PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS

Transcription

1 SUPERVISORY AND REGULATORY GUIDE: APPLICABLE LEGISLATION: OUTSOURCING OF MATERIAL FUNCTIONS SIA, 2011; IFA, 2003; FCSPA, ISSUED: 15 MAY 2012 LAST AMENDED: REFERENCE NUMBER: 31 DECEMBER SPG SECURITIES COMMISSION OF THE BAHAMAS POSITION FOR THE OUTSOURCING OF MATERIAL FUNCTIONS THIS PAPER IS THE COMMISSION S FINAL POSITION ON THE OUTSOURCING OF MATERIAL FUNCTIONS, TAKING INTO ACCOUNT COMMENTS RECEIVED FROM CONSULTATION WITH THE INDUSTRY. THE FINAL GUIDELINE WILL BE DRAFTED TO REFLECT THE POSITIONS DESCRIBED IN THIS PAPER.

2 TABLE OF CONTENTS I. INTRODUCTION... 3 II. PURPOSE... 3 III. APPLICABILITY... 3 IV. EXECUTIVE SUMMARY... 4 V. GENERAL GUIDELINES ON OUTSOURCING FOR REGISTRANTS... 5 VI. OUTSOURSING OF MATERIAL ACTIVITIES WITH REGARDS TO INVESTMENT FUNDS ADMINISTRATORS AND SENIOR MANAGEMENT...11 VII. OFFSHORE OUTSOURCING...11 VIII. THE OUTSOURCING AGREEMENT...12 X. BIBLIOGRAPHY REFERENCES...14 ANNEX I...15 ANNEX II...17 ANNEX III...19 ANNEX IV P age

3 I. INTRODUCTION The Securities Commission of The Bahamas ( the Commission ) is responsible for the administration of the Securities Industry Act, 2011 (SIA, 2011) and the Investment Funds Act, 2003 (IFA, 2003), pursuant to which it supervises and regulates the activities of the investment funds, securities and capital markets. The Commission, having been appointed Inspector of Financial and Corporate Service Providers January 1, 2008, is also responsible for administering the Financial and Corporate Service Providers Act, 2000 (FCSPA 2000). The Commission s mandate is to advise the Minister on all matters relating to the capital markets and its participants; maintain surveillance over the capital markets and ensure orderly, fair and equitable dealings in securities; foster timely, accurate, fair and efficient disclosure of information to the investing public and the capital markets; protect the integrity of the capital markets against any abuses arising from financial crime, market misconduct and other unfair and improper practices; promote an understanding by the public of the capital markets and its participants and the benefits, risks, and liabilities associated with investing; create and promote conditions that facilitate the orderly development of the capital markets; and perform any other function conferred or imposed on it by securities laws or Parliament. II. PURPOSE These guidelines will outline the minimum standards and principals that registrants/licensees are required to follow in relation to outsourcing and identify the major issues to be considered and the obligations of supervised entities when entering into outsourcing agreements. III. APPLICABILITY Pursuant to Regulation 44 all entities registered/licensed under Part V & VI of the SIA 2011, the IFA 2003 and the FCSPA 2000 and Public Issuers (hereafter defined as supervised entities 1 ) should give notice to the Commission of its intent to enter into an outsourced arrangement and ensure that such arrangement complies with the standards detailed in the guideline. An entity seeking to apply this guideline should seek clarification from the Commission on any of the requirements. These guidelines apply to all material outsourcing arrangements. Supervised entities should review all outsourced arrangements that pre-existed the guideline to assess compliance with the standards. Where deficiencies are observed, supervised entities should immediately seek to rectify those deficiencies. Where the required changes cannot be made until the next contract 1 Supervised entities are defined as Persons registered or licensed under the SIA, 2011, the IFA, 2003, the FCSPA, 2000 and public issuers 3 P age

4 period, the Commission expects that the supervised entities would have in place measures to mitigate against any potential risks. The firms should have in place an Action Plan identifying those steps that will be taken to address all deficiencies and the timing of such actions. Such a plan should be submitted to the Commission within one month of the issuance of this guideline for any existing arrangements with deficiencies and every time a deficiency is identified following a review (internal or external reviews.) Additionally, supervised entities should, within (6) six months of the issuance of this guideline, ensure that a notice of all material outsourcing arrangements is submitted to the Commission. For the purpose of this guideline, a material function will be defined as a function that has the potential to have a critical impact both qualitative and quantitative on a significant line of business of the registrant. Section VIII of this guideline sets out the assessment methodology for materiality. Applicants who may be uncertain as to whether a business activity that is to be outsourced would be regarded as material for the purposes of these guidelines should seek direction from the Commission. IV. EXECUTIVE SUMMARY Outsourcing is a significant component of the management of business by modern companies as it facilitates the rationalization of resources, people, material and funds. Registrants may seek to outsource functions so as to reduce costs, improve the quality of service to its clients, or centralize activities. However, it is important to ensure that the delegation of functions does not reduce the protection available to investors, or result in or cause non-compliance with the legislation and regulatory requirements. The management of outsourcing has been a concern for many regional and international jurisdictions, resulting in the development of rules by the various regulators to govern this area. The International Organization of Securities Commissions (IOSCO) released principles to guide the management of outsourcing. These principles emphasize: conducting due diligence when selecting service providers and monitoring their performance; having a contract with the service provider; ensuring that service providers have adequate business continuity plans; specifying requirements for the security and confidentiality of information; ensuring termination provisions are in place; and ensuring that there is access to the books and records by the regulators and the client. These proposed Outsourcing Guidelines are in compliance with IOSCO Principals and have also been adapted by other international and regional jurisdictions. A review of (10) ten 4 P age

5 international and regional jurisdictions 2 revealed that outsourced arrangements are managed in many different ways. Most jurisdictions required outsourcing arrangements to be subject to the fit and proper requirements and an assessment of the service provider s ability and willingness to perform the outsourced functions. Outsourcing arrangements are also permitted under their general rules that govern the initial authorization of the market and require the institution to seek specific regulatory approval before a function can be outsourced. V. GENERAL GUIDELINES ON OUTSOURCING FOR REGISTRANTS (1) What can be outsourced - Outsourcing arrangements must be limited to activities that are considered material or core to the business of the market. In addition to considering the materiality of the outsourcing arrangement to the market's core business, it has been identified, that among others, the following factors should be considered when assessing outsourcing arrangements: potential risks to the regulatory objectives of maintaining fair, orderly and transparent markets; potential impact on price formation; potential negative impacts on investor protection; and potential threats to the jurisdiction s clearance and settlement system. This assessment should be used to protect the interests of clients and to ensure that operational procedures and controls are in line with the supervised entity s day-to-day operation. (2) Confidentiality - The supervised entity should take appropriate steps to ensure that service providers protect confidential information regarding the firm s proprietary and other information, as well as their clients or investors from intentional or inadvertent disclosure to unauthorized individuals. To facilitate this: Supervised entities must take appropriate steps to confirm that confidential firm information is not misused or misappropriated. Provisions should be made in the contract to prohibit the outsourcing service provider and any subcontracted providers from using or disclosing the outsourcing firm s proprietary information, except as necessary to provide the contracted services. Supervised entities should have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information. 2 Australia, Barbados, Canada, Hong Kong, India, Jamaica, Malaysia, Singapore, the United Kingdom, and the United States 5 P age

6 Supervised entities should not undertake outsourcing arrangements that may result in the disclosure of client information to the service provider or any subcontracted provider without the prior consent of the client. Supervised entities should consider whether it is appropriate to notify customers that customer data may be transmitted to a service provider or a subcontracted provider, taking into account any regulatory or statutory provisions that may be applicable. Where supervised entities choose not to inform customers, supervised entities must be prepared to accept all resulting liability issues. (3) Governance - The ultimate responsibility and accountability for the proper management of the outsourced function and the associated risks of outsourcing remains with the supervised entities. The Board and senior management should ensure that there is an appropriate risk management framework for the management of outsourcing arrangements. Outsourcing cannot transfer the risks to the service provider and as such, firms should ensure that all risks associated with the activity are managed to the same extent that would be required if the activity was conducted in-house: The Board of Directors or delegated committee should; Review and approve the policies governing outsourcing and review compliance against the policies on a regular basis; Approve all material outsourcing arrangements; Ensure that outsourcing arrangements are included in the scope of work of the audit function. Auditors should regularly review and report on compliance of the arrangement with applicable terms and conditions of the outsourcing agreement. All outsourcing arrangements must comply with all statutory requirements inter alia, requirements on anti-money laundering, and record keeping. A statement to this effect should be included in the Annual Update. Supervised entities must be prepared to resume direct control of the outsourced activity or have suitable conditions in place to accommodate such activity once it can no longer be outsourced. The supervised entity should have policies and procedures in place to address the additional risks arising from outsourcing a business activity. When a material outsourcing arrangement results in services being provided outside The Bahamas, supervised entities must address additional concerns linked to the economic and political environment, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s), if any. 6 P age

7 A centralized list of all material outsourcing arrangements should be maintained. This list should contain relevant information namely, the name of the service provider, the location where the services are being provided, the expiry or renewal date of the contract or outsourcing agreement and the value of the contract or outsourcing agreement. The list should be updated when agreements are being amended, renewed, or terminated and should be a part of the senior management s report. (4) Due Diligence - The Commission recognises that the level of due diligence conducted will vary depending on the prospective outsourcing partner, 3 thus supervised entities should conduct appropriate due diligence in selecting their service providers. When renewing a contract or outsourcing arrangement, supervised entities need to ensure that the outsourced firm has the ability, capacity and authorization required by law to perform the outsourced activities reliably and professionally. The due diligence process should include, (but is not limited to) an assessment of the following: financial soundness to perform the outsourcing assignment; technical competence of the service provider to deliver the required services; service provider s internal control, reporting and monitoring environment; business reputation, complaints, and pending litigation; business continuity arrangements and contingency plans; reliance on and success in dealing with subcontractors; insurance coverage; business objectives; and human resource policies, service philosophies, business culture, and how they fit with those of the registrant. Due diligence undertaken during the selection process should be documented and reperformed periodically as part of the monitoring and control processes of outsourcing. The due diligence process can vary depending on the nature of the outsourcing arrangement (e.g. Reduced due diligence may be sufficient where no developments or changes have arisen to affect an existing outsourcing arrangement or where the outsourcing is to a member of the group). A supervised entity should ensure that the information used for due diligence evaluation is current and should not be more than twelve (12) months old. Where the proposal to outsource to a third party (i.e. to an entity not affiliated or related to the supervised entity) the third party should be an entity in a jurisdiction acceptable to the Commission. It is expected that the due diligence conducted on the third party will include an assessment to ensure that the third party meets the fit and proper criteria that is applied by the Commission to the supervised entity. It is the role of the compliance department or a compliance officer, and internal auditor, to ensure that the 3 It follows therefore that a reduced level of due diligence may be appropriate if the prospective outsourcing partner is an entity affiliated or related to the licensee. 7 Page

8 activities undertaken by third party providers, adheres to the regulated firm s outsourcing policy. The due diligence process should have a clearly defined metrics, that will specify what the service level standards are, measure the service level against these standards and specify what service levels are required. There should also be a mechanism to identify and report instances of non-compliance or unsatisfactory performance to the outsourcing firm as well as the ability to assess the quality of services performed by the service provider on a regular basis. In assessing the effectiveness of the service provider the supervised entity should consider: the impact of the outsourcing arrangement on the finances, reputation and operations of the firm; its ability to maintain important controls and meet supervisory regulatory requirements; the cost of outsourcing the service; and the degree of difficulty and time required to find an alternative service provider or return the outsourced activity in-house. (See XIII Annex III for additional information for conformity to IOCSO s Principles on outsourcing of financial services for market intermediaries) (5) Anti-Money Laundering Requirements Supervised entities must satisfy the Commission that outsourcing arrangements will not violate any statutory/prudential requirements on antimoney laundering or record keeping procedures. (6) Business Contingency and Continuity Arrangements - The supervised entity and its outsourced service providers should establish and maintain contingency and continuity plans. These plans should include disaster recovery and periodic testing of back-up facilities. Where a material function is outsourced, the supervised entity should ensure that its business continuity arrangements address foreseeable situations (either temporary or permanent) when the arrangement is suddenly terminated or when the service provider is unable to fulfill its obligations under the outsourcing agreement for any reason. In particular, a supervised entity should make provision in its business continuity arrangements for the retention of information 4, ready access to all records necessary to allow it to sustain business operations, meet its statutory obligations, and provide such information as may be required by the Commission, to exercise its regulatory powers or perform its supervisory functions. (See XIII Annex III for additional information for conformity to IOCSO s Principles on outsourcing of financial services for market intermediaries.) 4 SIR Sec 20 Records location and retention requirement 8 P age

9 (7) Termination and Exit Management Supervised entities should have a termination and exit management process in place in the event that an outsourced function is discontinued. Supervised entities are expected to take appropriate steps to manage all termination of outsourcing arrangements. These should include exit strategies to allow transfer of service, client data, and any other resources to another service provider or to the supervised entity itself. Provision of termination rights may include (but are not limited to) cases of the following: insolvency; liquidation or receivership; change of ownership failure to comply with regulatory requirements; and/or poor performance. Supervised entities should submit a written notice to the Commission of dismissal or cancellation after informing the outsourced service provider that the outsourced service arrangement will be cancelled or terminated within (30) thirty days before final termination date. e.g. if intended termination date is September 30 of that year written notice should be sent to the Commission on August 31 of that year. Supervised entities should require the cooperation of the service provider upon termination. This cooperation should be clearly stated in the outsourcing arrangements that details the acquisition of full access to any relevant systems and documentations held at the outsourced firm relating to the activities carried out on behalf of the supervised entity. (8) Approval process for Outsourcing by the Commission Supervised entities must inform the Commission in writing of any activity to be outsourced. Prior to entering into an agreement notification should be made to the Commission within (40) forty days, to consider the proposal and must include at a minimum, the following information: the activities to be outsourced; the name of the outsourcing service provider (indicating whether this firm is part of the registered firm s group and its regulatory status, if any); and the location where the outsource activity will be carried out whether in The Bahamas or outside of The Bahamas. The supervised entity must submit a written confirmation from senior management which may include the Chief Executive Officer - CEO, the Executive Director - ED or the Compliance Officer CO 5 stating the best practice has been utilized in the selection of 5 SIR 2012 Sec 3 Fit and Proper 9 P age

10 the outsourced service provider, ensuring that the outsourcing of material functions guidelines have been followed and in line with the proposed outsourced activity. The Commission may impose, at its discretion, specific conditions on the outsourcing activities, in addition to those outlined in the guidelines. A written No Objection response to supervised entities should be received within (40) forty days from the Commission. Once the Commission is satisfied with the supervised entity s outsourcing activity, the outsourcing agreement and the outsourced service provider, and there has not been a no objection response within that (40) forty days it should be understood that the agreement would be automatically approved. The Commission should object by written response within (40) forty days, to the following: a proposed outsourcing arrangement; the continued use of an outsourced service provider; or to require the outsourcing arrangement to be terminated. (9) ACCESS TO BOOKS, RECORDS AND PREMISES - the Commission, and the auditors of the supervised entity should have access to the books and records of the outsourced service provider relating to the activities outsourced. Additionally, the Commission may at any time conduct on-site inspections of the business. 6 Pursuant to Regulation 44 of the SIR 2012, the Commission is also permitted access to any information concerning the activities carried out on behalf of the registered firm, as if those records and information were held at the supervised entity. Supervised entities should provide for by way of contractual agreement with service providers, the Commission having access to books, records and outsourcing service providers in relation to outsourced activities. It should be ensured that the Commission has the right to obtain upon request, information regarding outsourced activities. Supervised entity s contractual agreements should also provide for the supervised entity and its auditor to have access to and the rights to inspect the service provider s books and records relating to the outsourced function. Where appropriate, the inspection can be performed by way of physical inspection at the service provider premises, or by way of delivery of books and records to the registrant or auditor. The Commission should be notified if a service provider has plans to chain outsource any material functions of a supervised entity to another service providing entity. The Commission, the supervised entity and the auditor must also be granted access to the books and records of the subcontracted service provider. 6 SIA 2011 Sec 45 (1) Compliance inspections regulated persons 10 P age

11 Supervised entities should notify the Commission of any adverse developments arising in outsourcing that could significantly affect their operations, including any event that could potentially lead to termination and early exit from the outsourcing arrangement and provide such information as may be required by the Commission to exercise its regulatory powers or perform its supervisory functions. VI. OUTSOURSING OF MATERIAL ACTIVITIES WITH REGARDS TO INVESTMENT FUNDS ADMINISTRATORS AND SENIOR MANAGEMENT Administrators and senior managers of investment funds should not be permitted to outsource core administration activities such as strategic oversight; and internal audit function VII. OFFSHORE OUTSOURCING In addition to the general due diligence process outlined in Sec (4) of these guidelines, the Commission, in assessing whether to approve an application to outsource offshore material functions it should be expected, that the Board consider the risks which could arise from material functions being operated offshore, to include: country risk - the risk that overseas economic, political and/or social events which could impact upon the ability of the overseas service provider to continue to provide an outsourced service to the registrants; compliance (legal) risk - the risk that offshore arrangements will impact upon the supervised entity s ability to comply with relevant Bahamian and overseas laws and regulations. contractual risk - the risk associated with supervised entity s ability to enforce the offshore agreement may be limitedly or completely hindered; access risk - the risk relating to the Commission obtaining information and to retain records, is partly or completely hindered. This risk also refers to the potential difficulties or inability of the Commission to access the service provider and the material business activity being conducted. Where The Commission approves the offshore arrangement, these risks stated above should also be considered when conducting the ongoing monitoring and control of the material function/s. There are some specific risk management considerations that should be exercised when assessing, monitoring and controlling material functions outsourced to service providers when conducting the activities outside of The Bahamas. These considerations that supervised 11 P age

12 entities should consider with regards to the provisions in the outsourcing agreement should include (but are not limited to): Choice of law - Contracts should specify under which particular jurisdiction, contractual disputes will be resolved. The due diligence process should include an examination of the relevant overseas legislation and regulations by a suitably qualified expert to ensure that contractual provisions are recognized by the overseas jurisdiction and are able to be enforced in the chosen jurisdiction. Security and confidentiality of information Supervised entities should ensure that contractual provisions in relation to data are of the same standard as those required of a domestic service provider and in accordance with requirements under Bahamian legislation and regulations. Contracts should also ensure that all information forwarded to the service provider by the supervised entity (as well as any information forwarded by the service provider to third parties in the course of providing that service, such as to a back-up disaster recovery provider) remains the property of the supervised entity. Access to information/persons - Any agreement with a service provider should not restrict access to information by the Commission, external auditors, independent third parties or representatives of the supervised entity for the purposes of confirming the performance of the risk management systems. Legal due diligence undertaken prior to the execution of the contract should also ensure that there are no legal impediments to the Commission s access to information and/or relevant persons employed by the Commission or service provider for the purposes of examining the organization in relation to the regulation of the supervised entity s activities. Records should be maintained by the registrant in a Bahamian office and in English. These records should include (but are not limited to): copies of the contractual agreement; copies of the due diligence assessment; and copies of financial statements, reports and any other information the registrant/licensee considers critical to the ongoing monitoring and control of the outsourcing arrangement with the service provider. VIII. THE OUTSOURCING AGREEMENT The Commission expects that the outsourcing arrangement undertaken by way of construction be detailed and appropriate to the materiality of the outsourced activity and to the business of the outsourcing firm. The level of detail to the contents of the written agreement should reflect the level of monitoring, assessment, inspection, auditing required, the risks, the size and complexity of the outsourced service. Additionally, the Commission expects the arrangement to be: 12 P age

13 A legally binding written document between the supervised entity and the outsourcing service provider stating clearly the defined activities and responsibilities to be outsourced by the supervised entity and service provider; and Supervised entities should consider adopting measures to ensure that such agreements remain up-to-date and accurate and reflect the arrangements that are actually in operation. The contract at a minimum, should include, (but is not limited to) the following provisions; defining the responsibilities of the supervised entity and the outsourcing service provider; access to the records and information held by the outsourced agent/s; audit and monitoring procedures; legal compliance; time limitations; fees and payment structure; firm and client confidentiality and security; insurance, guarantees and indemnities; business continuity provisions; termination of contract, transfer of information and exit strategies; Subcontracting, including the limitations or conditions, the extent it is permitted, and further obligations; dispute settlement mechanism for cross-border outsourcing should be determined by the country s law that governs the relationship within that particular jurisdiction and be outlined in the agreement procedures; and obligation of the outsourced service provider, to provide, upon request records, information and/or any assistance concerning the outsourced activity to the registrant, its auditors and the Commission once it has received consent from its home supervisor to do so. 13 P age

14 X. BIBLIOGRAPHY REFERENCES bsif.gc.ca/app/docrepository/1/eng/guidelines/sound/guidelines/b10_e.pdf %20Guidelines%20on%20Outsourcing% %20Final.pdf P age

15 ANNEX I Administrator: - a company that has been licensed by the Commission under the International Financial Authority (IFA) as a restricted or unrestricted investment fund administrator. Chain Outsourcing: - outsourcing where the outsourcing service provider subcontracts elements of the service to other providers. Core Investment Activities: - the final checking and release of the investment funds net asset value calculation and the maintenance of the shareholder register. Material activities: - activities of such importance that any weakness or failure in the provision of these activities could have a significant effect on the regulated firm s ability to meet its regulatory responsibilities and/or to continue in business; key systems without which a regulated firm would be unable to deliver services to its clients, e.g. the sole means of providing a service; any other activities requiring a license or authorization from the Commission; any activity having a significant impact on a regulated firm s risk management; and the management of risks relating to these activities. In any case, what is considered as a critical or important function varies according to the circumstances and nature of the regulated firm and the specific arrangements contemplated. Outsourcing: - a registered firm entering into an arrangement with a third party service provider whereby that service provider will undertake a material business function, activity or process on behalf of the registered firm, which currently is, or could be undertaken by the registrant itself. Outsourcing Firm: - a registrant of the Commission that is the purchaser of the good, service, or facility provided by an outsourcing service provider. Outsourcing Service Provider: - the supplier of goods, services or facilities, and/or an affiliated entity within a registrant s corporate group, or which may not be affiliated with the registrant or regulated by the Commission. Senior Management: - persons who effectively direct the business of a registered firm, this includes the firm s board of directors and other persons who effectively direct the business of the firm. Registrant: - licensed and registered firms of the Commission. Client information/data: - any data, facts, correspondence and or transactions related to the client. 15 P age

16 Records: - an account, as of information or facts, set down especially in writing as a means of preserving knowledge. 16 P age

17 ANNEX II The outsourcing arrangements covered by these guidelines may involve the following areas: Information technology management and maintenance of systems (e.g., data entry and processing, applications development, programming, and coding); Document processing (e.g., cheques, credit cards, bill payments); Management of investments (e.g., portfolio management); Research and marketing (e.g., product development, media relations, call centres, telemarketing); Back office management (e.g., payroll processing, transactions and payment processing); Professional services related to the business activities of the financial institution (e.g., internal audits, actuarial services, accounting); Human resources (e.g., recruitment); However, these guidelines do not apply to the following: Courier services, regular mail, utilities, telephone; Procurement of specialized training; Discrete advisory services (e.g., legal services, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy); Purchase of goods, wares, commercially available software and other commodities; Independent audit reviews; Credit background and background investigation and information services; Market information services (e.g., Bloomberg, Moody s); Independent consulting; Services the financial institution is not legally able to provide; 17 P age

18 Printing services; Repair and maintenance of fixed assets; Supply and service of leased telecommunication equipment; Travel agency and transportation services; Maintenance and support of licensed software; Temporary help and contract personnel; Specialized recruitment; External conferences; Clearing and settlement arrangements between members or participants of recognized clearing and settlement systems; 18 P age

19 ANNEX III Continuity at the Outsourcing Firm (IOSCO S PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES) Means for Implementation Outsourcing firms are expected to take appropriate steps to require, in appropriate cases based on the materiality of the function that is being outsourced, that service providers have in place a comprehensive program. Specification of the security requirements of automated systems to be used by the service provider, including the technical and organizational measures that will be taken to protect firm and customer-related data. Appropriate care should be exercised to ensure that IT security protects the privacy of the outsourcing firm s customers as mandated by law: Requirements that the service provider maintain appropriate measures to ensure security of both the outsourcing firm s software as well as any software developed by the service provider for the use of the outsourcing firm; Specification of the rights of each party to change or require changes to security procedures and requirements and of the circumstances under which such changes might occur; Provisions that address the service provider s emergency procedures and disaster recovery and contingency plans as well as any particular issues that may need to be addressed where the outsourcing firm is utilizing a foreign service provider. Where relevant, this may include the service provider s responsibility for backing up and otherwise protecting program and data files, as well as regulatory reporting; Where appropriate, terms and conditions relevant to the use of subcontractors with respect to IT security, and appropriate steps to minimize the risks arising out of such subcontracting; Where appropriate, requirement of testing by the service provider of critical systems and back-up facilities on a periodic basis in order to review the ability of the service providers to perform adequately even under unusual physical and/or market conditions at the outsourcing firm, the service provider, or both, and to determine whether sufficient capacity exists under all relevant conditions; Requirement of disclosure by the service provider of breaches in security resulting in unauthorized intrusions (whether deliberate or accidental, and whether confirmed or not) that may affect the outsourcing firm or its customers, including a report of corrective action taken; and Provisions in the outsourcing firm s own contingency plans that address circumstances in which one or more of its service providers fail to adequately perform their contractual obligations. Where relevant, this may include reporting by the outsourcing firm to its regulator. The outsourcing firm may need to require contractually information from the service provider to fulfill this obligation. 19 P age

20 ANNEX IV Due diligence in selection and monitoring of service provider and service provider's performance (IOSCO S PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES) Means for Implementation Documenting processes and procedures that enable the outsourcing firm to assess, prior to selection, the third party service provider s ability and capacity to perform the outsourced activities effectively, reliably, and to a high standard, including the service provider s technical, financial and human resources capacity, together with any potential risk factors associated with using a particular service provider. Documenting processes and procedures that enable the outsourcing firm to monitor the third party service provider's performance and compliance with its contractual obligations, including processes and procedures that: Clearly define metrics that will measure the service level, and specify what service levels are required; and Establish measures to identify and report instances of non-compliance or unsatisfactory performance to the outsourcing firm as well as the ability to assess the quality of services performed by the service provider on a regular basis (see also topic 2). Implementing processes and procedures designed to help ensure that the service provider is in compliance with applicable laws and regulatory requirements in its jurisdiction, and that where there is a failure to perform duties required by statute or regulations, the outsourcing firm, to the extent required by law or regulation, reports the failure to its regulator and/or self regulatory organization and takes corrective actions.5 For example, procedures may include: The use of service delivery reports and the use of internal and external auditors to monitor, assess, and report to the outsourcing firm on performance; The use of written service level agreements or the inclusion of specific service level provisions in contracts for service to achieve clarity of performance targets and measurements for third party service providers. With respect to outsourcing on a cross-border basis, in determining whether the use of a foreign service provider is appropriate, the outsourcing firm may, with respect to a function that is material to the firm, need to conduct enhanced due diligence that focuses on special compliance risks, including the ability to effectively monitor the foreign service provider, the ability to maintain the confidentiality of firm and customer information; and the ability to execute contingency plans and exit strategies where the service is being performed on a cross-border basis. 20 P age

21 The Securities Commission of The Bahamas 3rd Floor, Charlotte House Charlotte Street P.O. Box N By fax to: (242) /2 By to: Website: 21 P age