No. 1 of Services or Functions by Gibraltar- Licensed Banks Date of Paper : 31 January 2000 Version Number : 1.00
Table of Contents Introduction... 3 Submissions to FSC... 3 Assessment of Proposals... 4 General Principles... 4 Other Issues... 5 (a) Contingency Planning... 5 (b) Sub-contracting... 5 Date of application of this Guidance Note... 5 Further Clarification... 5 Published by: Financial Services Commission PO Box 940, Suite 943, Europort, Gibraltar Tel (+350) 40283 Fax (+350) 40282 E-Mail: info@fsc.gi www.fsc.gi 2
Introduction This Guidance Note applies to all banks that are licensed by the Financial Services Commission in Gibraltar. It does not apply to Gibraltar branches of banks which are licensed or authorised in an EEA Member State, as the main supervisory responsibility for these entities rests with their Home State supervisors. In late 1998, the Financial Services Commission (FSC) conducted a detailed survey on the extent to which functions were being outsourced by Gibraltarlicensed banks to other entities and jurisdictions. The survey revealed that while the practice was not widespread there appeared to be a growing trend. Up to now, the FSC has not had any specific requirements in this area, other than a general understanding that it expected to be advised in advance of significant outsourcing proposals by licensed banks. The FSC recognises that banks decisions to outsource functions may be based on a number of factors, such as to achieve economies of scale or to improve the quality of service to customers through outsourcing to more specialised entities. It is also recognised that, in some instances, there may be a shortage of the relevant expertise in Gibraltar which would necessitate such a decision. From the FSC s prudential supervisory viewpoint, it will consider all proposals to outsource services or functions from the point of view of the continuance of adequate management control over the functions and the ability of internal compliance and internal audit functions, as well as external audit, to monitor the outsourced functions. This Note does not make an explicit distinction between functions that are outsourced to group and non-group entities. However, in assessing proposals, the FSC will take into account that certain of its concerns may not apply, or apply to a lesser extent, in cases of outsourcing to other entities within the same economic group. This Note deals only with the prudential issues related to outsourcing and does not deal with the legal or other issues which may be relevant such as, for example, data protection or confidentiality of customer information. These are issues that should be considered by the banks own managements in arriving at decisions to outsource functions. The FSC recognises that there are circumstances, some of which have been outlined above, where outsourcing is attractive or necessary from a bank s point of view. The issuing of this Note is, however, not intended to encourage outsourcing, rather the FSC favours banks conducting all functions in-house, insofar as this is practicable. Submissions to FSC Proposals to outsource functions must be submitted to the FSC in writing well in advance of the date on which it is intended that the outsourcing will commence. Decisions to outsource material functions (i.e., those related to the core activities of the bank) should be approved at Board level in the case of locally incorporated banks. For licensees that are branches of non-eeaauthorised banks, the approval should be by the Local Supervisory Board or Head Office Director or Senior Executive with responsibility for the branch s operations, as appropriate. The degree of detail that the FSC will require will depend on the functions that the bank proposes to outsource and the service provider to be used. In general, proposals should include details of the rationale for the outsourcing, details 3
relating to the proposed service provider and a description of the methods that the bank will employ to ensure that it retains its ability to control and monitor the outsourced functions. Before selecting a service provider, the FSC expects the bank to conduct detailed due diligence on the service provider and it reserves the right to examine that due diligence as part of its assessment of an outsourcing proposal. The FSC may also require sight of a draft outsourcing agreement between the parties involved. Such agreements must ensure that the bank can provide to the FSC any information relating to the outsourced activity that it requires in order to carry out its supervisory functions and the agreements must not contain any provisions which are contrary to the principles contained in this guidance. Assessment of Proposals The general principles that will guide the FSC in assessing applications from banks to outsource functions follow. However, proposals will be considered on a case by case basis and the FSC reserves the right not to approve proposals although they may appear to comply with the general principles. Conversely, the FSC may grant approval for proposals which do not strictly meet the criteria, if the merits of the specific case justify such a decision. In assessing a proposal from a bank to outsource functions, the FSC will at first consider whether any of the fundamental or statutory criteria which must be complied with before a banking licence is granted, and which have to be adhered to on an ongoing basis, will be adversely affected. In particular, the FSC will consider if, after the outsourcing, the mind and management of the bank (and of its operations) will remain in Gibraltar - this automatically imposes limits on the extent to which functions can be outsourced. In making this judgement, the FSC will distinguish between functions that it considers to be material and not material in the context of the bank s overall operations. General Principles 1. The FSC must be in a position to be able to continue to supervise the outsourced functions, including having access to documentation and accounting records in relation to the outsourced activities. This implies that approval will be unlikely to be granted for functions to be transferred to entities or jurisdictions where visits by the Gibraltar bank s staff, external auditors or FSC staff would be impractical or would be prohibited. Exceptions may be made where, for example, the outsourcing is to other group entities or where alternative arrangements can be made with the external auditors or with the financial regulators in these other jurisdictions. 2. In general, approvals for functions to be outsourced to entities outside of Gibraltar (other than what might be considered to be less material functions such as payroll, for example) will only be granted where the outsourcing is to a regulated entity in a jurisdiction with an equivalent standard of regulation and supervision as pertains in Gibraltar. If the FSC so requires, the service provider must give its consent to its home regulator releasing any relevant information in relation to its operations that the FSC would wish to receive and in no case must it be prohibited, implicitly or explicitly, from doing so. 3. The bank s management must satisfy the FSC that adequate procedures are in place to enable the bank to monitor and control the outsourced functions on an ongoing basis. The FSC will hold the bank s management responsible for ensuring that the outsourced functions are carried out to a proper standard and that the integrity of the bank s systems and controls is maintained. In particular, the FSC will need to be satisfied that any anti-money laundering requirements can continue to be met. The bank must also be in a position to 4
satisfy all the reporting requirements of the FSC in relation to these activities. The bank s management will be responsible to the FSC for the outsourced functions, as if no outsourcing had taken place. 4. As at present, scopes for Reporting Accountant s Reports may include coverage of outsourced functions, where appropriate. In the event that the Reporting Accountants would, for whatever reason, not be in a position to carry out this task, outsourcing will not be permitted or approval will be withdrawn, as the case may be. 5. The FSC will reserve its right in all cases where approval to outsource functions is granted to review this consent if any of the circumstances under which the approval was granted should change. Other Issues (a) (b) Contingency Planning Banks which propose to outsource functions must have contingency plans in place in the event of an outsourcing agreement being suddenly terminated or failure of the service provider to perform. Sub-contracting The FSC must be made aware if a service provider, to which a bank proposes to outsource functions, has plans to further outsource (sub-contract) the functions to another service provider. Date of application of this Guidance Note The criteria and policy set out above apply to all outsourcing arrangements entered into after the date of this Note. As arrangements negotiated before this date become due for renewal these arrangements should be discussed with the FSC before being renewed. Further Clarification Further clarification of the issues contained in this Note may be obtained from the Banking Supervisor or from the Assistant Banking Supervisor. Financial Services Commission January 2000 5