provider.
24 G u i d e l i n e s o n O u t s o u r c i n g P a g e 24 An institution should ensure that these requirements are met in its arrangements with the service provider as well as any sub-contractor that the service provider may engage in the outsourcing, including any disaster recovery and backup service providers As a practice, institutions should conduct pre- and postoutsourcing implementation reviews. An institution should also review its outsourcing arrangements periodically to ensure that its outsourcing risk management policies and procedures, and these Guidelines, are effectively complied with. Such reviews should ascertain the adequacy of internal risk management and management information systems established by the institution e.g. assessing the suitability of indicators that evaluate the performance level of the service provider, and highlight any deficiency or breach in the institution s systems of control. This should form part of the procedures for effective monitoring and control of the institution s outsourcing risks, and is to be complemented through audits by the institution s internal or external auditors, or by agents appointed by the institution, provided the appointed persons possess the requisite knowledge and skills to perform the review An institution should, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider including reports by the service provider s external auditors,
25 G u i d e l i n e s o n O u t s o u r c i n g P a g e 25 should highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness In addition to the annual reviews undertaken to assess the capability of service providers as stated in paragraph 7.8.3, an institution should also periodically commission independent audit and expert assessments on the security and control environment of the service provider. Such assessments and reports on the service provider may be performed and prepared by the institution s internal or external auditors, or by agents appointed by the institution. The appointed persons should possess the requisite knowledge and skills to perform the engagement, and be independent of the unit or function performing the outsourced activity The scope of reviews in paragraphs 7.8.2, and may vary depending on the nature and materiality of the outsourcing. Copies of audit reports should be made available to the Commission upon request. 7.9 Outsourcing Outside Antigua and Barbuda The engagement of a service provider in a foreign country exposes an institution to country risk - economic, social and political conditions and events in a foreign country that may adversely affect the institution. Such conditions and events could prevent the service provider from carrying out the terms of its agreement with the institution. In its risk management of such outsourcing, an institution should take into account, at due diligence
26 G u i d e l i n e s o n O u t s o u r c i n g P a g e 26 and on a continuous basis, the government policies and political, social, economic and legal conditions in the foreign country, its ability to effectively monitor the service provider, and to execute its business continuity management plans and exit strategy Outsourcing outside Antigua and Barbuda should be conducted in a manner so as not to hinder efforts to supervise or reconstruct the Antigua and Barbuda activities of the institution (i.e. from its books, accounts and documents) in a timely manner. Specifically:- An institution should, in principle, enter into arrangements only with parties operating in jurisdictions that uphold confidentiality clauses and agreements; It should not outsource to jurisdictions where prompt access to information by the Commission or agents appointed by the Commission to act on its behalf, at the service provider, may be impeded by legal or administrative restrictions. An institution must at least commit to retrieve information readily from the service provider should the Commission request for such information. The institution should confirm in writing to the Commission, the rights of access to the institution s information, reports and findings at the service provider, as set out in paragraph 7.8.1; and It should notify the Commission if any overseas authority were to seek access to its customer information or if a situation were to arise where the rights of access of the institution and the Commission set out in paragraph 7.8.1, have been restricted or denied.
27 G u i d e l i n e s o n O u t s o u r c i n g P a g e The Commission may require additional measures to be taken by an institution and other supervisory actions, depending on the potential impact of the outsourcing on the institution and the financial system, or as circumstances warrant. The Commission may also directly communicate with the home or host regulator of the institution and its service provider, on their ability and willingness to cooperate with the Commission in supervising the outsourcing risks to the institution. The Commission may require an institution to terminate or make alternative outsourcing arrangements if the confidentiality of its customer information or the ability of the Commission to carry out its supervisory functions cannot be assured Outsourcing Within a Group These Guidelines are generally applicable to outsourcing to parties within an institution s group, including its Head Office or parent institution, another branch or related company, whether located within or outside Antigua and Barbuda. The requirements may be addressed within group -wide risk management policies and procedures. The institution would be expected to be able to provide, when requested, information demonstrating the structure and processes by which its board and senior management discharge their role in the oversight and management of outsourcing risks on a group-wide basis Due diligence on an intra-group service provider may take the form of evaluating qualitative aspects on the ability of the service provider to address risks specific to the institution, particularly those relating to business continuity management, monitoring and
28 G u i d e l i n e s o n O u t s o u r c i n g P a g e 28 control, and audit and inspection, including confirmation on the right of access to be provided to the Commission to retain effective supervision over the institution, and compliance with local regulatory standards. The respective roles and responsibilities of each office in the outsourcing arrangement should be documented in writing in a service level agreement or an equivalent document. The Commission may require additional measures to be taken by an institution and other supervisory actions, depending on the potential impact of the outsourcing on the institution or as circumstances warrant Outsourcing of Internal Audit to External Auditors Where the outsourced service is the internal audit function of an institution, there are additional issues that an institution should deliberate upon. One of these is the lack of independence or the appearance of impaired independence, when a service provider is handling multiple engagements for an institution, such as internal and external audits, and consulting work. There is doubt that the service provider, in its internal audit role, would criticize itself for the quality of the external audit or consultancy services provided to the institution. In addition, when the operations of an institution are complex and involve large transaction volumes and amounts, it should ensure service providers have the expertise to adequately complete the engagement. An institution should address these and other relevant issues before outsourcing the internal audit function.
29 G u i d e l i n e s o n O u t s o u r c i n g P a g e Before outsourcing the internal audit function to external auditors, an institution should satisfy itself that the external auditor would be in compliance with the G9 Guidelines Issued by the Commission.
30 G u i d e l i n e s o n O u t s o u r c i n g P a g e 30 Annex 1 1 The following are examples of some services that, when performed by a third party, would be regarded as outsourcing for the purposes of the Guidelines although they are not exhaustive:- Back office management (e.g. electronic funds transfer, payroll processing, custody operations, quality control, purchasing, maintaining the register of participants of a collective investment scheme (CIS) and sending of accounts and reports to CIS participants); Claims administration (e.g. loan negotiations, loan processing, collateral management, collection of bad debt); Application processing (e.g. loan origination, credit cards); Document processing (e.g. cheques, credit card and bill payments, bank statements, other corporate payments); Information system management and maintenance (e.g. data entry and processing, data centres, facilities management, end-user support, local area networks, help desks); Investment management (e.g. portfolio management, cash management); Manpower management (e.g. benefits and compensation administration, staff appointment, training and development); Marketing and research (e.g. product development, data warehousing and mining, media relations, call centres, telemarketing);
31 G u i d e l i n e s o n O u t s o u r c i n g P a g e 31 Business continuity and disaster recovery capacity and capabilities; and Professional services related to the business activities of the institution (e.g. accounting, internal audit, actuarial). 2 The following arrangements would generally not be considered outsourcing and they are categorized under 4 general groupings: Arrangements where the required infrastructure necessitates such substantial investments as to render in -house provision of services nearly impossible, or where certain industry characteristics require the use of third-party providers. Telephone, utilities; Market information services (e.g. Bloomberg, Moody s, Standard & Poors); Common network infrastructures (e.g. VISA, Mastercard) Clearing and settlement arrangements between clearing and settlement institutions/houses and their members, and similar arrangements between members and non-members; Correspondent banking services; and Introducer arrangements (where the institution does not have any contractual relationship with customers). Arrangements that pertain to principal-agent relationships rather than outsourcing. Sale of insurance policies by agents or brokers, and ancillary services relating to those sales.
32 G u i d e l i n e s o n O u t s o u r c i n g P a g e 32 Arrangements that the institution is not legally or administratively able to provide. Statutory audit and independent audit assessments; Discreet advisory services (e.g. legal opinions, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy, loss adjuster); and Independent consulting. Arrangements that are generally considered low-risk. Mail, courier services; Printing services; Purchase of goods, commercially available software and other commodities; Credit background, background investigation and information services; and Employment of contract or temporary personnel.
33 G u i d e l i n e s o n O u t s o u r c i n g P a g e 33 Annex 2 Is the arrangement Considered Outsourcing? (Use Annex 1 as a guide) Yes No Arrangement not subject to these guidelines eg those cited in paragraph 2 of Annex 1. Conduct business-as-usual due diligence. Is the outsourcing material? Yes No Pre-notify the Commission. Evaluate the outsourcing against the Guidelines and apply accordingly. Use these Guidelines, where applicable, to assess and manage outsourcing risks
Monetary Authority of Singapore GUIDELINES ON OUTSOURCING ISSUED IN OCTOBER 2004 (Last Updated 1 July 2005) Monetary Authority of Singapore TABLE OF CONTENTS 1 INTRODUCTION... 1 2 APPLICATION OF GUIDELINES...
CONSULTATION PAPER P019-2014 SEPTEMBER 2014 GUIDELINES ON OUTSOURCING PREFACE 1 MAS first issued the Guidelines on Outsourcing ( the Guidelines ) in 2004 1 to promote sound risk management practices for
SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 ISSUED: 4 th May 2004 REVISED: 27 th August 2009 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS I. INTRODUCTION The Central Bank
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
CONSULTATION PAPER P018-2014 SEPTEMBER 2014 NOTICE ON OUTSOURCING PREFACE 1 MAS first issued the Guidelines on Outsourcing in 2004 1 ( Guidelines ) to promote sound risk management practices for the outsourcing
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs April 2015 For private circulation only Draft Guidelines on Managing Risks and Code of Conduct
Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on
OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008 BANK OF TANZANIA PART I PRELIMINARY 1 These guidelines may be cited as the Outsourcing Guidelines for Banks and Financial Institutions,
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
Bank of Papua New Guinea Prudential Standard BPS252: Outsourcing of Business Activities, Functions and Processes Issued under Section 27 of the Banks and Financial Institutions Act 2000 Overview and Key
SUPERVISORY AND REGULATORY GUIDELINES Guidelines Issued: 22 December 2015 GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS 1. INTRODUCTION 1.1 The Central Bank of The Bahamas ( the Central
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing
November 8, 2010 To All Insurers Draft Guidelines on Outsourcing of activities by Insurance Companies Reference: 1. INV/CIR/031/2004-05 dated 27 th July, 2004 2. INV/CIR/058/2004-05 dated 28 th December,
Guidance Note GGN 221.1 Managing Outsourcing Arrangements 1. This Guidance Note provides further detail on the requirements for managing material outsourcing arrangements (refer Prudential Standard GPS
GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
Mapping of outsourcing requirements Following comments received during the first round of consultation, CEBS and the Committee of European Securities Regulators (CESR) have worked closely together to ensure
An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise
Outsourcing Risk Guidance Note for Banks Part 1: Definitions Guideline 1 For the purposes of these guidelines, the following is meant by: a) outsourcing: an authorised entity s use of a third party (the
BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 Ref: BR/14/2009 OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 INTRODUCTION
CIRCULAR CIR/MIRSD/24/2011 December 15, 2011 All intermediaries registered with SEBI Merchant Bankers/Registrars to An issue and Share Transfer Agents/Debenture Trustees/Bankers to An Issue/Underwriters/Credit
PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2 PART II POLICY REQUIREMENTS...3 Investment and Risk Management Policy...3 Monitoring and Control...5 Roles of
OUTSOURCING POLICY OF Version Number 1.0 Dated 15 th July 2009 1 Table of contents Page No. Introduction 3 Activities that are proposed to be outsourced by the Bank 4 Activities that are already outsourced
14 December 2006 GUIDELINES ON OUTSOURCING CEBS presents its Guidelines on Outsourcing. The proposed guidelines are based on current practices and also take into account international, such as the Joint
Prudential Practice Guide PPG 231 Outsourcing October 2006 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal advice and users
Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC) 1 Introduction 1.1 Section 316 (4) of the International Business
World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with
Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner
Solvency Assessment and Management: Pillar II Sub Committee Governance Task Group Discussion Document 81 (v 3) Governance, Risk Management, and Internal Controls INTERIM REQUIREMENTS CONTENTS 1. INTRODUCTION
20 th February, 2013 To Insurance Companies Reinsurance Companies GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES These guidelines on Risk Management and Internal
RBI/2006/167 DBOD.NO.BP. 40/ 21.04.158/ 2006-07 November 3, 2006 All Scheduled Commercial Banks(excluding RRBs) Dear Sir, Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services
Solvency II Detailed guidance notes March 2010 Section 1 - System of governance Section 1: System of Governance Overview This section outlines the Solvency II requirements for an effective system of governance,
Principles on Outsourcing by Markets Final Report TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS July 2009 CONTENTS I. Introduction 3 II. Survey Results 5 A. Outsourced
Prudential Standard CPS 510 Governance Objectives and key requirements of this Prudential Standard The ultimate responsibility for the sound and prudent management of an APRA-regulated institution rests
Managing General Agents (MGAs) Guideline JUNE 2013 DRAFT FOR COMMENT BC AUTHORIZED LIFE INSURERS www.fic.gov.bc.ca PURPOSE This draft guideline outlines best practices that the Financial Institutions Commission
Unofficial translation Riga, 11 November 2011 Regulation No. 246 (Minutes No. 43 of the meeting of the Board of the Financial and Capital Market Commission, item 8) Regulation for Establishing the Internal
1 Sound Practices for the Management of Operational Risk Authority 1.1 Section 316 (4) of the International Business Corporations Act (IBC Act) requires the Commission to take any necessary action required
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
Monetary Authority of Singapore SECURITIES AND FUTURES ACT (CAP. 289) GUIDELINES ON CRITERIA FOR THE GRANT OF A CAPITAL MARKETS SERVICES LICENCE OTHER THAN FOR FUND MANAGEMENT Guideline No : SFA 04-G01
This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue
Prudential Standard CPS 231 Outsourcing Objective and key requirements of this Prudential Standard This Prudential Standard requires that all outsourcing arrangements involving material business activities
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS Purpose This advisory bulletin communicates the Federal Housing Finance Agency s (FHFA)
Advisory Guidelines of the Financial Supervisory Authority Requirements regarding the arrangement of operational risk management These Advisory Guidelines have established by resolution no. 63 of the Management
SD 0880/10 INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES Laid before Tynwald 16 November 2010 Coming into operation 1 October 2010 The Supervisor, after consulting
OVERVIEW Attachment Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion [Fotnote1 6/8/2016 Managing risks is fundamental to
Interest-in-Shares and Collective Investment Schemes for Islamic Banks BNM/RH/ GL 002-5 PART A: INTRODUCTION AND OVERVIEW...1 1. Overview of the Guidelines... 1 2. Definitions... 2 3. Legal Enforceability
Risk Management Programme Guidelines Submissions are invited on these draft Reserve Bank risk management programme guidelines for non-bank deposit takers. Submissions should be made by 29 June 2009 and
KINGDOM OF SAUDI ARABIA Capital Market Authority CREDIT RATING AGENCIES REGULATIONS English Translation of the Official Arabic Text Issued by the Board of the Capital Market Authority Pursuant to its Resolution
GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS 1.0 Introduction 1.1 Good corporate governance practice improves safety and soundness through effective risk management and creates the ability to execute
Monetary Authority of Singapore SECURITIES AND FUTURES ACT (CAP. 289) GUIDELINES ON CRITERIA FOR THE GRANT OF A CAPITAL MARKETS SERVICES LICENCE OTHER THAN FOR FUND MANAGEMENT Guideline No : SFA 04-G01
Interest-in-Shares and Collective BNM/RH/GL 001-30 Prudential Financial Policy Department PART A INTRODUCTION AND OVERVIEW... 1 1. Overview of the Guidelines... 1 2. Definitions... 1 3. Legal Enforceability
FUND MANAGER CODE OF CONDUCT First Edition pursuant to the Securities and Futures Ordinance (Cap. 571) April 2003 Securities and Futures Commission Hong Kong TABLE OF CONTENTS Page INTRODUCTION 1 I. ORGANISATION
Statement of Principles Bank Registration and Supervision Prudential Supervision Department Document Issued: 2 TABLE OF CONTENTS Subject Page A. INTRODUCTION... 3 B. PURPOSES OF BANK REGISTRATION AND SUPERVISION...
POLICY STATEMENT AND GUIDANCE NOTES ON: (1) OUTSOURCING; AND (2) DELEGATION BY JERSEY CERTIFIED FUNDS AND FUND SERVICES BUSINESSES Issued: May 2011 Contents CONTENTS Contents...3 Background...4 1 Scope...
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
2008 Guidelines for for Insurance Insurance Undertakings Undertakings on Asset on Asset Management Management 2 Contents Context...3 1. General...3 2. Introduction...3 3. Regulations and guidelines for
2013 Authorisation Requirements and Standards for Debt Management Firms 2 Contents Authorisation Requirements and Standards for Debt Management Firms Contents Chapter Part A: Authorisation Requirements
Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is
Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance
OUTSOURCING POLICY Strategy and Business Development Department Table of contents. 1. Introduction 2. Scope of the Policy 3. Definition of Outsourcing 3.1. Indicative list of activities that can be outsourced
GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES Issued: 15 March 2005 Revised: 25 April 2014 1 P a g e List of Revision Revision Effective Date 1 st Revision 23 May 2011 2 nd Revision 16
2013 Policy on the Management of Country Risk by Credit Institutions 1 Policy on the Management of Country Risk by Credit Institutions Contents 1. Introduction and Application 2 1.1 Application of this
B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued
KINGDOM OF SAUDI ARABIA Capital Market Authority CREDIT RATING AGENCIES REGULATIONS English Translation of the Official Arabic Text Issued by the Board of the Capital Market Authority Pursuant to its Resolution
Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Statement of Principles Pursuant to the Sarbanes-Oxley Act of 2002 (the Act ) and in accordance
S t a n d a r d 4. 4 a M a n a g e m e n t o f c r e d i t r i s k Regulations and guidelines THE FINANCIAL SUPERVISION AUTHORITY 4 Capital adequacy and risk management until further notice J. No. 1/120/2004
CEIOPS-DOC-29/09 CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance (former Consultation Paper 33) October 2009 CEIOPS e.v. Westhafenplatz 1-60327 Frankfurt Germany Tel.
2013 Central Bank of Ireland Guidelines on Preparing for Solvency II System of Governance Contents 1 Context... 1 2 General... 2 3 Guidelines on the System of Governance... 3 3.1 Section I General Provisions...
www.cudgc.sk.ca MISSION We instill public confidence in Saskatchewan credit unions by guaranteeing deposits. As the primary prudential and solvency regulator, we promote responsible governance by credit
GUIDELINES ON OUTSOURCING ARRANGEMENTS STATE BANK OF PAKISTAN BANKING POLICY & REGULATIONS DEPARTMENT KARACHI CONTENTS Page No I INTRODUCTION:... 1 II APPLICABILITY:... 1 III DEFINITION OF OUTSOURCING:...
D2725D-2013 EURIBOR - CODE OF OBLIGATIONS OF PANEL BANKS Version: 1 October 2013 1. Objectives The European Money Markets Institute EMMI previously known as Euribor-EBF, as Administrator for the Euribor
Statement of Guidance Country and Transfer Risk Management by Banks 1. Statement of Objectives 1.1. To provide guidance on the accepted level of risk associated with international banking activities, in
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
STANDARDS OF SOUND BUSINESS PRACTICES CREDIT RISK MANAGEMENT 2005 The. All rights reserved Credit Risk Management Page 2 CREDIT RISK MANAGEMENT A. PURPOSE This document sets out the minimum policies and
Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor
Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships
Insurance Guidance Note No. 14 Transition to Governance Requirements established under the Solvency II Directive Date of Paper : 31 December 2013 Version Number : V1.00 Table of Contents General governance
Application for a Banking Authority Foreign Bank Branches Prudential Statement J2 PS J2 Introduction 1. A foreign bank wishing to operate as a branch in Australia must obtain a banking authority issued
Code of Conduct for Persons Providing Credit Rating Services June 2011 Appendix A 1 Table of Contents Introduction 1 Part 1 Quality And Integrity Of The Rating Process 2 Quality of the Rating Process 2
2015 Fund Management Companies - Guidance Fund Management Companies Guidance November 2015 1 Contents Part I. Delegate Oversight 2 Part II. Organisational Effectiveness 24 Part III. Directors Time Commitments
INTERNATIONAL STANDARD ON 220 QUALITY CONTROL FOR AN AUDIT OF FINANCIAL STATEMENTS (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Introduction
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental