BANKS AND DEPOSIT COMPANIES ACT 1999: The Outsourcing of Services or Functions by Institutions Licensed under the Banks and Deposit Companies Act 1999



Similar documents
Banking Guidance Note No. 1 Outsourcing of Services or Functions by Gibraltar- Licensed Banks. Date of Paper : 31 January 2000 Version Number : 1.

Guidance Note on Outsourcing/Delegation of Functions

Guidance note on Outsourcing/Delegation of Functions and inward outsourcing

OUTSOURCING POLICY

NOTICE ON OUTSOURCING

Mapping of outsourcing requirements

Outsourcing. FSA Regulated firms (including offshore outsourcing) Contents. March 2004

Statement of Guidance: Outsourcing All Regulated Entities

GUIDELINES ON OUTSOURCING ARRANGEMENTS

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

Application for Status as a Registered Bank:

Financial Services Guidance Note Outsourcing

OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008

SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Outsourcing Risk Guidance Note for Banks

GUIDANCE NOTE ON OUTSOURCING

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

BERMUDA MONETARY AUTHORITY

Objective and key requirements of this Prudential Standard

14 December 2006 GUIDELINES ON OUTSOURCING

Statement of Principles

OUTSOURCING REGULATIONS IN THE BANKING AND INSURANCE INDUSTRIES IN ASIA PACIFIC

Risk Management Programme Guidelines

SPG 223 Fraud Risk Management. June 2015

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Managing Outsourcing Arrangements

Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

Prudential Practice Guide

CHAPTER 11 MONEY BROKERS

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope)

Corporate Finance Adviser. Code of Conduct

Authorised Persons Regulations

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Bank of Papua New Guinea Prudential Standard BPS251: Business Continuity Management

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for

APB ETHICAL STANDARD 5 (REVISED) NON-AUDIT SERVICES PROVIDED TO AUDITED ENTITIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

INSURANCE CORE PRINCIPLES, STANDARDS, GUIDANCE AND ASSESSMENT METHODOLOGY

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

Securities Regulations (Trading Platform to its Own Account), 2014

SUPERVISION GUIDELINE

CHEUNG KONG INFRASTRUCTURE HOLDINGS LIMITED AUDIT COMMITTEE - TERMS OF REFERENCE

FUND SERVICES BUSINESS & COLLECTIVE INVESTMENT FUNDS

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

Saxo Capital Markets CY Limited

Draft Guidelines on Outsourcing of activities by Insurance Companies

APES GN 30 Outsourced Services

Managing General Agents (MGAs) Guideline

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

Guideline Note Mobile Financial Services: Regulatory Reporting

中 國 通 信 服 務 股 份 有 限 公 司

GUIDE TO INVESTMENT FUNDS IN BERMUDA

10 Shenton Way MAS Building Singapore Telephone: (65) Facsimile: (65)

Guidance on Investor Money Regulations Consultation Paper CP 60. For Fund Service Providers. March 2015

GUIDELINES ON OUTSOURCING

PART A : OVERVIEW INTRODUCTION OBJECTIVE SCOPE APPLICABILITY DEFINITION LEGAL PROVISIONS...

Supervisory Policy Manual

Appendix 14 CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT

GUIDELINES ON OUTSOURCING

POLICY STATEMENT AND GUIDANCE NOTES ON: (1) OUTSOURCING; AND

Guideline. Outsourcing of Business Activities, Functions and Processes. Category: Sound Business and Financial Practices

TERMS OF REFERENCE OF AUDIT COMMITTEE

For captive insurers and captive insurance managers

FinTech Webinar Series: Vendor Management Principles

CORPORATE GOVERNANCE. 1 Introduction. 2 Board composition and conduct

Adopted by the Board of Directors of the Nordic Investment Bank on 17 December 2009 COMPLIANCE POLICY

Guidance on Arrangements to Support Operational Continuity in Resolution. Consultative Document

TO ALL CHIEF EXECUTIVE OFFICERS OF BANKS, BRANCHES OF FOREIGN BANKS AND MUTUAL BANKS

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)

Cumbria Constabulary. Business Continuity Planning

Vendor Management. Outsourcing Technology Services

- 1 - CATHAY PACIFIC AIRWAYS LIMITED. Corporate Governance Code. (Amended and restated with effect from 3rd March 2014)

The Australian Consumer Law: draft provisions on unfair contract terms

Outsourcing by UK-based Fund Managers: Identifying and Applying the Rules

Authorisation Requirements and Standards for Debt Management Firms

(Incorporated in Bermuda with limited liability) (Stock Code : 75) TERMS OF REFERENCE OF AUDIT COMMITTEE DEFINITIONS

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

It includes Form SRF Fund Profile and associated specific instructions.


INTERNATIONAL CORRESPONDENT BANKS. Knowing Your Customer (KYC) Anti-Money Laundering Prevention of Terrorist Financing

Auditor Independence Policy

DRAFT September These instructions assist completion of Reporting Form SRF Services (SRF 231.0).

Investment Business in Bermuda

GUIDELINES FOR MANAGED LICENSEES

Cayman and Singapore: Still an attractive combination

Statement of Guidance

Auditing of the Annual Accounts of Credit Unions for the year ending

Objectives and key requirements of this Prudential Standard

Appendix 1. This appendix is a proposed new module of the DFSA Rulebook. Therefore, the text is not underlined as it is all new text.

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS PRINCIPLES FOR THE CONDUCT OF INSURANCE BUSINESS

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Basel Committee on Banking Supervision. Shell banks and booking offices

Fit and Proper Assessment Best Practice

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

Practice note on credit risk management for loans to the corporate sector

When does an Insurer or Reinsurer Need to be Licensed in Canada?

Transcription:

THE BERMUDA MONETARY AUTHORITY BANKS AND DEPOSIT COMPANIES ACT 1999: The Outsourcing of Services or Functions by Institutions Licensed under the Banks and Deposit May 2007

Introduction 1 This paper revises and replaces the existing policy guidance set out in a paper of the same title published in December 2003. It has been the subject of detailed consultation with the banking industry based on proposals set out in a consultation paper published in December 2006. 2 The paper sets out the general approach taken by the Bermuda Monetary Authority ( the Authority ) in relation to proposals by licensed banks and deposit companies to outsource particular aspects of their activities. Although the practice by Bermuda institutions of outsourcing activities to other entities whether affiliated or unaffiliated is not widespread, proposals are advanced from time to time. These may become more frequent, given the growing trend in the banking industry worldwide. 3 Decisions to outsource activities to more specialized entities may be based on a number of factors, such as the need to achieve economies of scale or to improve the quality of service to customers. In some instances, a shortage of the relevant expertise or personnel in Bermuda may also drive such a decision. Any proposal for a licensed institution to cede material control over a key activity through outsourcing either of the activity itself or of related services needs very careful consideration by the Authority, in particular to ensure that proper control is maintained and that the risk of the disruption or interruption though events outside the institution s own control is minimised. 4 The Authority views such arrangements as raising a number of important management and control issues for institutions. Accordingly, appropriate policies and procedures must be in place to assess proposals as well as to manage and monitor the resultant activities. The Authority also expects to be consulted in advance in particular cases (see paragraph 4 below). In reviewing such proposals, it seeks in particular to satisfy itself that adequate management control over the activities will be maintained and that institutions internal compliance and internal audit functions, as well as their external auditors, can gain such access as may be necessary to the outsourced activities. In general, therefore, when a proposal is for outsourcing to other entities within the same economic group, it is likely to present fewer difficulties or concerns than where non-group outsourcing is involved. 5 The Authority expects institutions to consult it in advance regarding all proposals to outsource material activities. Material outsourcing in this context means the use of third parties (whether related or unrelated) to provide services to the institution which are of such importance that any weakness or failure in the outsourced activity would cast serious doubts on the institution s compliance with the requirements in the Second Schedule to the Banks & Deposit Companies Act, 1999 (the Act ) to conduct its business in a prudent manner and with integrity and skill. Material outsourcing does not involve the purchase of standardized services such as financial information from e.g. Bloomberg/ Reuters, normal custodian arrangements, or non-financial administrative services e.g. office cleaning and maintenance. On the other hand, given the importance attaching to institutions internal controls, the presumption should be that all proposals to outsource IT services are likely to May 2007 2 of 5

be material in nature unless there are good reasons (for example the outsourcing is small in scale and involves a non-core function) to believe otherwise. It is the responsibility of an institution s management to determine what constitutes a material outsourcing. Where, however, institutions are unclear whether a particular proposal involves material outsourcing, they should consult the Authority about whether there is a need to submit the proposal in question. 6 This paper deals only with the prudential issues related to outsourcing and does not address the legal or other issues which may be relevant such as, for example, data protection or confidentiality of customer information. These are issues that must be considered by the institution s management in arriving at decisions to outsource activities. The Authority s General Approach 7 The institution s management must satisfy the Authority that adequate procedures are in place to enable it to assess, manage and monitor the outsourced activities on an ongoing basis and to ensure that the integrity of its systems and controls is maintained. Its risk management programme for outsourced activities should include appropriate arrangements for: i. conducting due diligence in selecting proposed service providers; ii. structuring the outsourcing arrangement; iii. managing and monitoring the risks associated with the outsourcing arrangement; iv. ensuring an effective control environment; and v. establishing viable contingency planning. There must also be comprehensive contracts and/or service level agreements in place, providing a clear allocation of responsibilities between the outsourcing provider and the institution. Where relevant, the Authority will also need to be satisfied that compliance with anti-money laundering requirements will not be adversely impacted by an outsourcing proposal. At the same time, the institution must be in a position to satisfy any standard reporting requirements of the Authority in relation to the activities in question. Responsibility for the outsourced functions in terms of the institution s compliance with the licensing and other ongoing requirements with the Act remains at all times with the institution s management. 8 The Authority must be able to continue to supervise the outsourced activities as necessary, including having appropriate access to documentation and accounting records in relation to them. 9 Reporting Accountants reports may be required to include coverage of outsourced activities. There should be no impediment to auditors and reporting accountants obtaining such access as may be necessary to the outsourced activity. Where this is not the case, outsourcing will not be permitted or approval will be withdrawn. May 2007 3 of 5

10 In general, proposals for material outsourcing to entities outside Bermuda will be scrutinised particularly carefully. In certain cases, approval will be granted only where the outsourcing is to a regulated entity in a jurisdiction with an equivalent standard of regulation and supervision to that in Bermuda. Similarly, the service provider may be required to give consent to its home regulator releasing relevant information to the BMA. In no case must the service provider be prohibited, implicitly or explicitly, from doing so. 11 The Authority reserves the right in all cases where approval to outsource activities is granted to review this consent if any of the circumstances under which the approval was granted should change. Submission of Proposals 12 Proposals to outsource material activities must be submitted to the Authority in writing well in advance of the date on which it is intended that the outsourcing will commence. Decisions to outsource functions critical to the delivery of the institution s core services or to the operation of its internal controls should first be approved at Board level. 13 The degree of detail that the Authority will require depends on the activities that the institution proposes to outsource and the nature of the service provider to be used. In general, proposals should include full details of the rationale for the outsourcing, information on the proposed service provider and a detailed description of the methods whereby the institution will ensure that it retains proper ability to control and monitor the outsourced activities. Where the outsourcing of key activities is proposed, the Authority should be provided with a detailed risk assessment. Where a proposal has potential implications for the institution s anti-money laundering compliance, the Authority should be provided with a full analysis of the implications, explaining the means by which the institution will ensure that it remains properly able to meet its legal obligations. 14 As noted above, before selecting a service provider, the Authority expects the institution to conduct detailed due diligence on the service provider. It will also require sight of relevant parts of the draft outsourcing agreement negotiated between the parties involved. All such agreements must satisfy the Authority that the outsourcing institution will obtain all information that is necessary for it to exercise control over the outsourced activity. They should also deal, as may be necessary, with the question of access to information by the Authority for its regulatory functions. 15 Institutions which propose to outsource functions must also have contingency plans in place in the event of an outsourcing agreement being suddenly terminated or failure of the service provider to perform. Proposals submitted to the Authority should also contain an analysis of the risks to which a sudden termination of services or failure of the provider to perform may expose the institution, together with details of contingency planning to deal with such an event. May 2007 4 of 5

16 The Authority must be made aware if a service provider, to which an institution proposes to outsource functions, has plans, either initially or at any subsequent time, to further outsource (sub-contract) the functions to another service provider. May 2007 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information