Outsourcing arrangements


Rules Notice
Guidance Note
Dealer Member Rules

Please distribute internally to:
Internal Audit
Legal and Compliance
Operations
Regulatory Accounting
Senior Management

Contacts:
Luis Piergeti, Vice President, Financial and Operations Compliance, (416)
Richard J. Corner, Vice President, Member Regulation Policy, (416)

January 13, 2014

Outsourcing arrangements

Guidance Note objectives

The objectives of this Guidance Note are to:
- summarize the existing requirements and guidance relating to entering into and maintaining outsourcing arrangements,
- identify the Dealer Member business activities that may not be outsourced and those that may be outsourced,
- set out IIROC's expectations as to the appropriate due diligence procedures that must be undertaken by IIROC Dealer Members before outsourcing any business activity, and
- set out IIROC's plans to propose rules relating to outsourcing.

Background information and context are also provided on the development of regulatory principles governing outsourcing arrangements by regulated entities and relevant financial sector guidance published on this subject matter.

The concept of outsourcing is not new in the securities industry. The IIROC Dealer Member Rules set out the requirements for many of the common outsourcing arrangements that are entered into by Dealer Members, including:
- Back office sharing arrangements with an affiliated Canadian financial institution,

- Introducing broker/carrying broker arrangements,
- Security custody arrangements, and
- External portfolio management arrangements.

However, as firms face increasing competitive pressures to contain and reduce costs, there is a corresponding trend to outsource more business functions, activities and processes to third-party service providers through arrangements that IIROC Dealer Member Rules do not adequately address.

In recent years, there has been an evolution of outsourcing arrangements put in place between Dealer Members and regulated/unregulated entities that may or may not be affiliated, and that may be foreign or domestic. For example, employees of Canadian banks, that own a Dealer Member, conduct certain back-office operational functions on behalf of the Dealer Member and the parent bank charges the Dealer Member for those services rendered, pursuant to a service agreement. Similar arrangements exist for US FINRA-registered parent companies of Dealer Member subsidiaries. These functions include accounting and back-office support that are outside the scope of Rule 35 Introducing broker/carrying broker arrangements.

There is a growing interest by self-clearing Dealer Members to outsource the daily management of books and records, including the reconciliation of bank account balances, positions held in custody, dividend/interest income received, and stock reorganizations, to both domestic and foreign unregulated, third-party service providers. Without adequate safeguards, this industry trend may give rise to incremental investor protection, market reputation, credit and systemic risks.

Dealer Members are reminded of their obligation to provide IIROC with advance notification of material changes in their business model, including operations pursuant to IIROC Rules Notice Reporting of changes to business models dated March

The effective date of this guidance note is April 14,

1. What is outsourcing?

The term outsourcing is not currently defined within the IIROC rules. A report prepared in 2005 by the International Organization of Securities Commissions (the "IOSCO Report") sets out the following definition for outsourcing:

Outsourcing is defined as an event in which a regulated outsourcing firm contracts with a service provider for the performance of any aspect of the outsourcing firm's regulated or unregulated functions that could otherwise be undertaken by the firm itself. It is intended to include only those services that were or can be delivered by internal staff and management the service provider may be a related party within a corporate group, or an unrelated outside entity. The service provider may itself be either regulated (whether or not by the same regulator with authority over the outsourcing firm), or may be an unregulated entity. Outsourcing would not cover purchasing contracts, although as with outsourcing, firms should ensure that what they are buying is appropriate for the intended purpose. Purchasing is defined as the acquisition from a vendor of services, goods or facilities without the transfer of the purchasing firm's non-public proprietary or customer information [1].

The IOSCO Report makes an important distinction between core and non-core functions of a firm and describes a core function as one that is:

...critical to the ongoing viability of an entity as well as meeting its regulatory obligations to customers.

The IOSCO Report also sets out guiding principles that financial intermediaries should follow when planning and arranging for the outsourcing of both core and non-core activities, functions and/or processes (for simplicity referred to collectively as activities throughout the remainder of this guidance note). These guiding principles are included as Appendix A.

As IIROC has no current definition for the term outsourcing and wishes to focus its regulatory efforts on the outsourcing of critical or core activities, the definitions of the terms outsourcing, core and non-core, where used throughout the remainder of this notice, are the same as the definitions contained in the IOSCO Report.

2. What are the Canadian regulatory requirements relevant to outsourcing?

IIROC REQUIREMENTS

As previously mentioned, the IIROC Dealer Member Rules set out the requirements for many of the common outsourcing arrangements that are entered into by Dealer Members. These arrangements are as follows:

Back office sharing arrangements with an affiliated Canadian financial institution [Dealer Member Rule 35.1(d)]
This rule allows an affiliated Canadian financial institution to handle the clearance and settlement of trades, as well as the preparation of related books and records and the performance of related operational functions, on behalf of the Dealer Member, provided that proper segregation of the Dealer Member and Dealer Member client account assets is maintained.

Introducing broker/carrying broker arrangements [Dealer Member Rules 35.1 through 35.6]
These rules permit a dealer, the introducing broker, to outsource certain back office functions to another dealer, the carrying broker.
The rules contemplate four different types of introducing broker / carrying broker arrangements that can be entered between two IIROC Dealer Members. [2] For each permitted arrangement, the rules list the various activities that are to be carried out by the carrying broker for the introducing broker as well as activities that will continue to be carried out by the introducing broker. Consistent with other outsourcing arrangements, the introducing broker retains the responsibility for ensuring that all activities are performed properly and in compliance with relevant IIROC requirements, including those activities carried out by the carrying broker on its behalf. In addition, since the outsource services provider is another IIROC Dealer Member, the carrying broker also assumes the responsibility for ensuring that all activities it has agreed to perform on behalf of the introducing broker are performed properly and in compliance with relevant IIROC requirements. [3]

Security custody arrangements [Dealer Member Rules 17.3; 17.3A; 17.3B; through ; Form 1, General Notes and Definitions, Definition of "acceptable securities locations"; and Form 1, Statement, Line 20]
These rules require a Dealer Member to establish, maintain and comply with adequate policies and procedures for the segregation and safekeeping of client account assets. In meeting these obligations, the requirements allow the Dealer Member to outsource the security custody activity to an external custodian provided:
- the external custodian is a depository, clearing agency, financial institution, dealer or mutual fund that maintains its financial capital at or above a specific level [4]; and
- the written custodial agreement entered into with the external custodian prohibits the use of securities held in custody without Dealer Member consent and specifies that securities are to be delivered back to the Dealer Member promptly on demand [4].

Where a Dealer Member uses an external custodian, it retains the responsibility for ensuring that all custody activities are performed properly and in compliance with relevant IIROC requirements.

External portfolio management arrangements [Dealer Member Rule ]
This rule allows a Dealer Member to outsource its discretionary authority with respect to some or all of its managed accounts to an external portfolio manager, provided:
- the external portfolio manager is properly registered to provide discretionary portfolio management services; and
- the external portfolio manager is subject to conflict of interest legislation or regulations that are either equivalent to or more stringent than the IIROC requirements.

[1] Source: Principles on Outsourcing of Financial Services for Market Intermediaries, Section I Technical Committee of the International Organization of Securities Commissions (IOSCO), February

[2] The rules also include a fifth introducing broker / carrying broker arrangement that can be entered into between an IIROC Dealer Member and a foreign affiliated dealer. This arrangement may only be entered into if certain rule conditions are met and approval of the applicable District Council is obtained.

[3] For each of the four types of introducing broker / carrying broker arrangements, Dealer Member Rule 35 requires that the carrying broker treat the introduced clients in the same manner as the carrying broker's own clients, in order to ensure that the carrying broker is performing the outsourced functions in compliance with all applicable IIROC rules.

[4] The financial capital requirements to be met by the custodian and the minimum required custodial agreement terms are set out in the acceptable securities location definition set out in the General Notes and Definitions to IIROC Dealer Member Form 1.

Under such arrangements, the IIROC Dealer Member retains the responsibility for ensuring that all managed account activities are performed properly and in compliance with relevant IIROC requirements.

Other than the rules that are in place that govern these specific arrangements, there are no other IIROC rules that directly reference outsourcing arrangements.

CSA REQUIREMENTS

When National Instrument was implemented in September 2009, Part 11 of its Companion Policy introduced general principles for the establishment and maintenance of internal control systems at registrants with specific reference to the need to follow prudent business practices and to conduct a due diligence analysis when considering whether or not to outsource.

The guidance set out in the Companion Policy states that registered firms are responsible and accountable for all functions that they outsource to a service provider. Further, the functions outsourced should be set out in a written, legally binding contract between the outsourcing party and the service provider that sets out the expectations of each of the parties to the outsourcing arrangement.

The guidance also requires that registered firms conduct a due diligence analysis of prospective third-party service providers, including affiliates of the firm. This due diligence analysis should include an assessment of the service provider's reputation, financial stability, relevant internal controls and ability to deliver the services being outsourced.

The guidance also states that a registrant firm should:
- ensure that third-party service providers have adequate safeguards for keeping information confidential and, where appropriate, for recovering from a business disruption;
- conduct ongoing reviews of the quality of outsourced services;
- develop and test a business continuity plan to minimize disruption to the firm's business and its clients if the third-party service provider does not deliver the services satisfactorily; and,
- consider other legal requirements, such as privacy laws, that may apply when entering into outsourcing arrangements.

Finally, the guidance specifies that the registrant firm and its regulator and auditors should have the same access to the work product of a third-party service provider as they would if the firm itself performed the activities. Firms should ensure this access is provided and should include a provision requiring it in any contract entered into with a service provider.

3. Who is responsible for complying with IIROC rules and securities legislation requirements that relate to any activities that are outsourced?

A Dealer Member who outsources activities to an outsource service provider retains the responsibility to ensure that those activities are conducted in accordance with the requirements set out in the applicable IIROC rules and securities legislation, whether or not the outsource service provider is also a Dealer Member. To carry out this responsibility, Dealer Members must, at a minimum, supervise the activities performed on their behalf by the outsource service provider in a manner that is similar to the type of supervision that would be required if the activities were performed by the Dealer Member itself.

4. Which investment dealer activities may not be outsourced?

Since the IIROC rules do not specifically refer to outsourcing, the only IIROC rules that effectively prohibit the outsourcing of certain activities are those rules which require certain functions or activities to be performed by specific Approved Persons. Specifically, pursuant to Dealer Member Rule 1.1:

Approved Person means, in respect of a Dealer Member, an individual who is a partner, Director, Officer, employee or agent of a Dealer Member who is approved by the Corporation or another Canadian Self Regulatory Organization to perform any function required under any Rule;

Given that apart from Dealer Member partners, directors and certain officers an Approved Person of a Dealer Member must be an individual that is an employee or agent of a Dealer Member, all IIROC rules that require that a certain Approved Person perform a certain activity or function are effectively prohibiting the outsourcing of that activity or function.

The result of this restriction (i.e. who can be an Approved Person) is that the IIROC rules effectively prohibit the outsourcing of most client-facing activities of the Dealer Member (all of which would be considered to be core activities) including:
- a Registered Representative's assessment of the information collected from the client to ensure that the information is current, complete and accurate and that they comply with their know your client obligation [Dealer Member Rules 39.3; (a); 2500, Introduction; 2500, Part II and 2700, Part II];
- a Registered Representative's performance of suitability assessments [Dealer Member Rules 39.3; (p) through (s) and 2500, Introduction];
- a Designated complaints officer's oversight of the handling of client complaints [Dealer Member Rule 2500B, Section 3]; and
- Various compliance and supervision requirements, relating to client facing activities, that must be performed by Approved Persons of the Dealer Member [including Dealer Member Rules 29.7, 30.3, 30.5, 38, 39.4, , , , , , 2600, 3400 and ].

An exception to the general prohibition against the outsourcing of client-facing activities is the outsourcing of the performance of investment decision making in managed accounts. As previously mentioned, IIROC Dealer Member Rule specifically allows for the outsourcing of managed account investment decision making to an external portfolio manager hired by the Dealer Member.

5. For those investment dealer activities that may be outsourced, which activities are most important to IIROC?

Not all investment dealer activities that are eligible to be outsourced under IIROC rules are of equal importance and impact. Some activities are immaterial to the overall operations of the dealer and/or are more routine/administrative in nature than others. These activities therefore pose less risk to the Dealer Member and/or its clients.

In addition to focusing on material outsourcing arrangements, IIROC supports the approach taken in the IOSCO Report (i.e. distinguishing between the outsourcing of core and non-core activities) and intends to focus its regulatory resources on the review of material outsourcing arrangements involving core activities. To facilitate this regulatory focus, IIROC has performed a high-level analysis of Dealer Member activities and categorized these activities as either:
- core activities; or
- non-core activities.
Core activities

Core activities of a Dealer Member that are eligible to be outsourced include the following:
- the performance of certain activities that are not required in the IIROC rules to be performed by an employee or agent of a Dealer Member relating to the firm's:
  - account opening process
  - suitability assessment process
  - client complaint handling process
- the performance of investment decisions in managed accounts (as previously mentioned in section 2 above);
- the performance of certain client account-related operations activities, such as
  - the clearing and settlement of client trades
  - the administration of margin loans and other client account loans
  - the preparation of client account statements
- the preparation of regulatory financial reports
- the preparation of non-financial regulatory reports
- the performance of registration-related filing and database maintenance activities
- the performance of treasury activities
- the performance of corporate finance activities
- the preparation of research reports and marketing newsletters
- the performance of marketing activities

- the use of outside professional services relating to the business activities of the Dealer Member, such as accounting and internal audit services
- the management and maintenance of Dealer Member information systems

Where any of these activities are to be outsourced, including where activities are outsourced to another Dealer Member, consistent with the guidance set out in the Companion Policy to National Instrument :
- IIROC expects the Dealer Member to formally assess the initial and ongoing appropriateness of the outsource service provider (see section 6 of this notice for further details); and
- the Dealer Member that has outsourced specific activities retains responsibility for ensuring that the activities are performed properly and in compliance with relevant IIROC requirements.

Non-core activities

Non-core activities of the Dealer Member that are eligible to be outsourced under the applicable IIROC Dealer Member Rules, and that would not give rise to regulatory concern if they were outsourced, include the following:
- office service management activities;
- the procurement of external consultant services; and
- human resources management activities.

Similar to the outsourcing of core activities, where any of these activities are to be outsourced IIROC expects the Dealer Member to formally assess the initial and ongoing appropriateness of the outsource service provider (see section 6 of this notice for further details).

6. What should be assessed when determining whether or not to outsource a particular activity?

As discussed in section 2 above, certain IIROC Dealer Member Rules set out detailed requirements for specific outsourcing arrangements but do not set out general requirements to be met when considering whether or not to enter into an outsourcing arrangement.
On the other hand, the CSA expectations in Part 11 of the Companion Policy to National Instrument , set out general principles for the establishment and maintenance of internal control systems at registrants with specific reference to the need to follow prudent business practices and to conduct a due diligence analysis when considering whether or not to outsource.

In order to address these CSA expectations, we recommend that Dealer Members adopt formal due diligence policies and procedures relating to outsourcing arrangements. To facilitate Dealer Members' efficient assessment of individual proposed outsourcing arrangements, it would be acceptable for Dealer Members to adopt policies and procedures that acknowledge that the extent of due diligence work performed may be proportionate to the materiality and risk of the functions/activities that are proposed to be outsourced. Dealer Members are encouraged to consider and include, where appropriate, the following as part of their due diligence policies and procedures:
- A Dealer Member should have a comprehensive outsourcing policy that guides the performance of due diligence assessment(s) that will underlie decisions regarding whether, and how, certain activities can be appropriately outsourced
- As part of the comprehensive outsourcing policy, an initial assessment should be made as to whether the Dealer Member has the internal expertise that is necessary to perform the due diligence assessment(s) and, if not, the Dealer Member should identify and obtain third party expertise to perform or assist in the performance of the due diligence assessment(s)
- A Dealer Member should never enter into an outsourcing arrangement that:
  - diminishes its ability to fulfill its obligations to clients and regulators,
  - impedes effective supervision by regulators, or
  - unduly or inappropriately concentrates its outsourced activities in one or a few outsource service providers, or
  - allows the outsource services provider to, in turn, outsource some or all of the outsourced activities to a third party without the Dealer Member's knowledge and/or without retaining the responsibility for the performance of the outsourced activities
- A Dealer Member should inform IIROC of any new outsourcing arrangements involving core Dealer Member activities that are being entered into by a Dealer Member, in accordance with IIROC Rules Notice , Reporting of Changes to Business Models.
- A Dealer Member that has outsourced one or more activities should:
  - enter into written outsourcing contracts that clearly describe all material aspects of the outsourcing arrangements, including the rights, responsibilities and expectations of all parties
  - maintain a centralized list, along with copies of related agreements, of the outsource service providers to which core Dealer Member activities have been outsourced
  - establish and carry out a comprehensive outsourcing risk management program that monitors the risks associated with:
    - the outsourced activities; and
    - the outsourcing relationship entered into with the service provider.
    The risks associated with the outsourcing relationship that need to be managed by the Dealer Member include:
    - client harm risk, the risk the outsource service provider will fail to provide adequate protection and timely access to client account assets and related account records;
    - reputation risk, the risk that poor service by the outsource provider will affect the reputation of the Dealer Member;
    - compliance risk, the risk that the outsource provider will not comply with regulatory or other requirements that apply to the Dealer Member;
    - exit strategy risk, the risk that due to over-reliance on the outsource provider and a lack of relevant skills within the Dealer Member, the Dealer Member won't be able to re-assume performance of the outsourced activities or contract with another outsource provider on a timely basis;
    - access risk, the risk that the Dealer Member won't have timely access to data, records or assets; and
    - individual firm concentration risk, the risk that the Dealer Member has a significant exposure to the outsource provider, because of the number and/or the materiality of the activities that have been outsourced to that provider
    See Appendix B for a more complete list of the key risks associated with outsourcing and the major concerns associated with these risks.
  - perform outsourcing agreement reviews to ensure that the outsourced activities covered by each outsourcing agreement are being performed in accordance with the agreement service level requirements without exposing the Dealer Member to undue risk
  - determine the timing and frequency of the outsourcing agreement reviews by establishing and maintaining a risk-based outsourcing agreement review schedule
  - where practical and/or available (such as special purpose reports regularly prepared by external auditors for outsource service providers [5]), obtain and provide to IIROC a report on the adequacy of internal controls for each outsource arrangement relating to a core Dealer Member activity; and
  - include as part of its business continuity planning, plans that address the scenario where one or more major outsource service providers undergo a business disruption.

7. Are outsourcing arrangements involving affiliates subject to this guidance?

The guidance set out in this notice covers both arm's length and non-arm's length outsourcing arrangements. In addition, in the case of non-arm's length outsourcing arrangements, such as arrangements involving affiliates, Dealer Members should be mindful of the access risk that flows from the affiliated nature of the parties. Specifically, Dealer Members should consider ensuring that the outsourcing arrangement with an affiliate includes procedures designed to limit the access and control that affiliate employees, as well as Dealer Member employees who are dually employed by the affiliate, may have over Dealer Member and Dealer Member client account data, records and assets. Without such procedures in place, employees acting in the best interests of their affiliate employer may be able to make material changes to Dealer Member data and records or move Dealer Member and/or Dealer Member client account assets without considering or acting in the best interests of the Dealer Member and its clients.

[5] Reports such as the CICA 5970 (now changed to CSAE 3416) report or the SAS 70 (now changed to SSAE 16) report provide assurance that the service provider's system of internal controls is adequate and may reduce or eliminate the need for the Dealer Member to do its own assessment of the service provider's system of internal controls during its due diligence analysis of a proposed outsourcing arrangement.

Appendix A

Excerpts from report entitled Principles on Outsourcing of Financial Services for Market Intermediaries issued by the IOSCO Technical Committee Standing Committee on the Regulation of Market Intermediaries (SC3) in February

III. Outsourcing Principles

Topic 1: Due diligence in selection and monitoring of service provider and service provider's performance

Principle: An outsourcing firm should conduct suitable due diligence processes in selecting an appropriate third party service provider and in monitoring its ongoing performance.

...

Means for Implementation

It is expected that outsourcing firms will implement appropriate means, such as the following, for ensuring that they select suitable service providers and that service providers are appropriately monitored, having regard to the services they provide:
- Documenting processes and procedures that enable the outsourcing firm to assess, prior to selection, the third party service provider's ability and capacity to perform the outsourced activities effectively, reliably, and to a high standard, including the service provider's technical, financial and human resources capacity, together with any potential risk factors associated with using a particular service provider.
- Documenting processes and procedures that enable the outsourcing firm to monitor the third party service provider's performance and compliance with its contractual obligations, including processes and procedures that:
  - Clearly define metrics that will measure the service level, and specify what service levels are required; and
  - Establish measures to identify and report instances of non-compliance or unsatisfactory performance to the outsourcing firm as well as the ability to assess the quality of services performed by the service provider on a regular basis (see also topic 2).
- Implementing processes and procedures designed to help ensure that the service provider is in compliance with applicable laws and regulatory requirements in its jurisdiction, and that where there is a failure to perform duties required by statute or regulations, the outsourcing firm, to the extent required by law or regulation, reports the failure to its regulator and/or self-regulatory organization and takes corrective actions. [6] For example, procedures may include:
  - The use of service delivery reports and the use of internal and external auditors to monitor, assess, and report to the outsourcing firm on performance;
  - The use of written service level agreements or the inclusion of specific service level provisions in contracts for service to achieve clarity of performance targets and measurements for third party service providers.
- With respect to outsourcing on a cross-border basis, in determining whether the use of a foreign service provider is appropriate, the outsourcing firm may, with respect to a function that is material to the firm, need to conduct enhanced due diligence that focuses on special compliance risks, including the ability to effectively monitor the foreign service provider, the ability to maintain the confidentiality of firm and customer information; and the ability to execute contingency plans and exit strategies where the service is being performed on a cross-border basis.

[6] Such a requirement is consistent with regulations in many IOSCO jurisdictions requiring that a firm notify its regulator with respect to any breaches of law that may have occurred.

Topic 2: The contract with a service provider

Principle: There should be a legally binding written contract between the outsourcing firm and each third party service provider, the nature and detail of which should be appropriate to the materiality of the outsourced activity to the ongoing business of the outsourcing firm.

...

Means for Implementation

An outsourcing firm is expected to have a written, legally binding contract between itself and the third party service provider, appropriate to the materiality of the outsourced activity to the ongoing business of the firm.
The contract may include, as applicable, provisions dealing with:
- Limitations or conditions, if any, on the service provider's ability to subcontract, and, to the extent subcontracting is permitted, obligations, if any, in connection therewith;
- Firm and client confidentiality (see also topic 4);
- Defining the responsibilities of the outsourcing firm and the responsibilities of the service provider and subcontractors, if any, and how such responsibilities will be monitored;
- Responsibilities relating to IT security (see also topic 3);
- Payment arrangements;
- Liability of the service provider to the outsourcing firm for unsatisfactory performance or other breach of the agreement;
- Guarantees and indemnities;
- Obligation of the service provider to provide, upon request, records, information and/or assistance concerning outsourced activities to the outsourcing firm, its auditors and/or its regulators (see topic 7);

- Mechanisms to resolve disputes that might arise under the outsourcing arrangement;
- Business continuity provisions (see topic 3);
- With respect to outsourcing on a cross-border basis, choice of law provisions;
- Termination of the contract, transfer of information and exit strategies (see also topic 6).

Topic 3: Information Technology Security and Business Continuity at the Outsourcing Firm

Principle: The outsourcing firm should take appropriate measures to determine that:
(a) Procedures are in place to protect the outsourcing firm's proprietary and customer-related information and software; and
(b) Its service providers establish and maintain emergency procedures and a plan for disaster recovery, with periodic testing of backup facilities.

...

Means for Implementation

Outsourcing firms are expected to take appropriate steps to require, in appropriate cases based on the materiality of the function that is being outsourced, that service providers have in place a comprehensive IT security program. These steps may include:
- Specification of the security requirements of automated systems to be used by the service provider, including the technical and organizational measures that will be taken to protect firm and customer-related data. Appropriate care should be exercised to ensure that IT security protects the privacy of the outsourcing firm's customers as mandated by law;
- Requirements that the service provider maintain appropriate measures to ensure security of both the outsourcing firm's software as well as any software developed by the service provider for the use of the outsourcing firm;
- Specification of the rights of each party to change or require changes to security procedures and requirements and of the circumstances under which such changes might occur;
- Provisions that address the service provider's emergency procedures and disaster recovery and contingency plans as well as any particular issues that may need to be addressed where the outsourcing firm is utilizing a foreign service provider. Where relevant, this may include the service provider's responsibility for backing up and otherwise protecting program and data files, as well as regulatory reporting;
- Where appropriate, terms and conditions relevant to the use of subcontractors with respect to IT security, and appropriate steps to minimize the risks arising out of such subcontracting;

- Where appropriate, requirement of testing by the service provider of critical systems and back-up facilities on a periodic basis in order to review the ability of the service providers to perform adequately even under unusual physical and/or market conditions at the outsourcing firm, the service provider, or both, and to determine whether sufficient capacity exists under all relevant conditions;
- Requirement of disclosure by the service provider of breaches in security resulting in unauthorized intrusions (whether deliberate or accidental, and whether confirmed or not) that may affect the outsourcing firm or its customers, including a report of corrective action taken; and
- Provisions in the outsourcing firm's own contingency plans that address circumstances in which one or more of its service providers fail to adequately perform their contractual obligations. Where relevant, this may include reporting by the outsourcing firm to its regulator. The outsourcing firm may need to require contractually information from the service provider to fulfill this obligation.

Topic 4: Client Confidentiality Issues

Principle: The outsourcing firm should take appropriate steps to require that service providers protect confidential information regarding the outsourcing firm's proprietary and other information, as well as the outsourcing firm's clients from intentional or inadvertent disclosure to unauthorized individuals.
...

Means for Implementation

Regulated firms that engage in outsourcing are expected to take appropriate steps to confirm that confidential firm and customer information is not misused or misappropriated. Such steps may include insertion of provisions in the contract with the service provider that:
- Prohibit the service provider and its agents from using or disclosing the outsourcing firm's proprietary information or that of the firm's customers, except as necessary to provide the contracted services; and
- Where appropriate, including terms and conditions relevant to govern the use of subcontractors with respect to firm and client confidentiality.

Outsourcing firms should also consider whether it is appropriate to notify customers that customer data may be transmitted to a service provider, taking into account any regulatory or statutory provisions that may be applicable.

Regulators should seek to become aware of whether outsourcing firms within their jurisdiction are taking appropriate steps to monitor their relationships with service providers with respect to the protection of confidential firm and customer information.

Topic 5: Concentration of Outsourcing Functions

Principle: Regulators should be cognizant of the risks posed where one service provider provides outsourcing services to multiple regulated entities.
...

Means for Implementation

Regulators should consider the following means for addressing concentration risk:
- Taking steps to become aware of cases where a significant proportion of their regulated entities rely upon a single service provider to provide critical functions. This could include, where appropriate, a monitoring program and/or a risk assessment methodology, and the collection of routine information on outsourcing arrangements from outsourcing firms and/or service providers. In this regard, regulators should be cognizant of the potential that subcontracting by service providers of a particular function may itself result in concentration risk;
- Tailoring their examination programs or related activities in light of concentrations of outsourcing activity.

Where a regulator has identified a possible concentration risk issue, outsourcing firms should consider taking steps to ensure, to the degree practicable, that the service provider has adequate capacity to meet the needs of all outsourcing firms, both during normal operations as well as unusual circumstances (e.g., unusual market activity, physical disaster).

Topic 6: Termination Procedures

Principle: Outsourcing with third party service providers should include contractual provisions relating to termination of the contract and appropriate exit strategies.
...

Means for Implementation:

Outsourcing firms are expected to take appropriate steps to manage termination of outsourcing arrangements. These steps may include provisions in contracts with service providers such as the following:
- Termination rights, e.g., in case of insolvency, liquidation or receivership, change in ownership, failure to comply with regulatory requirements, or poor performance;
- Minimum periods before an announced termination can take effect to allow an orderly transition to another provider or to the firm itself, and to provide for the return of customer-related data, and any other resources;
- The clear delineation of ownership of intellectual property following the contract's termination, and specifications relating to the transfer of information back to the outsourcing firm.

Topic 7. Regulator's and Intermediary's Access to Books and Records, Including Rights of Inspection.

Principle: The regulator, the outsourcing firm, and its auditors should have access to the books and records of service providers relating to the outsourced activities and the regulator should be able to obtain promptly, upon request, information concerning activities that are relevant to regulatory oversight.
...

Means for Implementation:

Outsourcing firms are expected to take steps to ensure that they and their regulators have access to books and records of service providers concerning outsourced activities, and that their regulators have the right to obtain, upon request, information concerning the outsourced activities. These steps may include the following:
- Contractual provisions by which the outsourcing firm (including its auditor) has access to, and a right of inspection of, the service provider's books and records dealing with outsourced activities, and similar access to the books and records of any subcontractor. Where appropriate, these may include physical inspections at the premises of the service provider, delivery of books and records or copies of books and records to the outsourcing firm or its auditor, or inspections that utilize electronic technology (i.e., "virtual inspections");
- Contractual provisions by which the service provider is required to make books, records, and other information about regulated activities by the service provider available to the regulator upon request and, in addition, to comply with any requirements in the outsourcing firm's jurisdiction to provide periodic reports to the regulator.

Regulators should consider implementation of appropriate measures designed to support access to books, records and information of the service provider about the performance of regulated activities. These measures may include:
- Where appropriate, taking action against outsourcing firms for the failure to provide books and records required in that jurisdiction, without regard to whether the regulated entity has transferred possession of required books and records to one or more of its service providers;
- Imposing specific requirements concerning access to books and records that are held by a service provider and which are necessary for the authority to perform its oversight and supervisory functions with respect to regulated entities in its jurisdiction. These may possibly include requiring that records be maintained in the regulator's jurisdiction, allowing for a right of inspection, or requiring that the service provider agree to send originals or copies of the books and records to the regulator's jurisdiction upon request.

Appendix B

Key Risks of Outsourcing

While the outsourcing of certain activities can be beneficial to a financial services organization, outsourcing can give rise to risks which need to be managed effectively.

Risk / Major Concerns

Client harm risk: Inadequate third-party outsource service provider controls to ensure adequate protection and timely client access to their account assets and related account records.

Strategic risk: The third-party outsource service provider may conduct activities on its own behalf which are inconsistent with the overall strategic goals of the regulated entity. Failure to implement appropriate oversight of the outsource service provider. Failure to maintain adequate in-house expertise to oversee the outsource service provider.

Reputation risk: Poor service from third-party outsource service provider. Customer interaction is not consistent with overall standards of the regulated entity. Third-party outsource service provider practices are not in line with stated practices (ethical or otherwise) of regulated entity.

Compliance risk: Privacy laws are not complied with. Consumer and prudential laws not adequately complied with. Outsource service provider has inadequate compliance systems and controls.

Operational risk: Technology failure. Inadequate financial capacity to fulfill obligations and/or provide remedies. Inadequate internal controls leading to undetected errors or fraud. Difficult/costly for firm to undertake inspections of the outsource service provider's operations.

Exit strategy risk: The risk that appropriate exit strategies are not in place. This could arise from overreliance on one firm, the loss of relevant skills in the institution itself preventing it from bringing the activity back in-house, and contracts which make a timely exit prohibitively expensive. Limited ability to return services to firm due to lack of staff or loss of institutional knowledge.

Counterparty risk: Inappropriate underwriting or credit assessments. Quality of receivables may diminish.

Country risk: Political, social and legal climate may create added risk. Business continuity planning is more complex.

Contractual risk: Ability to enforce contract. For off shore outsourcing arrangements, choice of law is important.

Access risk: Outsourcing arrangement hinders ability of regulated entity to provide timely data and other information to regulators. Additional layer of difficulty in regulator understanding activities of the outsource provider.

Individual firm concentration risk: The firm has significant exposure to the third-party outsource service provider, because of the number and/or the materiality of the activities that have been outsourced to that provider.

Industry concentration and systemic risk: The industry, as a whole, has significant exposure to the outsource provider. This concentration risk has a number of facets, including:
- Lack of control, by individual firms, over provider; and
- Systemic risk to industry as a whole.


More information

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337 HIPAA Cmpliance 101 Imprtant Terms Cvered Entities (CAs) The HIPAA Privacy Rule refers t three specific grups as cvered entities, including health plans, healthcare clearinghuses, and health care prviders

More information

Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

Communicating Deficiencies in Internal Control to Those Charged with Governance and Management Internatinal Auditing and Assurance Standards Bard ISA 265 April 2009 Internatinal Standard n Auditing Cmmunicating Deficiencies in Internal Cntrl t Thse Charged with Gvernance and Management Internatinal

More information

Process for Responding to Privacy Breaches

Process for Responding to Privacy Breaches Prcess fr Respnding t Privacy Breaches 1. Purpse 1.1 This dcument sets ut the steps that ministries must fllw when respnding t a privacy breach. It must be read in cnjunctin with the Infrmatin Incident

More information

Risk Management Policy AGL Energy Limited

Risk Management Policy AGL Energy Limited Risk Management Plicy AGL Energy Limited AUGUST 2014 Table f Cntents 1. Abut this Dcument... 2 2. Plicy Statement... 2 3. Purpse... 2 4. AGL Risk Cntext... 3 5. Scpe... 3 6. Objectives... 3 7. Accuntabilities...

More information

Data Protection Policy & Procedure

Data Protection Policy & Procedure Data Prtectin Plicy & Prcedure Page 1 Prcnnect Marketing Data Prtectin Plicy V1.2 Data prtectin plicy Cntext and verview Key details Plicy prepared by: Adam Haycck Apprved by bard / management n: 01/01/2015

More information

Supersedes: DPS Policy 10.09 - Internet and Use Of The DPSnet, July 14, 2000 Effective: February 15, 2005 Pages: 1 of 5

Supersedes: DPS Policy 10.09 - Internet and Use Of The DPSnet, July 14, 2000 Effective: February 15, 2005 Pages: 1 of 5 Plicy: 13.01 SUBJECT: INTERNET USAGE Supersedes: DPS Plicy 10.09 - Internet and Use Of The DPSnet, July 14, 2000 Effective: February 15, 2005 Pages: 1 f 5 1.0 POLICY PURPOSE Detrit Public Schls (DPS) Internet

More information

UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES

UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES REFERENCES AND RELATED POLICIES A. UC PPSM 2 -Definitin f Terms B. UC PPSM 12 -Nndiscriminatin in Emplyment C. UC PPSM 14 -Affirmative

More information

FINANCIAL OPTIONS. 2. For non-insured patients, payment is due on the day of service.

FINANCIAL OPTIONS. 2. For non-insured patients, payment is due on the day of service. FINANCIAL OPTIONS 1. Fr thse patients wh carry dental insurance, all c-payments are due n date f service. We will file yur claim as a service t yu, and will d ur very best t maximize yur benefits. We accept

More information

Plus500CY Ltd. Statement on Privacy and Cookie Policy

Plus500CY Ltd. Statement on Privacy and Cookie Policy Plus500CY Ltd. Statement n Privacy and Ckie Plicy Statement n Privacy and Ckie Plicy This website is perated by Plus500CY Ltd. ("we, us r ur"). It is ur plicy t respect the cnfidentiality f infrmatin and

More information

- Upfront fee of $ + GST - Ongoing fee commencing immediately after plan implementation of $20.00 + GST per fortnight.

- Upfront fee of $ + GST - Ongoing fee commencing immediately after plan implementation of $20.00 + GST per fortnight. Cntract f engagement This cntract f engagement is between FSB 4 Financial Limited (the adviser) and (the client). Purpse This cntract establishes the relatinship between the adviser and the client relating

More information

Wire Transfer Request

Wire Transfer Request Wire Transfer Request Requirements and Instructins OFFICE OF DISBURSEMENTS Categry: Dcument Name: Payment Prcessing Wire Transfer Request - Requirements and Instructins Respnsible Department: Office f

More information

BIBH Duty Statements and Governance chart reviewed and approved April 2014. BIBH Executive Governance & Management Arrangements

BIBH Duty Statements and Governance chart reviewed and approved April 2014. BIBH Executive Governance & Management Arrangements BIBH Duty Statements and Gvernance chart reviewed and apprved April 2014 BIBH Executive Gvernance & Management Arrangements BIBH COMMITTEE CEO - Paul O Cnnell Executive Secretary - Brian Firth Executive

More information

How To Ensure Your Health Care Is Safe

How To Ensure Your Health Care Is Safe Guidelines fr Custdians t assess cmpliance with the Persnal Health Infrmatin Privacy and Access Act (PHIPAA) This dcument is designed t help custdians evaluate readiness fr cmpliance with PHIPAA and t

More information

Systems Support - Extended

Systems Support - Extended 1 General Overview This is a Service Level Agreement ( SLA ) between and the Enterprise Windws Services t dcument: The technlgy services the Enterprise Windws Services prvides t the custmer. The targets

More information

Third Party Originator Application

Third Party Originator Application Third Party Originatr Applicatin Applicant Infrmatin Third Party Name: Primary Address: City: State: Zip Cde: Primary Cntact: Telephne Number: Email Address: Fax Number: Website Address: Branch Lcatins

More information

Template on written coordination and cooperation arrangements of the supervisory college established for the <XY> Group/<A> Institution

Template on written coordination and cooperation arrangements of the supervisory college established for the <XY> Group/<A> Institution COORDINATION AND COOPERATION ARRANGEMENTS EBA/RTS/2014/16 EBA/ITS/2014/07 Annex II Template n written crdinatin and cperatin arrangements f the supervisry cllege established fr the Grup/ Institutin

More information

Executive Summary. ERISA allows for the Delegation of Fiduciary Responsibility to independent investment professionals. www.theadvisorlab.com.

Executive Summary. ERISA allows for the Delegation of Fiduciary Responsibility to independent investment professionals. www.theadvisorlab.com. Page 2 ERISA allws fr the Delegatin f Fiduciary Respnsibility t independent investment prfessinals. Executive Summary Many wners/executives f businesses that spnsr 401(k) plans dn t have the faintest idea

More information

australian nursing federation

australian nursing federation australian nursing federatin Submissin t the public cnsultatin n the Nursing and Midwifery Bard f Australia draft Guidelines fr prfessinal indemnity insurance arrangements fr nurses and nurse practitiners

More information

Draft for consultation

Draft for consultation Draft fr cnsultatin Draft Cde f Practice n discipline and grievance May 2008 Further infrmatin is available frm www.acas.rg.uk CONSULTATION ON REVISED ACAS CODE OF PRACTICE ON DISCIPLINE AND GRIEVANCE

More information

MAYFAIR INSURANCE & MORTGAGE CONSULTANTS LTD 11 Lurke Street, Bedford MK40 3HZ Telephone: 01234 242900

MAYFAIR INSURANCE & MORTGAGE CONSULTANTS LTD 11 Lurke Street, Bedford MK40 3HZ Telephone: 01234 242900 MAYFAIR INSURANCE & MORTGAGE CONSULTANTS LTD 11 Lurke Street, Bedfrd MK40 3HZ Telephne: 01234 242900 Please read this dcument carefully as it sets ut the terms n which we agree t act fr ur clients and

More information

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. Statement of Thomas F. O Brien. Vice President & Chief Information Officer

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. Statement of Thomas F. O Brien. Vice President & Chief Information Officer UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Revised Critical Infrastructure Prtectin Reliability Standards Dcket N. RM15-14-000 Statement f Thmas F. O Brien Vice President & Chief Infrmatin

More information

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Department f Health and Human Services OFFICE OF INSPECTOR GENERAL PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Inquiries abut this reprt may be addressed t the Office f Public Affairs

More information

Directors' And Officers' Liability

Directors' And Officers' Liability Directrs' And Officers' Liability (Last Revised January, 2005) The fllwing is intended fr general infrmatin nly, regarding sme f the issues relating t purchasing a business in Saskatchewan. We advise yu

More information

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released Page 1 f 6 Vice President, Infrmatics and Transfrmatin Supprt APPROVED (S) REVISED / REVIEWED SUMMARY Versin Date Cmments / Changes 1.0 Initial Plicy Released INTENT / PURPOSE The Infrmatin and Data Gvernance

More information

Information Security Policy

Information Security Policy Purpse The risk t Charlestn Suthern University, its emplyees and students frm data lss and identity theft is f significant cncern t the University and can be reduced nly thrugh the cmbined effrts f every

More information

Financial Accountability Handbook

Financial Accountability Handbook Financial Accuntability Handbk >> Vlume 5 Reprting Systems Infrmatin Sheet 5.2 Preparatin f Financial Statements Intrductin The Financial Accuntability Act 2009 (the Act) and the Financial and Perfrmance

More information

Privacy Breach and Complaint Protocol

Privacy Breach and Complaint Protocol Privacy Breach and Cmplaint Prtcl Effective: December 31, 2012 Apprved by: Le McKenna, CFO 1.0 General Privacy breaches and privacy cmplaints will be handled in accrdance with this prtcl. This prtcl is

More information

ISO Management Systems. Guidance on understanding the benefits of an ISO Management System

ISO Management Systems. Guidance on understanding the benefits of an ISO Management System ISO Management Systems Guidance n understanding the benefits f an ISO Management System Welcme & Intrductins 4031 University Drive, 206, Fairfax, VA 22030 3 Grant Square, 243, Hinsdale, IL 60521 www.radiancmpliance.cm

More information

Appendix H. Annual Risk Assessment and Audit Plan 2013/14

Appendix H. Annual Risk Assessment and Audit Plan 2013/14 Annual Risk Assessment and Audit Plan 2013/14 Internal Audit Department September 25, 2013 Table f Cntents Intrductin.. 3 Risk Assessment Prcess... 4 Page 2 Intrductin Each year, the Internal Audit Department

More information

Notice of Protection Provided by Utah Life and Health Insurance Guaranty Association

Notice of Protection Provided by Utah Life and Health Insurance Guaranty Association Ntice f Prtectin Prvided by Utah Life and Health Insurance Guaranty Assciatin This ntice prvides a brief summary f the Utah Life and Health Insurance Guaranty Assciatin ("the Assciatin") and the prtectin

More information

Purchasing Policy Checklist for Procurement with Federal Grants Eileen Youens, JD

Purchasing Policy Checklist for Procurement with Federal Grants Eileen Youens, JD Purchasing Plicy Checklist fr Prcurement with Federal Grants Eileen Yuens, JD T cmply with the Unifrm Administrative Requirements, Cst Principles, and Audit Requirements fr Financial Awards (the Super

More information