The table below sets out areas for firms to consider in outsourcing, including how organisations should discharge their oversight obligations.
|Area of interest||Notes|
|Legal and regulatory considerations||Before acceptance, firms should review the contract with the outsource provider to ensure that it complies with our rules. A firm should: |
– have a clear and documented business case or rationale in support of the decision to use one or more service providers for the delivery of critical or important operational functions or material outsourcing
– ensure the service is suitable for the firm and consider any relevant legal or regulatory obligations, including where a firm is looking to change their existing outsourcing requirements
– as part of the due diligence exercise, ensure that, in entering into an outsource agreement, it does not erode, impair or worsen the firm's operational risk
– consider the relative risks of using one type of service over another e.g. public versus private ‘cloud’
– maintain an accurate record of contracts between the firm and its service provider(s)
– know which jurisdiction the service provider’s business premises are located in and how that affects the firm’s outsource arrangements
– know whether its contract with the service provider is governed by the law, and subject to the jurisdiction, of the firm's own country. If it is not, it should still ensure effective access to data and business premises for the firm, its auditor and the regulator (see the sections below on access to data and business premises)
– consider any additional legal or regulatory obligations and requirements that may arise, such as under GDPR
– identify all the service providers in the supply chain and ensure that the requirements on the firm can be complied with throughout the supply chain. Similarly, where multiple providers form part of an overall arrangement (as distinct from a chain) the requirements should be complied with across the arrangement.
|Risk management||A fundamental principle of the rules and guidance on outsourcing is that firms identify and manage any risks introduced by their outsourcing arrangements. |
Accordingly firms should:
– carry out a risk assessment to identify relevant risks and identify steps to mitigate them
– document this assessment
– identify current industry good practice, including data and information security management system requirements, as well as the relevant regulator's rules and guidance, and use this to support its decision making
– review whether the legal and regulatory risks differ if the customers, firms and employees involved in providing or using the services are in different geographic or jurisdictional locations e.g. Ireland, UK, EEA or non-EEA
– assess the overall operational risks associated with the regulated service for which the firm is responsible and assign responsibility for managing them
– monitor concentration risk and consider what action it would take if the outsource provider failed
– require prompt and appropriately detailed notification of any breaches or other relevant events arising including the invocation of business recovery arrangements
– ensure the contract(s) provide for the remediation of breaches and other adverse events.
|International standards||In conducting its due diligence on potential third-party providers, and as part of ongoing monitoring of service provision, a firm may wish to take account of the provider’s adherence to international standards as relevant to the provision of IT services. Assurance obtained from international standards for the delivery of critical or important operational functions or material outsourcing is unlikely to be sufficient on its own. |
Nevertheless firms should:
– take account of any external assurance that has already been provided when conducting their own due diligence.
External assurance may be more relevant to a firm’s consideration where:
– it complies with well-understood standards (for example, the ISO 27000 series)
– the part of the service being assessed is relatively stable (such as physical controls in the data centre or staff vetting)
– the service is uniform across the customer base (i.e. not particular or bespoke to the firm outsourcing)
– the scope of the third-party audit is specific to the service a firm proposes to use (i.e. the audit covers the data centre the firm is using, not a similar data centre in another jurisdiction)
|Oversight of service provider||Firms retain full accountability for discharging all of their responsibilities under the regulatory system and cannot delegate responsibility to the service provider. |
At a high level, a firm should:
– be clear about the service being provided and where responsibility and accountability between the firm and its service provider(s) begins and ends
– allocate responsibility for the day-to-day and strategic management of the service provider
– ensure staff have sufficient skills and resources to oversee and test the outsourced activities; identify, monitor and mitigate against the risks arising; and properly manage an exit or transfer from an existing third-party provider
– verify that suitable arrangements for dispute resolution exist
|Data Security||Firms should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm. |
A firm should:
– have a data residency policy that sets out where data can be stored
– understand the provider’s data loss and breach notification processes and ensure they are aligned with the firm’s risk appetite and legal or regulatory obligations
– have choice and control regarding the jurisdiction in which their data is stored, processed and managed
– consider how data will be segregated (if using a public cloud)
– take appropriate steps to mitigate security risks so that the firm’s overall security exposure is acceptable
– consider data sensitivity and how the data is transmitted, stored and encrypted, where necessary.
|GDPR||A firm should comply with the principles of the GDPR and any associated guidance.|
|Effective access to Data||Specific regulatory requirements for some firms require effective access to data for regulated firms, their auditors and regulators. The term "data" has a wide meaning. It includes, but is not limited to, firm, personal customer and transactional data, as well as system and process data: for example, Human Resource vetting procedures or system audit trails and logs. |
A firm should:
– ensure that notification requirements on accessing data, as agreed with the service provider, are reasonable and not overly restrictive
– ensure there are no restrictions on the number of requests the firm, its auditor or the regulator can make to access or receive data
– advise the service provider that the regulator will not enter into a non-disclosure agreement with the service provider, but will treat any information disclosed in accordance with its confidentiality obligations
– ensure that, where a firm cannot disclose data for any reason, the contract enables the regulator or the firm’s auditor to contact the service provider directly
|Change management||Risks can be introduced when changes are made to processes and procedures – even where these are well established. We expect firms to have in place a comprehensive change management process, but particular note should be taken of the following points: |
– establishing what provision has been made for making future changes to technology service provision
– establishing how the testing of changes will be carried out.
|Continuity and Business Planning||A firm should have in place appropriate arrangements to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. |
A firm should:
– consider the likelihood and impact of an unexpected disruption to the continuity of its operations
– document its strategy for maintaining continuity of its operations, including recovery from an event, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy
– regularly update and test arrangements to ensure their effectiveness
– consider that disruptions could be caused by intentional cyber-attacks, and that these may negate controls focused on delivering system availability (such as distribution of data to multiple locations)
|Resolution (where applicable)||Any services should be organised in such a way that they do not create additional complexity in a resolution and do not become a barrier to the resolution or orderly wind-down of a firm. |
– For firms where stabilisation powers will, or may, be applied, this will mean that the outsourcing provider and any subcontractor should agree that neither the entry into resolution nor a subsequent change in control arising from the firm’s entry into resolution shall constitute a termination event. The outsourcing provider should also agree not to delete, revoke, alter or change any data and to continue to provide services to the firm (or such other entity as necessary) for an appropriate transitional period following the resolution.
|Exit Plan||Firms need to ensure that they are able to exit outsourcing arrangements, should they wish to, without undue disruption to their provision of services or their compliance with the regulatory regime. |
A firm should:
– have exit plans and termination arrangements that are understood, documented and regularly rehearsed
– know how it would transition to an alternative service provider and maintain business continuity
– have a specific obligation put on the outsourcing provider to cooperate fully with both the firm and any new outsource provider(s) to ensure there is a smooth transition
– know how it would remove data from the service provider’s systems on exit
– monitor concentration risk and consider what action it would take if the outsource provider failed.