Having initially delayed its planned consultation exercise to allow the financial services sector to focus on responding to Covid-19, the International Organization of Securities Commissions (IOSCO) subsequently found the pandemic a catalyst to proceed. Therefore, at the end of May, IOSCO launched its consultation on proposed updates to the 2005 Outsourcing Principles for Market Intermediaries and the 2009 Outsourcing Principles for Markets; feedback on the proposed new Outsourcing Principles (OPs) is requested on or before 1 October 2020. The decision to proceed reflects the acknowledgement that outsourcing is a key element for consideration when assessing operational resilience across the sector.
This article gives a high level summary of the consultation, with a link to our briefing that focuses in more detail on: the scope of application; IOSCO’s definition of outsourcing; intragroup arrangements; concentration risk; and access and audit rights. To provide additional context to IOSCO’s proposals, the associated briefing also catalogues relevant proposals and initiatives which are running concurrent to the consultation exercise.
In common with some regional and national authorities among its membership, IOSCO has found that much has changed since its original efforts to define universal principles for outsourcing, not least the move towards use of cloud and the increased speed of markets. However, like many regulators in its membership, IOSCO holds to two principles:
- that regulated entities retain full responsibility, legal liability, and accountability to the regulator for all outsourced tasks; and
- that policy should be technology neutral.
While cloud has been a factor driving regulators to revisit their existing guidelines, it clearly has not prompted a fundamental rethink on whether firms’ responsibilities for compliance should be modified – much as some may have hoped this would be the case.
Increased and increasing reliance on third party providers is drawing greater regulatory focus as supervisors look to ensure the operational resilience of regulated entities – a condition that is unlikely to change anytime soon, particularly in light of the lessons being learnt under Covid-19. In this consultation, IOSCO explains that, ‘operational resilience refers to the ability of regulated entities, other firms such as service providers, and the financial market as a whole to prevent, respond to, recover, and learn from operational disruptions.’
The OPs commence with a set of ‘fundamental precepts’ covering issues such as the definition of outsourcing, the assessment of materiality and criticality, their application to affiliates, the treatment of sub-contracting and outsourcing on a cross-border basis.
IOSCO then sets out seven principles which explain the expectations for regulated entities that outsource tasks, along with guidance for implementation. The principles are:
- Principle 1: A regulated entity should conduct suitable due diligence processes in selecting an appropriate service provider and in monitoring its ongoing performance.
- Principle 2: A regulated entity should enter into a legally binding written contract with each service provider, the nature and detail of which should be appropriate to the materiality or criticality of the outsourced task to the business of the regulated entity.
- Principle 3: A regulated entity should take appropriate steps to ensure both the regulated entity and any service provider establish procedures and controls to protect the regulated entity’s proprietary and client-related information and software and to ensure a continuity of service to the regulated entity, including a plan for disaster recovery with periodic testing of backup facilities.
- Principle 4: A regulated entity should take appropriate steps to ensure that service providers protect confidential information and data related to the regulated entity and its clients, from intentional or inadvertent unauthorised disclosure to third parties.
- Principle 5: A regulated entity should be aware of the risks posed, and should manage them effectively, where it is dependent on a single service provider for material or critical outsourced tasks or where it is aware that one service provider provides material or critical outsourcing services to multiple regulated entities including itself.
- Principle 6: A regulated entity should take appropriate steps to ensure that its regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks that is relevant to contractual compliance and/or regulatory oversight including, as necessary, access to the data, IT systems, premises and personnel of service providers relating to the outsourced tasks.
- Principle 7: A regulated entity should include written provisions relating to the termination of outsourced tasks in its contract with service providers and ensure that it maintains appropriate exit strategies.
Our briefing examines the IOSCO proposals in more detail. We focus in particular on aspects of outsourcing regulations and guidance which have proved challenging in a range of jurisdictions, including: intragroup arrangements; concentration risk; and access and audit rights. We also consider the scope of application of the OPs and IOSCO’s definition of outsourcing. The briefing concludes with our catalogue of concurrent and forthcoming consultations and initiatives.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2022