Third Party Regulation Mapping Matrix

Overview of the Spreadsheet
This spreadsheet is meant to analyze the current list of rules, regulations and guidelines pertaining to third-party suppliers. A d
found on Tab 2 of this worksheet. Additionally, the SIFMA Vendor Working Group recommends a life-cycle approach to supplie
The tabs on this worksheet represent the life-cycle phases as defined by the Office Of the Comptroller Of the Currency (OCC).
This workbook can also be used to help a firm profile itself against the requirements set forth by the OCC. The RACI method ha
to help companies determine who is involved regarding a specific compliance point and their role. If no one is involved then th
highlighted as an item requiring a corrective action plan. The roles in the RACI profiling method are:
Responsible: This is a person, who performs a task or work and he/she is responsible for the work.
Accountable: the primary person in charge of the task or work (e.g. department/division head) .
Consulted: Person, who gives feedback and contributes when required.
Informed: Person in charge who needs to know the action or decision taken.
"Top-level RACI" Tab:

Scroll to column B and determine if the life-cycle component is performed at your company. If not, highlight the cell in red. Th
of a project plan to bring your firm into compliance. If your firm feels that this does not apply, use the comments column to do
rationale.
Columns C through V are suggested functions/business units that are involved in third-party supplier management. Feel free t
to fit your firm. Use the drop down selection to determine what role a department may have with the compliance point. Som
perform multiple roles. Also, select N/A if you feel the function does not apply to you. Follow this practice across the tabs and
developed your "profile". Please note there is no scoring since there is no industry function to perform comparisons.
"Planning" through "Other" Tabs:
Scroll to column E and determine if the compliance point is performed at your company. If not, highlight the cell in red. This w
a project plan to bring your firm into compliance. If your firm feels that this does not apply, use the comments column to docu
Columns F through U are suggested functions/business units that are involved in third-party supplier management. Feel free t
to fit your firm. Use the drop down selection to determine what role a department may have with the compliance point. Som
perform multiple roles. Also, select N/A if you feel the function does not apply to you. Follow this practice across the tabs and
developed your "profile". Please note there is no scoring since there is no industry function to perform comparisons.
Also, since many firms use some sort of system, spreadsheet or tool, to support their supplier risk program, technology modific
needed to ensure compliance. The ability to extract compliance information will be just as important as performing the functio
"N" to any of the quesitons regarding system functionality, that is the basis for a development project to bring a firm's technolo
List Of Documents
Regulatory Guideline/Bulletin Link
1 OCC Bulletin 2013-29 http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
2 Federal Reserve – Guidance on Managing http://www.federalreserve.gov/bankinforeg/srletters/sr1319.htm

Outsourcing Risk (12/5/13)
3 CFPB Bulletin on Service Providers http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf
4 CPSS 115 http://www.bis.org/publ/cpss115.pdf
5 FCA Outsourcing In Asset Mgmt. Industry http://www.fca.org.uk/static/documents/thematic-reviews/tr13-10.pdf
6 FFIEC – Supervision of TSP (10/2012) http://ithandbook.ffiec.gov/it-booklets/supervision-of-technology-service-providers-(tsp).aspx
7 FINRA – Notice to Members 11-14

(proposed reg 3190) – 5/11 http://www.finra.org/Industry/Regulation/Notices/2011/P123399
8 NASD NTM 05-48 http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p014735.pdf
9 ICI - FICCA Engagements http://www.ici.org/pdf/27847.pdf
10 IIROC – Notice 14-0012 http://www.iiroc.ca/Documents/2014/1fd5248a-56d7-4e8e-b755-95f91a434985_en.pdf
11 IOSCOPD187 http://www.bis.org/press/p131218a.htm
12 IOSCOPD432 http://www.iosco.org/library/pubdocs/pdf/IOSCOPD432.pdf
13 GLB / Reg S-P – Privacy of Customer http://www.sec.gov/rules/final/34-42974.htm

Information
14 Senior Management Arrangements, http://fshandbook.info/FS/html/handbook/SYSC/8

Systems and Controls (FRA-FCA)
Outsourcing Working Group - Industry

15 Response To FSA Dear CEO Letter On http://www.investmentfunds.org.uk/assets/files/press/2013/20131209-owgreport.pdf
Outsourcing
16 NIST Framework On Cybersecurity http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
17 Federal Reserve SR 14-1/14-1A http://www.federalreserve.gov/bankinforeg/srletters/SR1401.htm

List Of Documents
Regulatory Guideline/Bulletin Link
IOSCOPD187 AND IOSCOPD432

• Red Italics: Notes associated with the text
from the bottom of the page were added to the
spreadsheet.
• Red Underline: Additional Text added to
frame the section within the spreadsheet.
• Italics: In some long sections including a
number of sub bullet points, he core
component of the sub bullets are
summarizedin italics rather than including all of
the text.
• Bold: identifies supporting documents that are
referred to within the section.
Management Summary
Federal Reserve Senior Outsourcing

– Guidance on CFPB Bulletin on FCA Outsourcing FFIEC – FINRA – Notice GLB / Reg S-P – Management Working Group - NIST Framework
OCC Bulletin to Members 11- NASD NTM 05- ICI - FICCA IIROC – Notice Privacy of Arrangements, Industry Federal Reserve SR
TPS Life-cycle Phases Managing Service CPSS 115 In Asset Mgmt. Supervision of IOSCOPD187 IOSCOPD432 On
2013-29 Outsourcing Risk Providers Industry TSP (10/2012) 14 (proposed 48 Engagements 14-0012 Customer Systems and Response To FSA Cybersecurity 14-1/14-1A *
(12/5/13) reg 3190) – 5/11 Information Controls (FRA- Dear CEO Letter
FCA On Outsourcing
Planning ü ü ü ü ü ü ü ü ü ü ü ü
Due Diligence ü ü ü ü ü ü ü ü ü ü ü ü
Contract Negotiation ü ü ü ü ü ü ü ü ü
Ongoing Monitoring ü ü ü ü ü ü ü ü ü ü ü ü ü
Oversight & Accountability ü ü ü ü ü ü ü ü ü ü ü ü ü ü
Termination ü ü ü ü ü ü ü ü
Documentation and
Reporting ü ü ü ü ü ü ü ü ü ü
Independent Review ü ü ü ü ü ü ü ü
Supervisory Review of TSPs ü ü ü ü ü ü ü ü ü ü
Other ü ü ü ü ü ü ü ü ü ü ü
* As per the text of the rule, the financial companies in scope are: Bank of America Corporation, Bank of New York Mellon Corporation, PLC, Citigroup Inc., Goldman Sachs Group, Inc., JPMorgan Chase & Co., Morgan Stanley, State Street Corporation, and Wells Fargo & Company.
Business Support Functions
Is this
compliance
point
performed at Business Business Business Procurem
TPS Life-cycle Phases Legal
Unit #1 Unit #2 Unit #3 ent
your
company?
(Y/N)
Planning
Due Diligence
Contract Negotiation
Ongoing Monitoring
Oversight and Accountability
Termination
Documentation and Reporting
Independent Review
Supervisory Review of TSPs
Other
upport Functions Sector / Region Enterprise/Corporate Functions
Third
Regional Region Senior
Compl. Accounts Sector ESRM Party Ent. Risk Info.
SRM SRM Manage
Payable SRM Group Credit Mgmt Security
Head Utility ment Risk
Functions System Capabilities
Complian Evidence
Existing ce Easily
CoB Capabilit Evidence Extractab Comments
y? Exists in le?
System?
Planning
Regulatory Guideline/Bulletin Function Compliance Points
Terminate arrangements with 3rd parties that do not meet expectations or no longer align
with the banks strategic goals, objectives or risk appetite. Ensure that relationships
Senior Bank Management terminate in an efficient manner, whether the activities are transitioned to another third
party or in-house, or discontinued.
Recommend termination of arrangements with 3rd parties that do not meet expectations or
no longer align with the banks strategic goals, objectives or risk appetite.
1 OCC Bulletin 2013-29 Develop a plan to transition to an alternate vendor or bring a service in house if there are
no alternate 3rd parties to dilute risk in the event of a contract default or termination. The
Bank Employees who directly plan should cover:
manage 3rd party relationships • capabilities, resources, and the time frame required to transition the activity while still
managing legal, regulatory, customer, and other impacts that might arise.
• risks associated with data retention and destruction, information system connections and
access control issues, or other control concerns that require additional risk management and
monitoring during and after the end of the third-party relationship.
• handling of joint intellectual property developed during the course of the arrangement.
• reputation risks to the bank if the termination happens as a result of the third party’s
inability to meet expectations.
Sr. Bank Mgmt./ Enterprise Govern and monitor supplier contracts to ensure that they are adherent to supplier
2 Fed Outsourcing Guidance Risk Management Team/ compliance/ controls. Where need, have an exit strategy and terminate contracts with
Supplier Relationship minimal impact to business operations and services.
Managers
Supervised banks and

nonbanks (large insured
CFPB Bulletin on Service depository institutions, large Supervised banks and nonbanks may outsource certain functions to service providers due to
resource constraints, use service providers to develop and market additional products or
3 Providers insured credit unions, and services, or rely on expertise from service providers that would not otherwise be available
their affiliates and certain non- without significant investment.
depository consumer financial
services company.
The critical service provider is expected to have in place robust methods to plan for the
entire lifecycle of the use of technologies and the selection of technological standards.
Should have effective technology planning that minimizes overall operational risk and
enhances operational performance. Planning entails a comprehensive information
technology strategy that considers the entire lifecycle for the use of technologies and a
4 CPSS 115 Critical Service Provider process for selecting standards when deploying and managing a service.
Proposed changes to a critical service provider’s technology should entail a thorough and
comprehensive consultation with the FMI and, where relevant, its participants. A critical
service provider should regularly review its technology plans, including assessments of its
technologies and the processes it uses for implementing change.
FCA Outsourcing In Asset

5 NA NA
Mgmt. Industry
FFIEC Booklet on Technology To outline bank examiners TPA supervisory guidelines: Risk Tiers, Frequency, Composite
6 Service Providers Bank Examiners Ratings to measure the effectives of a suppliers compliance and adherence. Key areas of
focus include: Audit, Management, Development and Acquisition, Support and Delivery.
Establish and maintain a supervisory system and written procedures for any functions or
activities performed by a third party service provider that are reasonably designed to
achieve compliance with applicable securities laws and regulations and applicable FINRA
and MSRB rules.
7 FINRA 11-14 Program Development

Planning
7 FINRA 11-14 Program Development Clearing or Carrying member firms must have supervisory procedures that enable the firm
to take prompt corrective action when necessary to achieve compliance with applicable
securities laws and regulations and applicable FINRA and MSRB rules.
Development of due diligence and oversight processes

Additional requirements for clearing/carrying firms
Development of ongoing monitoring process
If a member, as part of its business structure, outsources covered activities, the member’s
supervisory system and written supervisory procedures must include procedures regarding
8 NASD NTM 05-48 its outsourcing practices to ensure compliance with applicable securities laws and
regulations and NASD rules
Describe the following:

- Whether or not the company uses subservice providers or subcontractors
- The primary partners or subcontractors
- Location: onsite, offsite, offshore
- Employee Background Checks
- Compliance awareness training
- Assessment process for subservice providers' or subcontractors' business continuity /
disaster recovery plans
9 ICI - FICCA Engagements Management - The company's policy / practice related to subcontractors, including the following:
- How long has this been in practice
- Communications protocols
- The conditions under which subcontractors are used
- How subcontractors are trained and held to the company's standards (e.g., privacy
protection)
- Whether the contractor has a SSAE 16 report or other form of external oversight report.
In not, how the company gains comfort with the subcontractors control environment.
A Dealer Member should have a comprehensive outsourcing policy that guides the
performance of due diligence assessment(s) that will underlie decisions regarding whether,
and how, certain activities can be appropriately outsourced
As part of the comprehensive outsourcing policy, an initial assessment should be made as to

whether the Dealer Member has the internal expertise that is necessary to perform the due
10 IIROC Guidance On Outsourcing diligence assessment(s) and, if not, the Dealer Member should identify and obtain third
party expertise to perform or assist in the performance of the due diligence assessment(s)
Establish and carry-out a comprehensive outsourcing risk management program that

monitors the risks associated with:
• the outsourced activities; and
• the outsourcing relationship entered into with the service provider
Ensure that third-party service providers have adequate safeguards for keeping
information confidential and, where appropriate, for recovering from a business
disruption;
Conduct ongoing reviews of the quality of outsourced services;
Develop and test a business continuity plan to minimize disruption to the firm’s
business and its clients if the third-party service provider does not deliver the
11 IOSCOPD187 Program Requirements
services satisfactorily; and,
The following Principles set out regulators’ expectations for outsourcing firms. These
principles should be applied according to the degree of materiality of the outsourced
activity to the ongoing business of the outsourcing firm and its regulatory obligations.
Even where the activity is not material, the outsourcing firm should consider the
appropriateness of applying the principles.
Annex F outlines five oversight expectations that help ensure that the operations of a
critical service provider are held to the same standards as the FMI would be if it
provided the same service. These expectations are specifically targeted at ensuring
Service Standards strong risk identification and management, robust information security management,
reliability and resilience of systems, effective technology planning, and strong
communications with users. (Users are the customers of the critical service provider,
12 IOSCOPD432 and include (an) FMI(s) and its/their participants, as relevant.)
Planning

12 IOSCOPD432
Proposed changes to a critical service provider’s technology should entail a thorough

and comprehensive consultation with the FMI and, where relevant, its participants. A
Technology Planning
critical service provider should regularly review its technology plans, including
assessments of its technologies and the processes it uses for implementing change.
13 REG SP4-57427 NA NA
A common platform firm must: (1) when relying on a third party for the performance of
operational functions which are critical for the performance of regulated activities, listed
14 FRA-FCA Handbook NA activities or ancillary services (in this chapter relevant services and activities) on a
continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue
additional operational risk;
Outsourcing Working Group -

15 Industry Response To FSA Dear NA NA
CEO Letter On Outsourcing
NIST Framework NA NA
16
Due Diligence
Board Of Directors Review summary of due diligence results and management’s recommendations to use third
parties that involve critical activities.
Ensure appropriate due diligence is conducted on potential third parties and present results
Senior Bank Management to the board when making recommendations to use third parties that involve critical
activities.
A bank should conduct due diligence on all potential third parties before selecting and
entering into contracts or relationships. A bank should not rely solely on experience with or
prior knowledge of the third party as a proxy for an objective, in-depth assessment of the
third party’s ability to perform the activity in compliance with all applicable laws and
regulations and in a safe and sound manner.
The bank should consider the following during due diligence:

Review the third party’s overall business strategy and goals to ensure they do not conflict
with those of the bank. Consider how the third party’s current and proposed strategic
business arrangements (such as mergers, acquisitions, divestitures, joint ventures, or joint
marketing initiatives) may affect the activity. Also consider reviewing the third party’s service
philosophies, quality initiatives, efficiency improvements, and employment policies and
practices.

Evaluate the third party’s legal and regulatory compliance program to determine whether
the third party has the necessary licenses to operate and the expertise, processes, and
controls to enable the bank to remain compliant with domestic and international laws and
regulations. Check compliance status with regulators and self-regulatory organizations as
appropriate.

Assess the third party’s financial condition, including reviews of the third party’s audited
financial statements. Evaluate growth, earnings, pending litigation, unfunded liabilities, and
other factors that may affect the third party’s overall financial stability. Depending on the
significance of the third-party relationship, the bank’s analysis may be as comprehensive as if
extending credit to the third party.

Evaluate the third party’s depth of resources and previous experience providing the specific
activity. Assess the third party’s reputation, including history of customer complaints or
litigation. Determine how long the third party has been in business, its market share for the
activities, and whether there have been significant changes in the activities offered or in its
business model. Conduct reference checks with external organizations and agencies such as
the industry associations, Better Business Bureau, Federal Trade Commission, state attorneys
general offices, state consumer affairs offices, and similar foreign authorities. Check U.S.
Securities and Exchange Commission or other regulatory filings. Review the third party’s
Web sites and other marketing materials to ensure that statements and assertions are in-line
with the bank’s expectations and do not overstate or misrepresent activities and capabilities.
Determine whether and how the third party plans to use the bank’s name and reputation in
marketing efforts.

Evaluate the third party’s normal fee structure and incentives for similar business
arrangements to determine if the fee structure and incentives would create burdensome
upfront fees or result in inappropriate risk taking by the third party or the bank.

Ensure the third party periodically conducts thorough background checks on its senior
management and employees as well as on subcontractors who may have access to critical
systems or confidential information. Ensure that third parties have policies and procedures in
place for removing employees who do not meet minimum background check requirements.
Due Diligence

Evaluate the effectiveness of the third party’s risk management program, including policies,
processes, and internal controls. Where applicable, determine whether the third party’s
internal audit function independently and effectively tests and reports on the third party’s
internal controls. Evaluate processes for escalating, remediating, and holding management
accountable for concerns identified during audits or other independent tests. If available,
review Service Organization Control (SOC) reports, prepared in accordance with the
American Institute of Certified Public Accountants Statement on Standards for Attestation
Engagements No. 16 (SSAE 16). Consider whether these reports contain sufficient
information to assess the third party’s risk or whether additional scrutiny is required through
an audit by the bank or other third party at the bank’s request. Consider any certification by
independent third parties for compliance with domestic or international internal control
standards (e.g., the National Institute of Standards and Technology and the International
1 OCC Bulletin 2013-29 Standards Organization).
Bank Employees who

directly manage 3rd part
relationships
Assess the third party’s information security program. Determine whether the third party
has sufficient experience in identifying, assessing, and mitigating known and emerging
threats and vulnerabilities. When technology is necessary to support service delivery, assess
the third party’s infrastructure and application security programs, including the software
development life cycle and results of vulnerability and penetration tests. Evaluate the third
party’s ability to implement effective and sustainable corrective actions to address
deficiencies discovered during testing.

Gain a clear understanding of the third party’s business processes and technology that will
be used to support the activity. When technology is a major component of the third-party
relationship, review both the bank’s and the third party’s information systems to identify
gaps in service-level expectations, technology, business process and management, or
interoperability issues. Review the third party’s processes for maintaining accurate
inventories of its technology and its subcontractors. Assess the third party’s change
management processes to ensure that clear roles, responsibilities, and segregation of duties
are in place. Understand the third party’s performance metrics for its information systems
and ensure they meet the bank’s expectations.

Assess the third party’s ability to respond to service disruptions or degradations resulting
from natural disasters, human error, or intentional physical or cyber attacks. Determine
whether the third party maintains disaster recovery and business continuity plans that
specify the time frame to resume activities and recover data. Review the third party’s
telecommunications redundancy and resilience plans and preparations for known and
emerging threats and vulnerabilities, such as wide-scale natural disasters, distributed denial
of service attacks, or other intentional or unintentional events. Review the results of
business continuity testing and performance during actual disruptions.

Review the third party’s incident reporting and management programs to ensure there are
clearly documented processes and accountability for identifying, reporting, investigating,
and escalating incidents. Ensure that the third party’s escalation and notification processes
meet the bank’s expectations and regulatory requirements.

Evaluate whether the third party has sufficient physical and environmental controls to
ensure the safety and security of its facilities, technology systems, and employees.

Review the third party’s program to train and hold employees accountable for compliance
with policies and procedures. Review the third party’s succession and redundancy planning
for key management and support personnel. Review training programs to ensure that the
third party’s staff is knowledgeable about changes in laws, regulations, technology, risk, and
other factors that may affect the quality of the activities provided.
Due Diligence

Evaluate the volume and types of subcontracted activities and the subcontractors’
geographic locations. Evaluate the third party’s ability to assess, monitor, and mitigate risks
from its use of subcontractors and to ensure that the same level of quality and controls
exists no matter where the subcontractors’ operations reside. Evaluate whether additional
concentration-related risks may arise from the third party’s reliance on subcontractors and, if
necessary, conduct similar due diligence on the third party’s critical subcontractors.

Verify that the third party has fidelity bond coverage to insure against losses attributable to
dishonest acts, liability coverage for losses attributable to negligent acts, and hazard
insurance covering fire, loss of data, and protection of documents. Determine whether the
third party has insurance coverage for its intellectual property rights, as such coverage may
not be available under a general commercial policy. The amounts of such coverage should be
commensurate with the level of risk involved with the third party’s operations and the type
of activities to be provided.

Obtain information regarding legally binding arrangements with subcontractors or other
parties in cases where the third party has indemnified itself, as such arrangements may
transfer risks to the bank. Evaluate the potential legal and financial implications to the bank
of these contracts between the third party and its subcontractors or other parties.
A financial institution should conduct an evaluation of and perform the necessary due
diligence for a prospective service provider prior to engaging the service provider. The depth
and formality of the due diligence performed will vary depending on the scope, complexity,
and
Enterprise Risk Page 4 of 12
Management Team/ importance of the planned outsourcing arrangement, the financial institution's familiarity
2 Fed Outsourcing Guidance Supplier Relationship with prospective service providers, and the reputation and industry standing of the service
Managers provider. Throughout the due diligence process, financial institution technical experts and
key stakeholders should be engaged in the review and approval process as needed. The
overall due diligence process includes a review of the service provider with regard to:
1. Business background, reputation, and strategy;
2. Financial performance and condition; and
3. Operations and internal controls.
Conducting thorough due diligence to verify that the service provider understands and is
capable of complying with Federal consumer financial law;
Supervised banks and
3 CFPB Bulletin on Service Providers nonbanks
Requesting and reviewing the service provider's policies, procedures, internal controls, and
training materials to ensure that the service provider conducts appropriate training and
oversight of employees or agents that have consumer contact or compliance responsibilities;
4 CPSS 115 NA NA
(1) Resilience risk – If an asset manager’s service provider was to suddenly fail and
thereforebe unable to provide their outsource services for an indefinite period, the asset
FCA Outsourcing In Asset Mgmt. managerin turn would not be able to continue the service it is contracted to provide to
5 Industry NA itscustomers. For example, investors may not be able to redeem their fund holdings at afair
and accurate valuation on a timely basis. Without viable contingency plans in place,this
scenario could result in detriment to the asset manager’s customers.
FFIEC Booklet on Technology Service

6 Providers Bank Examiners Risk based and Examination Frequency
Due Diligence
Perform ongoing due diligence on each current or prospective third party service provider
(including any sub-vendor) to determine if they are capable of preforming the activities
being outsourced and can achieve compliance with applicable securities laws and
7 FINRA 11-14 regulations and applicable FINRA and MSRB rules.
Formalized process for entering into contracts
Due Diligence Program Ongoing monitoring process
Required reporting to regulators
8 NASD NTM 05-48 Supervisory procedures are required when a member outsources covered activities and
must include a due diligence analysis of all of its current or prospective third-party service
providers to determine whether they are capable of performing the outsourced activities
9 ICI - FICCA Engagements NA NA
A Dealer Member should have a comprehensive outsourcing policy that guides the
performance of due diligence assessment(s) that will underlie decisions regarding whether,
and how, certain activities can be appropriately outsourced
 As part of the comprehensive outsourcing policy, an initial assessment should be made as

to whether the Dealer Member has the internal expertise that is necessary to perform the
due diligence assessment(s) and, if not, the Dealer Member should identify and obtain third
party expertise to perform or assist in the performance of the due diligence assessment(s)
10 IIROC Guidance On Outsourcing Due Diligence Oversight Dealer Members adopt formal due diligence policies and procedures relating to outsourcing
arrangements. To facilitate Dealer Members’ efficient assessment of individual proposed
outsourcing arrangements, it would be acceptable for Dealer Members to adopt policies and
procedures that acknowledge that the extent of due diligence work performed may be
proportionate to the materiality and risk of the functions/activities that are proposed to be
outsourced.
Documenting processes and procedures that enable the outsourcing firm to assess, prior to
selection, the third party service provider’s ability and capacity to perform the outsourced
activities effectively, reliably, and to a high standard, including the service provider’s
technical, financial and human resources capacity, together with any potential risk factors
associated with using a particular service provider.
It is important that outsourcing firms exercise due care, skill, and diligence in the
selection of third party service providers, so that they can be satisfied that the third
party service provider has the ability and capacity to undertake the provision of the
service effectively.
An outsourcing firm should conduct suitable due diligence processes in

selecting an appropriate third party service provider and in monitoring its ongoing
Due Dilligence performance.
Whatever level of outsourcing is utilized, outsourcing firms remain responsible for

conducting due diligence
As part of its reviews of these matters, an outsourcing firm should also take into
account whether additional issues are raised when the outsourcing is performed on a
cross-border basis.
Firms should consider several factors as they apply these principles to activities that
fall under the outsourcing definition. First, as discussed in section II.A, these
principles should be applied according to the degree of materiality of the outsourced
activity to the firm's business. Even where the activity is not material, the outsourcing
entity should consider the appropriateness of applying the principles. Second, as
discussed in section II.C, firms should consider any affiliation or other relationship
between the outsourcing entity and the service provider. While it is necessary to
apply the Outsourcing Principles to affiliated entities, it may be appropriate to adopt
them with some modification to account for the potential differing degrees of risk with
respect to intra-group outsourcing. Third, the firm may consider whether the service
provider is a regulated entity subject to independent supervision.
Third Party Assessment
Due Diligence

Third Party Assessment
With respect to the financial firm, transferring a function to a third party may have a
detrimental impact on the firm’s understanding of how the function is performed, with
a consequent loss of control. The lack of control over a firm’s proprietary and
customer-related information and software may also hinder the ability of an
outsourcing firm to maintain its proprietary and customer-related information and
software, and may also impact on the confidentiality of customer records. There is
the potential that the inappropriate selection of a service provider may lead to a
business disruption, with negative consequences for the outsourcing firm’s
customers, and, in certain instances, the potential for systemic risk to the market as
a whole.
For areas of business activity that are not restricted by the regulator, the outsourcing
firm should develop a process for determining the materiality of outsourcing
arrangements. The assessment of what is material is often a subjective one and
depends on the circumstances of the particular outsourcing firm. Factors to be
considered include, but are not limited to: Financial, reputational and operational
impact, provision of adequate services to an
outsourcing firm’s customers, losses to an outsourcing firm's customers on the
failure of a service provider to perform, ability and capacity of the outsourcing
firm to conform with regulatory requirements and changes in requirements, cost,
elationship between the outsourcing firm and the service provider, regulatory status
of the service provider, and the degree of difficulty and time required to select an
11 IOSCOPD187 alternative service provider or to bring the business activity in-house, if necessary.
The outsourcing firm should take appropriate measures to determine that:

(a) Procedures are in place to protect the outsourcing firm’s proprietary and
customer-related information and software; and
(b) Its service providers establish and maintain emergency procedures and a plan for
disaster recovery, with periodic testing of backup facilities.
Means for Implementation: Specification of the security requirements of automated

systems to be used by the service provider, including the technical and
organizational measures that will be taken to protect firm and customer-related data.
Appropriate care should be exercised to ensure that IT security protects the privacy
of the outsourcing firm’s customers as mandated by law:
• service provider maintain appropriate measures to ensure security of both the
outsourcing firm’s software as well as any software developed by the service
Information Technology
Security and Business provider for the use of the outsourcing firm
• Specification of the rights of each party to change or require changes to security
Continuity at the
Outsourcing Firm (Due procedures and requirements and of the circumstances under which such changes
might occur
Dilligence)
• Provisions that address the service provider’s emergency procedures and disaster
recovery and contingency plans as well as any particular issues that may need to be
addressed where the outsourcing firm is utilizing a foreign service provider. Where
relevant, this may include the service provider’s responsibility for backing up and
otherwise protecting program and data files, as well as regulatory reporting
• Where appropriate, terms and conditions relevant to the use of subcontractors with
respect to IT security, and appropriate steps to minimize the risks arising out of such
subcontracting
•Where appropriate, requirement of testing by the service provider of critical systems

and back-up facilities on a periodic basis in order to review the ability of the service
providers to perform adequately even under unusual physical and/or market
conditions at the outsourcing firm, the service provider, or both, and to determine
whether sufficient capacity exists under all relevant conditions
• Requirement of disclosure by the service provider of breaches in security resulting
in unauthorized intrusions (whether deliberate or accidental, and whether confirmed
or not) that may affect the outsourcing firm or its customers, including a report of
corrective action taken
• Provisions in the outsourcing firm’s own contingency plans that address
circumstances in which one or more of its service providers fail to adequately
perform their contractual obligations. Where relevant, this may include reporting by
the outsourcing firm to its regulator. The outsourcing firm may need to require
contractually information from the service provider to fulfill this obligation.
Due Diligence
As part of its reviews of these matters, an outsourcing firm should also take into
account whether additional issues are raised when the outsourcing is performed on a
cross-border basis.
The FMI remains ultimately responsible for its operations, including the five oversight
expectations outlined in Annex F of the Principles for financial market infrastructures.
An FMI may have a contractual arrangement with a third-party service provider that
performs, on a continuing basis, activities essential to the operations of the FMI. The
FMI Operations continuous, secure, and efficient delivery of these services by the third-party service
Oversight Expectations provider may be critical to the operations of the FMI or, in some cases, multiple
FMIs.
This assessment methodology mirrors the approach used in the CPSS-IOSCO,

Principles for financial market infrastructures: Disclosure framework and
Assessment methodology, December 2012.
A critical service provider should have effective processes and systems for
identifying and documenting risks, implementing controls to manage risks, and
making decisions to accept certain risks. A critical service provider may face risks
12 IOSCOPD432 Risk identification and related to information security, reliability and resilience, and technology planning, as
management well as legal and regulatory requirements pertaining to its corporate organisation and
conduct, relationships with customers, strategic decisions that affect its ability to
operate as a going concern, and dependencies on third parties.
Enterprise-wide risk-management framework
Dependencies on third parties
Governance of the enterprise-wide risk-management framework
Internal audit function
A critical service provider should have a robust information security framework that
appropriately manages its information security risks. The framework should include
sound policies and procedures to protect information from unauthorised disclosure,
ensure data integrity, and guarantee the availability of its services. In addition, a
Information security critical service provider should have policies and procedures for monitoring its
(Due Dilligence) compliance with its information security framework. This framework should also
include capacity planning policies and change-management practices. For example,
a critical service provider that plans to change its operations should assess the
implications of such a change on its information security arrangements.
The following should be taken into account where the service provider is not authorized or
registered in its home country and/or not subject to prudential supervision. 8.3.6 FCA (1)
The firm should examine, and be able to demonstrate, to what extent the service provider
may be subject to any form of voluntary regulation, including self-regulation in its home
state. (2) The firm should be able to satisfy the FCA that the service provider is committed
for the term of the outsourcing agreement to devoting sufficient, competent resources to
providing the service. (3) In addition to the requirement to ensure that a service provider
discloses any developments that may have a material impact on its ability to carry out the
outsourcing (¡ SYSC 8.1.8 R (6)), where the conditions are not met the
developments to be disclosed should include, but are not limited to:
(a) any adverse effect that any laws or regulations introduced in the service
provider's home country may have on its carrying on the outsourced
activity; and
(b) any changes to its capital reserve levels or its prudential risks.
(4) The firm should satisfy itself that the service provider is able to meet its liabilities as they
fall due and that it has positive net assets.
(5) The firm should require that the service provider prepares annual reports and accounts
which:
14 FRA-FCA Handbook (a) are in accordance with the service provider's national law which, in all material respects,
is the same as or equivalent to the international accounting standards;
(b) have been independently audited and reported on in accordance with the service
provider's national law which is the same as or equivalent to international auditing
standards.
14 FRA-FCA Handbook Due Diligence
(6) The firm should receive copies of each set of the audited annual report and accounts of
the service provider. If the service provider expects or knows its accounts of the service
provider. If the service provider expects or knows its auditor will qualify his report on the
audited report and accounts, or add an explanatory paragraph, the service provider should
be required to notify an explanatory paragraph, the service provider should be required to
notify the firm without delay.
(7) The firm should satisfy itself, and be able to demonstrate, that it has in place appropriate
procedures to ensure that it is fully aware of the service provider's controls for protecting
confidential information.
(8) In addition to the requirement at ¡ SYSC 8.1.8 R (10) that the service provider must
protect any confidential information relating to the firm or its clients, the outsourcing
agreement should require the service provider to notify the firm immediately if there is a
breach of confidentiality. The outsourcing agreement should be governed by the law and
subject to the jurisdiction of an EEA state.
OWG Document NA NA
15
NA NA
16 NIST Framework
Board Approve contracts prior to execution when a 3rd party relationship will involve critical
activities
Senior Bank Management Review and approve contracts with third parties.
Negotiate a contract that clearly specifies the rights and responsibilities of each party to the
contract.
Where problems are identified, the bank should seek to renegotiate the contract at the
earliest opportunity.
Ensure that the contract specifies the nature and scope of the arrangement. For example, a
third-party contract should specifically identify the frequency, content, and format of the
service, product, or function provided. Include in the contract, as applicable, such ancillary
services as software or other technology support and maintenance, employee training, and
customer service. Specify which activities the third party is to conduct, whether on or off the
bank’s premises, and describe the terms governing the use of the bank’s information,
facilities, personnel, systems, and equipment, as well as access to and use of the bank’s or
customers’ information. When dual employees will be used, clearly articulate their
responsibilities and reporting lines.7
Specify performance measures that define the expectations and responsibilities for both
parties including conformance with regulatory standards or rules. Such measures can be used
to motivate the third party’s performance, penalize poor performance, or reward outstanding
performance. Performance measures should not incentivize undesirable performance, such
as encouraging processing volume or speed without regard for accuracy, compliance
requirements, or adverse effects on customers. Industry standards for service-level
agreements may provide a reference point for standardized services, such as payroll
processing. For more customized activities, there may be no standard measures. Instead, the
bank and third party should agree on appropriate measures.
Ensure that the contract requires the third party to provide and retain timely, accurate, and
comprehensive information such as records and reports that allow bank management to
monitor performance, service levels, and risks. Stipulate the frequency and type of reports
required, for example: performance reports, control audits, financial statements, security
reports, BSA/AML and Office of Foreign Asset Control (OFAC) compliance responsibilities and
reports for monitoring potential suspicious activity, reports for monitoring customer
complaint activity, and business resumption testing reports.
Ensure that the contract sufficiently addresses

• the responsibilities and methods to address failures to adhere to the agreement including
the ability of both parties to the agreement to exit the relationship.
Ensure that the contract sufficiently addresses

• the prompt notification of financial difficulty, catastrophic events, and significant incidents
such as information breaches, data loss, service or system interruptions, compliance lapses,
enforcement actions, or other regulatory actions.
Ensure that the contract sufficiently addresses:

• the bank’s materiality thresholds and procedures for notifying the bank in writing whenever
service disruptions, security breaches, or other events pose a significant risk to the bank.

• notification to the bank before making significant changes to the contracted activities,
including acquisition, subcontracting, off-shoring, management or key personnel changes, or
implementing new or revised policies, processes, and information technology.

• the ability of the third party to resell, assign, or permit access to the bank’s data and
systems to other entities.

• the bank’s obligations to notify the third party if the bank implements strategic or
operational changes or experiences significant incidents that may affect the third party.

• notification to the bank before making significant changes to the contracted activities,
including acquisition, subcontracting, off-shoring, management or key personnel changes, or
implementing new or revised policies, processes, and information technology.
Ensure that the contract establishes the bank’s right to audit, monitor performance, and
require remediation when issues are identified. Generally, a third-party contract should
include provisions for periodic independent internal or external audits of the third party, and
relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions
to monitor performance with the contract. A bank should include in the contract the types
and frequency of audit reports the bank is entitled to receive from the third party (e.g.,
financial, SSAE 16, SOC 1, SOC 2, and SOC 3 reports, and security reviews). Consider whether
to accept audits conducted by the third party’s internal or external auditors. Reserve the
bank’s right to conduct its own audits of the third party’s activities or to engage an
independent party to perform such audits.
Ensure the contract addresses compliance with the specific laws, regulations, guidance, and
self-regulatory standards applicable to the activities involved, including provisions that
outline compliance with certain provisions of the Gramm-Leach-Bliley Act (GLBA) (including
privacy and safeguarding of customer information); BSA/AML; OFAC; and Fair Lending and
other consumer protection laws and regulations. Ensure that the contract requires the third
party to maintain policies and procedures which address the bank’s right to conduct periodic
reviews so as to verify the third party’s compliance with the bank’s policies and expectations.
Ensure that the contract states the bank has the right to monitor on an ongoing basis the
third party’s compliance with applicable laws, regulations, and policies and requires
remediation if issues arise.
Fully describe compensation, fees, and calculations for base services, as well as any fees
based on volume of activity and for special requests. Ensure the contracts do not include
burdensome upfront fees or incentives that could result in inappropriate risk taking by the
bank or third party. Indicate which party is responsible for payment of legal, audit, and
examination fees associated with the activities involved. Consider outlining cost and
responsibility for purchasing and maintaining hardware and software. Specify the conditions
under which the cost structure may be changed, including limits on any cost increases.
State whether and how the third party has the right to use the bank’s information,
technology, and intellectual property, such as the bank’s name, logo, trademark, and
copyrighted material. Indicate whether any records generated by the third party become the
bank’s property. Include appropriate warranties on the part of the third party related to its
acquisition of licenses for use of any intellectual property developed by other third parties. If
the bank purchases software, establish escrow agreements to provide for the bank’s access
to source code and programs under certain conditions (e.g., insolvency of the third party).
1 OCC Bulletin 2013-29
Bank Employees Who
Manage Third-party
relationships
Prohibit the third party and its subcontractors from using or disclosing the bank’s
information, except as necessary to provide the contracted activities or comply with legal
requirements. If the third party receives bank customers’ personally identifiable information,
the contract should ensure that the third party implements and maintains appropriate
security measures to comply with privacy regulations and regulatory guidelines. Specify when
and how the third party will disclose, in a timely manner, information security breaches that
have resulted in unauthorized intrusions or access that may materially affect the bank or its
customers. Stipulate that intrusion notifications include estimates of the effects on the bank
and specify corrective action to be taken by the third party. Address the powers of each party
to change security and risk management procedures and requirements, and resolve any
confidentiality and integrity issues arising out of shared use of facilities owned by the third
party. Stipulate whether and how often the bank and the third party will jointly practice
incident management plans involving unauthorized intrusions or other breaches in
confidentiality and integrity.
Ensure the contract provides for continuation of the business function in the event of
problems affecting the third party’s operations, including degradations or interruptions
resulting from natural disasters, human error, or intentional attacks. Stipulate the third party’s
responsibility for backing up and otherwise protecting programs, data, and equipment, and
for maintaining current and sound business resumption and contingency plans. Include
provisions—in the event of the third party’s bankruptcy, business failure, or business
interruption—for transferring the bank’s accounts or activities to another third party without
penalty.
Ensure that the contract requires the third party to provide the bank with operating
procedures to be carried out in the event business resumption and disaster recovery plans
are implemented. Include specific time frames for business resumption and recovery that
meet the bank’s requirements, and when appropriate, regulatory requirements. Stipulate
whether and how often the bank and the third party will jointly practice business resumption
and disaster recovery plans.
Consider including indemnification clauses that specify the extent to which the bank will be
held liable for claims that cite failure of the third party to perform, including failure of the
third party to obtain any necessary intellectual property licenses. Carefully assess
indemnification clauses that require the bank to hold the third party harmless from liability.
Stipulate that the third party is required to maintain adequate insurance, notify the bank of
material changes to coverage, and provide evidence of coverage where appropriate. Types of
insurance coverage may include fidelity bond coverage, liability coverage, hazard insurance,
and intellectual property insurance.
Consider whether the contract should establish a dispute resolution process (arbitration,
mediation, or other means) to resolve problems between the bank and the third party in an
expeditious manner, and whether the third party should continue to provide activities to the
bank during the dispute resolution period.
Determine whether the contract limits the third party’s liability and whether the proposed
limit is in proportion to the amount of loss the bank might experience because of the third
party’s failure to perform or to comply with applicable laws. Consider whether a contract
would subject the bank to undue risk of litigation, particularly if the third party violates or is
accused of violating intellectual property rights.
Ensure that the contract stipulates what constitutes default, identifies remedies and allows
opportunities to cure defaults, and stipulates the circumstances and responsibilities for
termination. Determine whether it includes a provision that enables the bank to terminate
the contract, upon reasonable notice and without penalty, in the event that the OCC formally
directs the bank to terminate the relationship. Ensure the contract permits the bank to
terminate the relationship in a timely manner without prohibitive expense. Include
termination and notification requirements with time frames to allow for the orderly
conversion to another third party. Provide for the timely return or destruction of the bank’s
data and other resources and ensure the contract provides for ongoing monitoring of the
third party after the contract terms are satisfied as necessary. Clearly assign all costs and
obligations associated with transition and termination.
Specify whether the bank or third party is responsible for responding to customer
complaints. If it is the third party’s responsibility, specify provisions that ensure that the third
party receives and responds timely to customer complaints and forwards a copy of each
complaint and response to the bank. The third party should submit sufficient, timely, and
usable information to enable the bank to analyze customer complaint activity and trends for
risk management purposes.
Stipulate when and how the third party should notify the bank of its intent to use a
subcontractor. Specify the activities that cannot be subcontracted or whether the bank
prohibits the third party from subcontracting activities to certain locations or specific
subcontractors. Detail the contractual obligations—such as reporting on the subcontractor’s
conformance with performance measures, periodic audit results, compliance with laws and
regulations, and other contractual obligations. State the third party’s liability for activities or
actions by its subcontractors and which party is responsible for the costs and resources
required for any additional monitoring and management of the subcontractors. Reserve the
right to terminate the contract without penalty if the third party’s subcontracting
arrangements do not comply with the terms of the contract.
Include in contracts with foreign-based third parties choice-of-law covenants and

jurisdictional covenants that provide for adjudication of all disputes between the parties
under the laws of a single, specific jurisdiction. Understand that such contracts and
covenants may be subject, however, to the interpretation of foreign courts relying on local
laws. Foreign courts and laws may differ substantially from U.S. courts and laws in the
application and enforcement of choice-of-law covenants, requirements on banks, protection
of privacy of customer information, and the types of information that the third party or
foreign governmental entities will provide upon request. Therefore, seek legal advice to
ensure the enforceability of all aspects of a proposed contract with a foreign-based third
party and other legal ramifications of each such arrangement.
In contracts with service providers, stipulate that the performance of activities by external
parties for the bank is subject to OCC examination oversight, including access to all work
papers, drafts, and other materials. The OCC treats as subject to 12 USC 1867(c) and 12 USC
1464(d)(7), situations in which a bank arranges, by contract or otherwise, for the
performance of any applicable functions of its operations.
Therefore, the OCC generally has the authority to examine and to regulate the functions or
operations performed or provided by third parties to the same extent as if they were
performed by the bank itself on its own premises.
Financial institutions should understand the service contract and legal issues associated with
proposed outsourcing arrangements. The terms of service agreements should be defined in
written contracts that have been reviewed by the financial institution's legal counsel prior to
execution. The characteristics of the business activity being outsourced and the service
provider's strategy for providing those services will determine the terms of the contract.
Elements of well-defined contracts and service agreements usually include:
• Scope: Contracts should clearly define the rights and responsibilities of each party,
including:
o Support, maintenance, and customer service; o Contract timeframes;
o Compliance with applicable laws, regulations, and regulatory guidance; o Training of
financial institution employees; o The ability to subcontract services;
o The distribution of any required statements or disclosures to the financial institution's
Legal and Supplier customers; Insurance coverage requirements; and
2 Fed Outsourcing Guidance o Terms governing the use of the financial institution's property, equipment, and staff.
Relationship Managers • Cost and compensation:
• Right to audit
• Establishment and monitoring of performance standards
• Confidentiality and security of information
• Ownership and license
• Indemnification
• Dispute resolution
• Limits on liability
• Insurance
• Customer complaints
• Business resumption and contingency plan of the service provider
• Foreign-based service providers
• Subcontracting
Financial institutions should understand the service contract and legal issues associated with
proposed outsourcing arrangements. The terms of service agreements should be defined in
written contracts that have been reviewed by the financial institution's legal counsel prior to
execution. The characteristics of the business activity being outsourced and the service
provider's strategy for providing those services will determine the terms of the contract.
Elements of well-defined contracts and service agreements usually include:
• Scope: Contracts should clearly define the rights and responsibilities of each party,
including:
o Support, maintenance, and customer service; o Contract timeframes;
o Compliance with applicable laws, regulations, and regulatory guidance; o Training of
financial institution employees; o The ability to subcontract services;
o The distribution of any required statements or disclosures to the financial institution's
customers; Insurance coverage requirements; and
2 Fed Outsourcing Guidance Legal and Supplier
Relationship Managers o Terms governing the use of the financial institution's property, equipment, and staff.
• Cost and compensation:
• Right to audit
• Establishment and monitoring of performance standards
• Confidentiality and security of information
• Ownership and license
• Indemnification
• Dispute resolution
• Limits on liability
• Insurance
• Customer complaints
• Business resumption and contingency plan of the service provider
• Foreign-based service providers
• Subcontracting
Supervised banks and Including in the contract with the service provider clear expectations about compliance, as
3 CFPB Bulletin on Service Providers well as appropriate and enforceable consequences for violating any compliance-related
nonbanks responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
4 CPSS 115 NA NA
5 FCA Outsourcing In Asset Mgmt. NA NA

Industry
6 FFIEC Booklet on Technology Service Bank Examiners To ensure the examined bank is reviewing the terms of the contract and measuring the
Providers supplier accordingly.
Clearing or carrying member firms must require their approval prior to any transfer of duties
by a 3rd party service provider to a sub-vendor.
Upon adoption of proposed FINRA Rule 3190, FINRA would expect each clearing or carrying
member firm to consider whether amendments or addendums to any such contracts would
7 FINRA 11-14 be necessary to comply with the rule’s requirements.
Ensure contracts specify oversight/supervisory role of the contracting firm
Requirements for vendor and/or 3rd parties to meet regulatory standards
Does not relieve contracting firm of risks and responsibilities to the vendor
The member should ensure that NASD and all other applicable regulators have the same
8 NASD NTM 05-48 Senior Management complete access to the service provider’s work product for the member, as would be the case
if the covered activities had been performed directly by the member.
A Dealer Member that has outsourced one or more activities should enter into written
outsourcing contracts that clearly describe all material aspects of the outsourcing
arrangements, including the rights, responsibilities and expectations of all parties
10 IIROC Guidance On Outsourcing Contract Requirements

10 IIROC Guidance On Outsourcing Contract Requirements Consider other legal requirements, such as privacy laws, that may apply when entering into
outsourcing arrangements.
Enter into written outsourcing contracts that clearly describe all material aspects of the
outsourcing arrangements, including the rights, responsibilities and expectations of all parties
There should be a legally binding written contract between the outsourcing

firm and each third party service provider, the nature and detail of which should be
appropriate to the materiality of the outsourced activity to the ongoing business of the
outsourcing firm.
A legally binding written contract between an outsourcing firm and a service provider
is an important management tool. Appropriate contractual provisions can reduce the
risks of non-performance or disagreements regarding the scope, nature, and quality
of the service to be provided. A written contract will help facilitate the monitoring of the
outsourced activities by the outsourcing firm and/or by securities regulators.
The contract may include, as applicable, provisions dealing with: Limitations or
The level ofifdetail
conditions, of the contents
any, on of the written
service provider's contract
ability should reflect
to subcontract, thethe
and, to level of
extent
11 IOSCOPD187 Contract Requirements monitoring,
subcontracting assessment,
is permitted,inspection and ifauditing
obligations, any, in required,
connectionastherewith,
well as theFirm
risks,
andsize
and
clientcomplexity of theDefining
confidentiality, outsourced the services involved.
responsibilities of the outsourcing firm and the
responsibilities of the service provider and subcontractors, if any, and how such
responsibilities will be monitored, Responsibilities relating to IT security, Payment
arrangements, Liability of the service provider to the outsourcing firm for
unsatisfactory performance or other breach of the agreement, Guarantees and
Regulated
indemnities, firms that engage
Obligation of theinservice
outsourcing
provider aretoexpected
provide, to takerequest,
upon appropriate steps to
records,
confirm thatand/or
information confidential firm and
assistance customeroutsourced
concerning informationactivities
is not misused or
to the outsourcing
misappropriated. Such steps
firm, its auditors and/or may include
its regulators, insertion of
Mechanisms to provisions in the contract
resolve disputes that might with
the service
arise under provider that: Prohibit
the outsourcing the service
arrangement, providercontinuity
Business and its agents from using
provisions, With or
disclosing
respect to the outsourcing
outsourcing on afirm’s proprietary
cross-border information
basis, choice oforlaw
thatprovisions,
of the firm’sTermination
customers, except
of the contract, as necessary
transfer to provide
of information and exit the strategies
contracted services; and Where
appropriate, including terms and conditions relevant to govern the use of
subcontractors with respect to firm and client confidentiality.
12 IOSCOPD432 NA NA
A common platform firm must ensure that the respective rights and obligations of the firm
and of the service provider are clearly allocated and set out in a written agreement.
A firm should only make an outsourcing proposal notification to the FCA after it has carried
out due diligence on the service provider and has had regard to the guidance carried out due
diligence on the service provider and has had regard to the guidance carried out due
diligence on the service provider and has had regard to the guidance set out in ¡ SYSC 8.3.
The FCA will expect a firm to only submit an outsourcing proposal notification in respect of a
service provider that the firm has determined is suitable to carry on the outsourcing activity.
If a firm has received no notice of objection or no request for further information from the
FCA within one month of the FCA receiving the notification, it may outsource the portfolio
management on the basis set out in the notification.
The FCA would use its powers under section 55J of the Act to vary a firm's permission if it
objected to such a notification.
The guidance set out in ■ SYSC 8.3 includes information on what the FCA will expect a firm
to check before the submission of a notification.
8.2.8 A notification under this section should include: (1) details on which of the conditions is
not met;
(2) if applicable, details and evidence of the service provider's authorization or
regulation including the regulator's contact details;
(3) the firm's proposals for meeting its obligations under this chapter on an
ongoing basis;
(4) why the firm wishes to outsource to the service provider;
(5) a draft of the outsourcing agreement between the service provider and the
firm;
14 FRA-FCA Handbook (6) the proposed start date of the outsourcing; and
(7) confirmation that the firm has had regard to the guidance in ¡ SYSC 8.3, or
if it has not, why not.
Where the FCA has not objected to the outsourcing agreement, the firm should have regard
to its obligations under ¡ SUP 15 which include making the FCA aware of any matters which
could affect the firm's ability to provide adequate services to its customers matters which
could affect the firm's ability to provide adequate services to its customers or could result in
serious detriment to its customers or where there has been material change in the
information previously provided to the FCA in relation to the outsourcing.
Section 8.2 : Outsourcing of portfolio management for retail clients to a non-EEA State
The following should be taken into account by a firm where there is no cooperation
agreement between the FCA and the supervisory authority of the service provider or there is
no supervisory authority of the service provider.
(1) The outsourcing agreement should ensure the firm can provide the FCA with any
information relating to the outsourced activity the FCA may require in order to carry out
effective supervision. The firm should therefore assess the extent to which the service
provider's regulator and/or local laws and regulations may restrict access to information
about the outsourced activity. Any such restriction should be described in the notification to
be sent to the FCA.
(2) The outsourcing agreement should require the service provider to provide the firm's
offices in the United Kingdom with all requested information required to meet the firm's
regulatory obligations. The FCA should be given an enforceable right under the agreement to
obtain such information from the firm and to require the service provider to provide the
information directly
OWG Document NA NA
15
NIST Framework NA NA
16
Ongoing Monitoring
Review the results of management’s ongoing monitoring of third-party relationships

involving critical activities.
Board Of Directors Ensure management takes appropriate actions to remedy significant deterioration in
performance or address changing risks or material issues identified through ongoing
monitoring.
Senior Bank Management Ensure ongoing monitoring of third parties, respond to issues when identified, and escalate
significant issues to the board.
A bank should review existing contracts periodically, particularly those involving critical
activities, to ensure they continue to address pertinent risk controls and legal protections.
Perform ongoing monitoring for the duration of the third-party relationship and ensure
compliance with contract terms and service level a agreements
Ongoing Monitoring should include the following:

• business strategy (including acquisitions, divestitures, joint ventures) and reputation
Bank Employees Who Manage Third- (including litigation) that may pose conflicting interests and impact its ability to meet
party relationships contractual obligations and service-level agreements.
• compliance with legal and regulatory requirements.
• financial condition.
• insurance coverage.
• key personnel and ability to retain essential knowledge in support of the activities.
• ability to effectively manage risk by identifying and addressing issues before they are cited
in audit reports.
• process for adjusting policies, procedures, and controls in response to changing threats
and new vulnerabilities and material breaches or other serious incidents.
• information technology used or the management of information systems.
• ability to respond to and recover from service disruptions or degradations and meet
business resilience expectations.
• reliance on, exposure to, or performance of subcontractors; location of subcontractors;
and the ongoing monitoring and control testing of subcontractors.
• agreements with other entities that may pose a conflict of interest or introduce reputation,
operational, or other risks to the bank.
• ability to maintain the confidentiality and integrity of the bank’s information and systems.
• volume, nature, and trends of consumer complaints, in particular those that indicate
compliance or risk management problems.
• ability to appropriately remediate customer complaints.
Financial institutions are responsible for ensuring that services provided by service providers
comply with applicable laws and regulations and are consistent with safe-and-sound banking
practices. Financial institutions should evaluate the adequacy of standards, policies, and
procedures. Depending on the characteristics of the outsourced activity, some or all of the
following may need to be reviewed:
2 Fed Outsourcing Guidance Supplier Risk Managers • Internal controls;
• Facilities management (such as access requirements or sharing of facilities);
• Training, including compliance training for staff;
• Security of systems (for example, data and equipment);
• Privacy protection of the financial institution's confidential information;
• Maintenance and retention of records;
• Business resumption and contingency planning;
• Systems development and maintenance;
• Service support and delivery;
• Employee background checks; and
• Adherence to applicable laws, regulations, and supervisory guidance
CFPB expects supervised banks and nonbanks to have an effective process for managing the
risks of service provider relationships.
Establishing internal controls and on-going monitoring to determine whether the service
provider is complying with Federal consumer financial law; and
3 CFPB Bulletin on Service Providers Supervised Banks and Nonbanks Requesting and reviewing the service provider's policies, procedures, internal controls, and
training materials to ensure that the service provider conducts appropriate training and
oversight of employees or agents that have consumer contact or compliance responsibilities;
Taking prompt action to address fully any problems identified through the monitoring
process, including terminating the relationship where appropriate.
Ongoing Monitoring
A critical service provider should reassess its risks, as well as the adequacy of its risk-
4 CPSS 115 Critical Service Provider management framework in addressing the identified risks, on an ongoing basis.
Should have policies and procedures for monitoring its compliance with its information
security framework.

Industry
6 FFIEC Booklet on Technology Service

Providers To measure the effectiveness of which a bank monitors their provider/ suppliers against
Bank Examiners scope, criticality, services provided.
An ongoing due diligence analysis of each current or prospective third-party service provider
is required to determine, at a minimum, whether: (1) the third-party service provider is
7 FINRA 11-14 Monitoring capable of performing the activities being outsourced; and (2) with
respect to any activities being outsourced, the member firm can achieve compliance with
applicable securities laws and regulations and applicable FINRA and MSRB rules.
Ongoing monitoring of the vendor and 3rd parties to ensure compliance with rules and regs
Ensure the vendor is capable of meeting obligations to the firm
After the member has selected a third-party service provider, the member has a continuing
responsibility to oversee, supervise, and monitor the service provider’s performance of
covered activities
8 NASD NTM 05-48
The member must have in place specific policies and procedures that will monitor the
service providers’ compliance with the terms of any agreements and assess the service
provider’s continued fitness and ability to perform the covered activities being outsourced.
9 ICI - FICCA Engagements
A Dealer Member that has outsourced one or more activities should establish and carry-out
a comprehensive outsourcing risk management program that monitors the risks associated
with:
A Dealer Member that has outsourced one or more activities should establish and carry-out
a comprehensive outsourcing risk management program that monitors the risks associated
with: the outsourced activities; and the outsourcing relationship entered into with the
service provider.
10 IIROC Guidance On Outsourcing Vendor Management
Perform outsourcing agreement reviews to ensure that the outsourced activities covered by
each outsourcing agreement are being performed in accordance with the agreement service
level requirements without exposing the Dealer Member to undue risk
Perform outsourcing agreement reviews to ensure that the outsourced activities covered by
each outsourcing agreement are being performed in accordance with the agreement service
level requirements without exposing the Dealer Member to undue risk
The outsourcing firm should also establish appropriate processes and procedures for
monitoring the performance of the third party service provider. In determining the
Monitoring Processes and
11 IOSCOPD187 appropriate level of monitoring processes and procedures, the outsourcing firm
Procedures
should consider the materiality of the outsourced activity to the ongoing business of
the outsourcing firm and its regulatory obligations, as discussed in the introduction to
these Principles.
Proposed changes to a critical service provider’s technology should entail a thorough

12 IOSCOPD432 Technology Reviews and comprehensive consultation with the FMI and, where relevant, its participants. A
critical service provider should regularly review its technology plans, including
assessments of its technologies and the processes it uses for implementing change.
GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the
Commission, and investment companies to provide an annual notice of their privacy policies
and practices to their customers (and notice to consumers before sharing their nonpublic
personal information with nonaffiliated third parties outside certain exceptions)
Ongoing Monitoring
GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the
Commission, and investment companies to provide an annual notice of their privacy policies
and practices to their customers (and notice to consumers before sharing their nonpublic
personal information with nonaffiliated third parties outside certain exceptions)
When we adopted the disposal rule, we also amended Regulation S-P to require that the
policies and procedures institutions must adopt under the safeguards rule be in writing.
Section 216 of the FACT Act amended the FCRA directed the Commission and other federal
13 REG SP4-57427 financial regulators to adopt regulations for the proper disposal of consumer information,
and provides that any person who maintains or possesses consumer information or any
compilation of consumer information derived from a consumer report for a business
purpose must properly dispose of the information. The disposal rule requires transfer agents
In order to provide clarity, the Disposal Rule Adopting Release included five examples
intended to provide guidance on disposal measures that would be deemed reasonable
under the disposal rule.
Registered with the Commission, as well as brokers and dealers other than notice-registered
broker-dealers, investment advisers registered with the Commission, and investment
companies that maintain or possess “consumer report information” for a business purpose,
to take “reasonable measures to protect against unauthorized access to or use of the
information in connection with its disposal.”
A management company must retain the necessary resources and expertise so as to monitor
effectively the activities carried out by third parties on the basis of an arrangement with the
firm, especially with regard to the management of the risk associated with those
arrangements
14 FRA-FCA Handbook
For the purposes of this chapter an operational function is regarded as critical or important
if a defect or failure in its performance would materially impair the continuing compliance of
a common platform firm with the conditions and obligations of its authorization or its other
obligations under the regulatory system, or its financial performance, or the soundness or
the continuity of its relevant services and activities.
OWG Document NA NA
15
Security Continuous Monitoring

(DE.CM): The information system and
assets are monitored at discrete DE.CM-6: External service provider activity is monitored to detect potential cybersecurity
intervals to identify cybersecurity events
events and verify the effectiveness of • COBIT 5 APO07.06 • ISO/IEC 27001:2013 A.14.2.7, A.15.2.1 • NIST SP 800-53 Rev. 4 CA-7,
16 NIST Framework protective measures. PS-7, SA-4, SA9, SI-4
Oversight & Accountability
Ensure an effective process is in place to manage risks related to third-party relationships in a manner consistent
with the bank’s strategic goals, organizational objectives, and risk appetite.
Approve the bank’s risk-based policies that govern the third-party risk management process and identify critical
activities.
Board Of Directors
Review and approve management plans for using third parties that involve critical activities.
Review summary of due diligence results and management’s recommendations to use third parties that involve
critical activities.
Approve contracts with third parties that involve critical activities.
Oversee enterprise-wide risk management and reporting of third-party relationships.
Review the results of the due diligence to determine whether the third party is able to meet the bank’s expectations
Senior Bank Management and whether the bank should proceed with the third-party relationship. If the results do not meet expectations,
management should recommend that the third party make appropriate changes, find an alternate third party,
conduct the activity in-house, or discontinue the activity.
Bank Employees Who Manage Third- Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-
party relationships party risk management process with its enterprise risk management framework enables continuous oversight and
accountability.
While the activities necessary to implement an effective service provider risk management program can vary based
2 Fed Outsourcing Sr, Mgt on the scope and nature of a financial institution's outsourced activities, effective programs usually include the
Guidance following core elements:
A. Risk assessments;
B. Due diligence and selection of service providers;
C. Contract provisions and considerations;
D. Incentive compensation review;
E. Oversight and monitoring of service providers; and
F. Business continuity and contingency plans.
• The identification and management of risks should be overseen by the critical service provider’s board of directors
Board Of Directors (board).
• The board is expected to ensure an independent and professional internal audit function.
• Should ensure that it provides reliable and resilient operations to users, whether these operations are provided to
Critical Service Provider an FMI directly or to both an FMI and its participants. A critical service provider should have robust operations that
meet or exceed the needs of the FMI.
CFPB Bulletin on The mere fact that a supervised bank or nonbank enters into a business relationship with a service provider does
3 Service Providers Supervised bank and nonbank not absolve the supervised bank or nonbank of responsibility for complying with Federal consumer financial law to
avoid consumer harm.
A service provider that is unfamiliar with the legal requirements applicable to the products or services being offered,
or that does not make efforts to implement those requirements carefully and effectively, or that exhibits weak
Service Provider internal controls, can harm consumers and create potential liabilities for both the service provider and the entity
with which has a business relationship.
Supervised bank and nonbank Depending on the circumstances, legal responsibility may lie with the supervised bank or nonbank as well as with
the supervised service provider.
4 CPSS 115 NA NA
assess the effectiveness of their oversight arrangements to oversee critical activities

outsourced to a service provider, making sure the required expertise is in place
5 FCA Outsourcing In Asset Managers

Asset Mgmt. Industry (2) Oversight risk – If asset managers fail to oversee their service providers effectively, it
could result in poor outcomes for their customers. For example, if an asset manager fails
to detect pricing errors made by the service provider due to poor oversight, investors in
the fund could miss out on returns they should have received.
On oversight, we assessed the firms’ overall oversight frameworks and looked in depth at four
specific areas of outsourced investment operations where we considered there to be a risk of
errors or omissions potentially resulting in customer detriment, namely:
i. reconciliations of assets held with the custodian
ii. pricing and valuations of a portfolio or specific instruments
iii. corporate actions relating to instruments held (such as payment of dividends, rights issues,
meetings of shareholders etc) and
iv. trade processing
In the case of mandatory corporate actions, most asset managers relied on a monitoring and tracking system
provided by their service provider for automated capture of cash dividends and bonus issues. Firms applying more
effective oversight retained capacity to confirm that no
actions had been missed by the provider, despite it being an automated process, by either using off-the-shelf
systems or liaising directly with custodians.
To measure the effectiveness of which a bank has oversight and hold their suppliers accountable against their
against scope, criticality, and services provided.
FFIEC Booklet on
6 Technology Service Bank Examiners
Providers

To measure the effectiveness of which a bank has oversight and hold their suppliers accountable against their
against scope, criticality, and services provided.
FFIEC Booklet on
6 Technology Service Bank Examiners
Providers
Ensure compliance with applicable securities laws and regulations as well as FINRA and MSRB rules when
outsourcing functions and activities
7 FINRA 11-14 Senior Management Prohibits a member firm from delegating its responsibilities for, or control over, any functions or activities performed
by a third-party service provider.
No person can engage in activities that require registration and qualification under FINRA rules without obtaining
the necessary registrations and qualifications.
Risk Transference Firms not relieved of risks and responsibilities and need to ensure the vendor is in compliance with all laws and regs
Members should also include specific policies and procedures to determine whether any covered activities that the
member is contemplating outsourcing are appropriate for outsourcing . Firms may want to consider: financial ,
reputational , and operational impact on the member firm if the third-party service provider fails to perform; the
potential impact of outsourcing on the member’s provision of adequate services to its customers; and the impact of
outsourcing the activity on the ability and capacity of the member to conform with regulatory requirements and
8 NASD NTM 05-48 Senior Management changes in requirements. This is not meant to be an exclusive or exhaustive list of factors a member may need to
consider.
Prohibits a member firm from delegating its responsibilities for, or control over, any functions or activities performed
by a third-party service provider.
A member may never contract its supervisory and compliance activities away from its direct control.
Describe Management Oversight & Controls
9 ICI - FICCA Senior Management
Engagements Describe Responsibilities for risk governance & internal controls
Description and documentation of risk assessment processes
Dealer Members should adopt formal due diligence policies and procedures relating to outsourcing arrangements
Dealer Members should consider ensuring that the outsourcing arrangement with an affiliate includes procedures
designed to limit the access and control that affiliate employees, as well as Dealer Member employees who are
IIROC Guidance On dually employed by the affiliate, may have over Dealer Member and Dealer Member client account data, records
10 Outsourcing NA and assets.
The Dealer Member that has outsourced specific activities retains responsibility for ensuring that the activities are
performed properly and in compliance with relevant IIROC requirements. Outsourcing firms are expected to take
steps to ensure that they and their regulators have access to books and records of service providers concerning
outsourced activities, and that their regulators have the right to obtain, upon request, information concerning the
outsourced activities.
For purposes of this paper, “outsourcing” is defined as an event in which a

regulated outsourcing firm contracts with a service provider for the performance of any
aspect of the outsourcing firm's regulated or unregulated functions that could otherwise
Scope be undertaken by the entity itself. (In this paper, “outsourcing” is limited to the initial transfer of a function
from a regulated entity to a service provider. Further transfers of a function (or a part of that function) from
one third-party service provider to another are referred to herein as “subcontracting.” In this connection,
please note that in some jurisdictions, the initial outsourcing is also referred to as subcontracting.)
According to this definition, outsourcing would not cover purchasing contracts,

although as with outsourcing, firms should ensure that what they are buying is
appropriate for the intended purpose. Purchasing is defined as the acquisition from a
vendor of services, good or facilities without the transfer of the purchasing firm's nonpublic
proprietary or customer information.
Out of Scope Principle 23 of the Objectives and Principles for Securities Regulation requires that the issues identified
above be addressed. It states that “market intermediaries should be required to comply with standards for
11 IOSCOPD187 internal organizations and operational conduct that aim to protect the interests of clients, ensure proper
management of risk, and under which management of the intermediary accepts primary responsibility for
these matters”. The Objectives and Principles also note that “Effective policies and operational procedures
and controls in relation to the firm’s day-to-day business operations should be established.” See id. at
§12.5.
where outsourcing takes place by regulated entities, a firm’s control over the people and processes dealing
with the outsourced function may decrease. Nonetheless, regulators require that the outsourcing firm,
including its board of directors and senior management, remain fully responsible (towards clients and
Board of Directors and Senior regulatory authorities) for the outsourced function, as if the service was being performed in-house.
Management
Accordingly, management and the governing authority of the outsourcing firm should develop and
implement appropriate policies designed to achieve satisfaction of these Outsourcing principles,
periodically review the effectiveness of those policies, and address outsourcing risks in an effective and
timely manner.
The outsourcing firm, its management and its governing authority retains full legal liability and
Accountability accountability to the regulator for any and all functions that the firm may outsource to a service provider to
the same extent as if the service were provided inhouse.
Where a third-party service provider operates other lines of business or provides other services that are
not essential or important to the operation of an FMI, these activities are out of scope of the assessment
against the oversight expectations of Annex F.
Out of Scope
Out of Scope
Where a third-party service provider operates other lines of business or provides other services that are
not essential or important to the operation of an FMI, these activities are out of scope of the assessment
against the oversight expectations of Annex F.
This assessment focuses only on the critical services provided by a third-party service provider to an FMI.
Under this assessment methodology for Annex F, a rating for each oversight expectation can be assigned
along the same framework developed for the CPSS-IOSCO Principles for financial market infrastructures:
Disclosure framework and Assessment methodology report. The rating framework is built on the gravity
and urgency of the need to remedy identified issues of concern.
CPSS-IOSCO Principles for financial market infrastructures: Disclosure framework and

Assessment methodology - December 2012 (Rating Framework) Observed: The authorities
fulfil the responsibility. Any identified gaps and shortcomings are not issues of concern and are minor,
In Scope Oversight Expectations manageable and of a nature that the authorities could consider taking them up in the normal conduct of
(Ratings) their activities.
12 IOSCOPD432 Broadly observed: The authorities broadly fulfil the responsibility. The assessment has identified one or
more issues of concern that the authorities should address and follow up on in a defined timeline.
Partly observed: The authorities partly fulfil the responsibility. The assessment has identified one or more
issues of concern that could become serious if not addressed promptly. The authorities to which these
concerns apply should accord a high priority to addressing these issues.
Not observed: The authorities do not fulfil the responsibility. The assessment has identified one or more
serious issues of concern that warrant immediate action. Therefore, the authorities to which these
concerns apply should accord the highest priority to addressing these issues.
Not applicable: The responsibility does not apply to the authorities because of the particular institutional
framework or other conditions faced by the authorities with respect to this responsibility.
The identification and management of risks should be overseen by the critical service provider’s board of
Board of Directors directors (board) and assessed by an independent, internal audit function that can communicate clearly its
assessments to relevant board members. The board is expected to ensure an independent and
professional internal audit function.
The internal audit function should be reviewed to ensure it adheres to the principles of a professional
organisation that governs audit practice and behaviour (such as the Institute of Internal Auditors) and is
Internal Audit able to independently assess inherent risks as well as the design and effectiveness of risk-management
processes and internal controls. The internal audit function should also ensure that its assessments are
communicated clearly to relevant board members.
If a firm outsources critical or important operational functions or any

relevant services and activities, it remains fully responsible for discharging
all of its obligations under the regulatory system and must comply, in
particular, with the following conditions:
(1) the outsourcing must not result in the delegation by senior
personnel of their responsibility;
(2) the relationship and obligations of the firm towards its clients
under the regulatory system must not be altered;
(3) the conditions with which the firm must comply in order to be
authorized, and to remain so, must not be undermined;
(4) none of the other conditions subject to which the firm's
authorization was granted must be removed or modified.
[Note: article 14(1) of the MiFID implementing Directive]
14 FRA-FCA Handbook
A common platform firm must in particular take the necessary steps to ensure that the following conditions are
satisfied: 8.1.8 FCA PRA
(1) the service provider must have the ability, capacity, and any authorization required by law to perform the
outsourced functions, services or activities reliably and professionally;
(2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish
methods for assessing the standard of performance of the service provider;
(3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately
manage the risks associated with the outsourcing;
(4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions
effectively and in compliance with applicable laws and regulatory requirements;
(5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the
risks associated with the outsourcing , and must supervise those functions and manage those risks;
(6) the service provider must disclose to the firm any development that may have a material impact on its ability to
carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
(7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to
the continuity and quality of its provision of services to clients;
(8) the service provider must co-operate with the appropriate regulator and any other relevant competent authority
in connection with the outsourced activities; 8 ¡ Release 147 œ March 2014 8.1.8 SYSC 8 : Outsourcing Section
8.1 : General outsourcing requirements PAGE 4(9) the firm, its auditors, the appropriate regulator and any other
relevant competent authority must have effective access to data
14 FRA-FCA Handbook related to the outsourced activities, as well as to the business
premises of the service provider; and the appropriate regulator
and any other relevant competent authority must be able to exercise
those rights of access;
(10) the service provider must protect any confidential information
relating to the firm and its clients;
(11) the firm and the service provider must establish, implement and
maintain a contingency plan for disaster recovery and periodic
testing of backup facilities where that is necessary having regard
to the function, service or activity that has been outsourced.
[Note: article 14(2) second paragraph of the MiFID implementing
(9) the firm, its auditors, the appropriate regulator and any other relevant competent authority must have effective
access to data related to the outsourced activities, as well as to the business premises of the service provider; and
the appropriate regulator and any other relevant competent authority must be able to exercise those rights of
access;
(10) the service provider must protect any confidential information relating to the firm and its clients;
(11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster
recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or
activity that has been outsourced.
[Note: article 14(2) second paragraph of the MiFID implementing Directive .A management company must retain the
necessary resources and
expertise so as to monitor effectively the activities carried out by third 8.1.13 FCA parties on the basis of an
arrangement with the firm, especially with
regard to the management of the risk associated with those arrangements.
OWG Document NA NA
15
3.3 Communicating Cybersecurity Requirements with Stakeholders
The Framework provides a common language to communicate requirements among interdependent stakeholders
responsible for the delivery of essential critical infrastructure services. Examples include:
•
An organization may utilize a Target Profile to express cybersecurity risk management requirements to an external
service provider (e.g., a cloud provider to which it is exporting data).
•
An organization may express its cybersecurity state through a Current Profile to report results or to compare with
acquisition requirements.
•
A critical infrastructure owner/operator, having identified an external partner on whom that infrastructure depends,
may use a Target Profile to convey required Categories and Subcategories.
•
A critical infrastructure sector may establish a Target Profile that can be used among its constituents as an initial
baseline Profile to build their tailored Target Profiles.
NIST Framework
Asset Management (ID.AM): The data, ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g.,
NIST Framework personnel, devices, systems, and suppliers, customers, partners) are established
facilities that enable the organization to • COBIT 5 APO01.02, DSS06.03 • ISA 62443-2-1:2009 4.3.2.3.3 • ISO/IEC 27001:2013 A.6.1.1
achieve business purposes are
identified and managed consistent with
their relative importance to business
objectives and the organization’s risk
strategy
Business Environment (ID.BE): The

organization’s mission, objectives, ID.BE-4: Dependencies and critical functions for delivery of critical services are established
stakeholders, and activities are • ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3 • NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
understood and prioritized; this
information is used to inform
cybersecurity roles, responsibilities,
and risk management decisions.
Awareness and Training (PR.AT): The

organization’s personnel and partners PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
are provided cybersecurity awareness
education and are adequately trained
to perform their information security-
related duties and responsibilities
consistent with related policies,
16 procedures, and agreements
Termination
Terminate arrangements with 3rd parties that do not meet expectations or no longer align
Senior Bank Management with the banks strategic goals, objectives or risk appetite. Ensure that relationships terminate
in an efficient manner, whether the activities are transitioned to another third party or in-
house, or discontinued.
Recommend termination of arrangements with 3rd parties that do not meet expectations or
no longer align with the banks strategic goals, objectives or risk appetite.

Bank Employees who directly
manage 3rd party
relationships Develop a plan to transition to an alternate vendor or bring a service in house if there are no
alternate 3rd parties to dilute risk in the event of a contract default or termination. The plan
should cover:
• capabilities, resources, and the time frame required to transition the activity while still
managing legal, regulatory, customer, and other impacts that might arise.
• risks associated with data retention and destruction, information system connections and
access control issues, or other control concerns that require additional risk management and
monitoring during and after the end of the third-party relationship.
• handling of joint intellectual property developed during the course of the arrangement.
• reputation risks to the bank if the termination happens as a result of the third party’s
inability to meet expectations.
2 Fed Outsourcing Guidance

Legal, Supplier Relationship Maintain an exit strategy, including a pool of comparable service providers, in the event that
Manager a contracted service provider is unable to perform.
Taking prompt action to address fully any problems identified through the monitoring
3 CFPB Bulletin on Service Providers Supervised banks and process, including terminating the relationship where appropriate.
nonbanks
4 CPSS 115 NA NA
As the majority of service providers are part of G-SIFIs13, they will have recovery and
resolution plans (RRPs) or ‘living wills’ in place. RRPs are designed to help regulatory
authorities develop plans to resolve failing G-SIFIs in an orderly manner. We found that a lot
of asset managers are keen to incorporate the RRP of their service provider’s group within
5 FCA Outsourcing In Asset Mgmt. Industry NA their emergency exit plans. However, asset managers should be mindful that the existence of
an RRP does not
automatically mean that the current service they receive will continue uninterrupted if the
group experiences severe financial distress. We continue to keep in close contact with the
PRAon the development of G-SIFI’s RRPs.
6 FFIEC Booklet on Technology Service Bank Examiners To measure the effectiveness of which a bank has an exit strategy in event of suppliers
Providers disruption or inadequate level of service oversight
7 FINRA 11-14 NA NA
8 NASD NTM 05-48 NA NA
An outsourcing firm is expected to have a written, legally binding contract between itself and
the third party service provider, appropriate to the materiality of the outsourced activity to
10 IIROC Guidance On Outsourcing the ongoing business of the firm. The contract may include, as applicable, provisions dealing
with.. Termination of the contract, transfer of information and exit strategies
Outsourcing firms are expected to take appropriate steps to manage termination of
Vendor Management outsourcing arrangements.
Outsourcing with third party service providers should include contractual provisions
relating to termination of the contract and appropriate exit strategies
11 IOSCOPD187 Termination Guidance

Termination
This risk needs to be managed by an agreement between the firm and the service
provider taking into account factors such as when an arrangement can be terminated,
what will occur on termination and strategies for managing the transfer of the activity
back to the firm or to another party.
11 IOSCOPD187 Termination Guidance
Means for Implementation: Termination rights, e.g., in case of insolvency, liquidation
or receivership, change in ownership, failure to comply with regulatory requirements,
or poor performance; Minimum periods before an announced termination can take
effect to allow an orderly transition to another provider or to the firm itself, and to
provide for the return of customer-related data, and any other resources; The clear
delineation of ownership of intellectual property following the contract’s termination,
and specifications relating to the transfer of information back to the outsourcing firm.
12 IOSCOPD432 NA NA
NA
14 FRA-FCA Handbook NA
OWG Document NA
15 NA
NA NA
16 NIST Framework
Senior Bank Management Ensure appropriate documentation and reporting throughout the life cycle for all third-party
relationships.
Maintain appropriate documentation throughout lifecycle to include: • a current inventory of

all third-party relationships, which should clearly identify those relationships that involve
1 OCC Bulletin 2013-29 Bank Employees who critical activities and delineate the risks posed by those relationships across the bank.10
directly manage 3rd party • approved plans for the use of third-party relationships.
relationships • due diligence results, findings, and recommendations.
• analysis of costs associated with each activity or third-party relationship, including any
indirect costs assumed by the bank.
• executed contracts.
• regular risk management and performance reports required and received from the third
party (e.g., audit reports, security reviews, and reports indicating compliance with service-
level agreements).
• regular reports to the board and senior management on the results of internal control
testing and ongoing monitoring of third parties involved in critical activities.
• regular reports to the board and senior management on the results of independent
reviews of the bank’s overall risk management process.
Financial institutions are responsible for ensuring that services provided by service providers
comply with applicable laws and regulations and are consistent with safe-and-sound banking
practices. Financial institutions should evaluate the adequacy of standards, policies, and
procedures. Depending on the characteristics of the outsourced activity, some or all of the
following may need to be reviewed:
• Internal controls;
• Facilities management (such as access requirements or sharing of facilities);
• Training, including compliance training for staff;
2 Fed Outsourcing Guidance Supplier Risk Managers
• Security of systems (for example, data and equipment);
• Privacy protection of the financial institution's confidential information;
• Maintenance and retention of records;
• Business resumption and contingency planning;
• Systems development and maintenance;
• Service support and delivery;
• Employee background checks; and
• Adherence to applicable laws, regulations, and supervisory guidance
3 CFPB Bulletin on Service Providers NA NA
• A critical service provider is expected to identify and manage relevant operational and
financial risks to its critical services and ensure that its risk-management processes are
effective.
• Should have effective processes and systems for identifying and documenting risks,
implementing controls to manage risks, and making decisions to accept certain risks.
• Should reassess its risks, as well as the adequacy of its risk-management framework in
addressing the identified risks, on an ongoing basis.
• Should have a robust information security framework that appropriately manages its
information security risks. The framework should include sound policies and procedures to
4 CPSS 115 Critical Service Provider protect information from unauthorized disclosure, ensure data integrity, and guarantee the
availability of its services.
4 CPSS 115 Critical Service Provider
• This framework should also include capacity planning policies and change-management
practices. For example, a critical service provider that plans to change its operations should
assess the implications of such a change on its information security arrangements.
• Any operational incidents should be recorded and reported to the Financial Market
Infrastructure (FMI) and the FMI’s regulator, supervisor, or overseer. Incidents should be
analyzed promptly by the critical service provider in order to prevent recurrences that could
have greater implications.
5 FCA Outsourcing In Asset Mgmt. Industry NA NA
FFIEC Booklet on Technology Service To measure the effectiveness of which a bank documents and reports on suppliers
6 Bank Examiners
Providers performance and delivery of service.
A Clearing or Carrying member firm must notify FINRA within 30 calendar days after entering
into any outsourcing agreement with a 3rd party service provider to perform any function or
Person designated with activity related to the firms business as a regulated broker dealer. Notification must include
responsibility for FINRA the function being performed, the identity and location of the 3rd party service provider, the
7 FINRA 11-14 notifications identity of the 3rd party service providers regulator( if any) and a description of any
affiliation between the firm and the 3rd party service provider.
A Clearing or carrying member must maintain a copy of each outsourcing agreement

notification to FINRA and any underlying written agreement(s) with the 3rd party service
provider.
Regulatory Reporting Report all applicable outsourcing contracts within 30 days to FINRA
A Dealer Member should inform IIROC of any new outsourcing arrangements involving core
Dealer Member activities that are being entered into by a Dealer Member, in accordance
with IIROC Rules Notice 10-0060
maintain a centralized list, along with copies of related agreements, of the outsource service
providers to which core Dealer Member activities have been outsourced
where practical and/or available (such as special purpose reports regularly prepared by
external auditors for outsource service providers5), obtain and provide to IIROC a report on
the adequacy of internal controls for each outsource arrangement relating to a core Dealer
Member activity and include as part of its business continuity planning, plans that address
the scenario where one or more major outsource service providers undergo a business
disruption. Requirement for the outsourcing firm to monitor the third party service
provider's performance and compliance with its contractual obligations, including processes
and procedures that:
• Clearly define metrics that will measure the service level, and specify what service levels
Management are required; and
• Establish measures to identify and report instances of non-compliance or unsatisfactory
performance to the outsourcing firm as well as the ability to assess the quality of services
performed by the service provider on a regular basis
Describe the following:

- Whether or not the company uses subservice providers or subcontractors
- The primary partners or subcontractors
- Location: onsite, offsite, offshore
- Employee Background Checks
- Compliance awareness training
- Assessment process for subservice providers' or subcontractors' business continuity /
disaster recovery plans
- The company's policy / practice related to subcontractors, including the following:
- How long has this been in practice
- Communications protocols
- The conditions under which subcontractors are used
- How subcontractors are trained and held to the company's standards (e.g., privacy
protection)
- Whether the contractor has a SSAE 16 report or other form of external oversight report.
In not, how the company gains comfort with the subcontractors control environment.
10 IIROC Guidance On Outsourcing
Company should have an "Information Security Policy" that contains provisions describing
impact on, and applicability to, third-parties (subcontractors).
- Controls should address monitoring compliance and awareness and training.
Company should have a "Document Retention and Recordkeeping Policy" that includes
controls that address the process for subcontractor / vendor compliance.
Company should have controls that address the process for "Security Master Setup and
Maintenance" that include controls that address process for oversight of subservice
providers (e.g., user control considerations at sub accounting platforms where these controls
may be performed)
Company should have controls that address "Transaction Processing - Financial and
Nonfinancial" that include controls that address oversight of subservice providers (e.g., user
control considerations at sub accounting platforms where controls may be performed).
Company should have controls that address "Subaccount Billing, Invoice Processing" that
include controls that address oversight of subservice providers.
Company should have controls that address "Fee Calculations" that include controls that
address oversight of subservice providers.
Company should have controls that address "Information Technology (including Internet &
VRU)" that include controls that address Third-party providers the company uses for
Information Technology Services.
Company should have controls that address "Blue Sky Reporting" that include controls that
address oversight of subservice providers.
Documenting processes and procedures that enable the outsourcing firm to

assess, prior to selection, the third party service provider’s ability and capacity to
perform the outsourced activities effectively, reliably, and to a high standard, including
the service provider’s technical, financial and human resources capacity, together
with any potential risk factors associated with using a particular service provider.
11 IOSCOPD187 Program Documentation

Documenting processes and procedures that enable the outsourcing firm to

monitor the third party service provider's performance and compliance with its
contractual obligations, including processes and procedures that: Clearly define
metrics that will measure the service level, and specify what service levels are
required, Establish measures to identify and report instances of non-compliance or
unsatisfactory performance to the outsourcing firm as well as the ability to assess the
quality of services performed by the service provider on a regular basis,
Implementing processes and procedures designed to help ensure that the service
11 IOSCOPD187 Program Documentation provider is in compliance with applicable laws and regulatory requirements in its
jurisdiction, and that where there is a failure to perform duties required by statute or
regulations, the outsourcing firm, to the extent required by law or regulation, reports
the failure to its regulator and/or selfregulatory organization and takes corrective
actions (service delivery reports and the use of internal and external auditors to
monitor, assess, and report to the outsourcing firm on performance / written service
level agreements or the inclusion of specific service level provisions in contracts for
service to achieve clarity of performance targets and measurements for third party
service providers), With respect to outsourcing on a cross-border basis, in
determining whether the use of a foreign service provider is appropriate, the
outsourcing firm may, with respect to a function that is material to the firm, need to
conduct enhanced due diligence that focuses on special compliance risks, including
the ability to effectively monitor the foreign service provider, the ability to maintain the
confidentiality of firm and customer information; and the ability to execute
contingency plans and exit strategies where the service is being performed on a
cross-border basis.
A critical service provider should ensure that it provides reliable and resilient
operations to users, whether these operations are provided to an FMI directly or to
both an FMI and its participants. A critical service provider should have robust
operations that meet or exceed the needs of the FMI. Any operational incidents
should be recorded and reported to the FMI and the FMI’s regulator, supervisor, or
overseer. Incidents should be analysed promptly by the critical service provider in
order to prevent recurrences that could have greater implications.
In addition, a critical service provider should have robust business continuity and
disaster recovery objectives and plans. These plans should include routine business
continuity testing and a review of these test results to assess the risk of a major
Incident Reporting / operational disruption.
Testing Results / Defined
12 IOSCOPD432
Roles / Crisi In particular, a critical service provider should provide the FMI and, where
Communications Plan appropriate, its participants with sufficient information so that users clearly
understand their roles and responsibilities, enabling them to manage adequately their
risks related to their use of the services provided. Useful information for users
typically includes, but is not limited to, information concerning the critical service
provider’s management processes, controls, and independent reviews of the
effectiveness of these processes and controls.
As a part of its communication procedures and processes, a critical service provider

should have mechanisms to consult with users and the broader market on any
technical changes to its operations that may affect its risk profile, including incidences
of absent or non-performing risk controls of services. In addition, a critical service
provider should have a crisis communication plan to handle operational disruptions to
its services.
(1) In addition to the requirements set out in the MiFID outsourcing

rules, when a MiFID investment firm outsources the investment
service of portfolio management to retail clients to a service
provider located in a non-EEA state, it must ensure that the
following conditions are satisfied:
(a) the service provider must be authorized or registered in its
home country to provide that service and must be subject to
prudential supervision;
(b) there must be an appropriate cooperation agreement between
14 FRA-FCA Handbook the FCA and the supervisor in the non-EEA state ;
(in this chapter the "conditions").
(2) In addition to complying with the common platform outsourcing
rules, if one or both of the conditions are not satisfied, a MiFID
investment firm may enter into such an outsourcing only if it gives
prior notification in writing to the FCA containing adequate details
of the proposed outsourcing and the FCA does not object to that
arrangement within a reasonable time following receipt of that
notification.
[Note: article 15(2) and (4) of the MiFID implementing Directive]
(3) For the purposes of this rule a "reasonable time" is within one
month of receipt of a notification. However, the FCA may seek
further information from the MiFID investment firm in relation
to the outsourcing proposal if this is necessary to enable the FCA
to make a decision. Any effect this may have on the FCA's response
time will be notified to the MiFID investment firm and that revised
response time will constitute a reasonable time for the purposes
of this rule.
OWG Document NA NA
15
NA NA
16 NIST Framework
Independent Review
Board Of Directors Review results of periodic independent reviews of the bank’s third-party risk management
process.
Ensure periodic independent reviews of third-party relationships that involve critical

activities and of the bank’s third-party risk management process. Analyze the results, take
appropriate actions, and report results to the board. Reviews may include: • ensuring third-
party relationships align with the bank’s business strategy.
Senior Bank Management • identifying, assessing, managing, and reporting on risks of third-party relationships.
1 OCC Bulletin 2013-29 • responding to material breaches, service disruptions, or other material issues.
• identifying and managing risks associated with complex third-party relationships, including
foreign-based third parties and subcontractors.
• involving multiple disciplines across the bank as appropriate during each phase of the third-
party risk management life cycle.11
• ensuring appropriate staffing and expertise to perform due diligence and ongoing
monitoring and management of third parties.
• ensuring oversight and accountability for managing third-party relationships (e.g., whether
roles and responsibilities are clearly defined and assigned and whether the individuals
possess the requisite expertise, resources, and authority).
• ensuring that conflicts of interest or appearances of conflicts of interest do not exist when
selecting or overseeing third parties.
• identifying and managing concentration risks that may arise from relying on a single third
party for multiple activities, or from geographic concentration of business due to either
direct contracting or subcontracting agreements to the same locations.
Bank Employees who directly

manage 3rd party relationships
Respond to material weaknesses identified by independent reviews.
Financial institutions should refer to existing guidance on the engagement of independent

public accounting firms and other outside professionals to perform work that has been
traditionally carried out by internal auditors.
2002 specifically prohibits a registered public accounting firm from performing certain non-
audit services for a public company client for whom it performs financial statement audits.
Risk management activities: Financial institutions may outsource various risk management
2 Fed Outsourcing Guidance Enterprise Risk Management and
Supplier Relationship Managers activities, such as aspects of interest rate risk and model risk management. Financial
institutions should require service providers to provide information that demonstrates
developmental evidence explaining the product components, design, and intended use, to
determine whether the products and/or services are appropriate for the institution's
exposures
and risks
3 CFPB Bulletin on Service Providers NA NA
4 CPSS 115 Independent, internal audit Identification and management of risks should be assessed by an independent, internal
function audit function that can communicate clearly its assessments to relevant board members.

Industry
6 FFIEC Booklet on Technology Service Bank Examiners To measure the effectiveness of which a supplier is independently reviewed to ensure client
Providers contract/ compliance adherence.
7 FINRA 11-14 NA NA

Independent Review
9 ICI - FICCA Engagements

Whether the contractor has a SSAE 16 report or other form of external oversight report. In
not, how the company gains comfort with the subcontractors control environment.
Where practical and/or available (such as special purpose reports regularly prepared by
external auditors for outsource service providers5), obtain and provide to IIROC a report on
the adequacy of internal controls for each outsource arrangement relating to a core Dealer
Member activity;
10 IIROC Guidance On Outsourcing
The guidance specifies that the registrant firm and its regulator and auditors should have the
same access to the work product of a third-party service provider as they would if the firm
itself performed the activities. Firms should ensure this access is provided and should include
Audit Requirements a provision requiring it in any contract entered into with a service provider.
11 IOSCOPD187 NA NA
Adherence to these expectations (outlined in Annex F of the Principles for financial

market infrastructures) can be achieved in one of two ways, at the discretion of the
authority: (a) the authority monitors adherence to the expectations itself in a direct
relationship with the critical service provider or (b) the authority communicates the
standards to the FMI, which obtains assurances from its critical service providers that
they comply with the expectations.
Third Party Compliance with

12 IOSCOPD432 Where permitted under the applicable legal framework, a regulator, supervisor, or
Expectations Review
overseer of an FMI may choose to assess an FMI’s critical service provider against
these expectations to promote robust payment systems that are systemically
important, central securities depositories, securities settlement systems, central
counterparties, and trade repositories. Such assessments are intended to provide an
assurance of quality of service that FMIs would seek from their critical service
providers as part of their compliance with broader CPSS-IOSCO principles.
14 FRA-FCA Handbook NA NA
Industry response to FSA Enhanced Supplier Guidelines for Financial Institutions. Key area of
Enterprise Risk Management and
OWG Document Supplier Relationship Managers focus around supplier management: Oversight, Exit Planning and Standardization. Each
15 institution will need to decide on implementation plan.
NA NA
16 NIST Framework
Supervisory Review
Assess the bank’s ability to oversee and manage its relationships.

Highlight and discuss material risks and any deficiencies in the bank’s risk management
process with the board of directors and senior management
Carefully review the bank’s plans for appropriate and sustainable remediation of such
deficiencies, particularly those associated with the oversight of third parties that involve
critical activities.
Follow existing guidance for citing deficiencies in supervisory findings and reports of
examination, and recommend appropriate supervisory actions.
Consider the findings when assigning the management component of the Federal Financial
1 OCC Bulletin 2013-29 OCC Examiners Institutions Examination Council’s (FFIEC) Uniform Financial Institutions Rating System
(CAMELS ratings).12
Reflect the associated risks in their overall assessment of the bank’s risk profile
When circumstances warrant, the OCC may use its authority to examine the functions or
operations performed by a third party on the bank’s behalf. Such examinations may evaluate
safety and soundness risks, the financial and operational viability of the third party to fulfill
its contractual obligations, compliance with applicable laws and regulations, including
consumer protection, fair lending, BSA/AML and OFAC laws, and whether the third party
engages in unfair or deceptive acts or practices in violation of federal or applicable state law.
To effectively monitor contractual requirements, financial institutions should establish

acceptable performance metrics that the business line or relationship management
determines to be indicative of acceptable performance levels. Financial institutions should
ensure that personnel with oversight and management responsibilities for service providers
have the appropriate level of expertise and stature to manage the outsourcing arrangement.
Enterprise Risk The oversight process, including the level and frequency of management reporting, should
2 Fed Outsourcing Guidance Management and Supplier be risk-focused. Higher risk service providers may require more frequent assessment and
Relationship Managers monitoring and may require financial institutions to designate individuals or a group as a
point of contact for those service providers. Financial institutions should tailor and
implement risk mitigation plans for higher risk service providers that may include processes
such as additional reporting by the service provider or heightened monitoring by the
financial institution. Further, more frequent and stringent monitoring is necessary for service
providers that exhibit performance, financial, compliance, or control concerns. For lower risk
service providers, the level of monitoring can be lessened.
Title X authorizes the CFPB to examine and obtain reports from supervised banks and
nonbanks for compliance with Federal consumer financial law and for other related purposes
and also to exercise its enforcement authority when violations of the law are identified.
Title X grants the CFPB supervisory and enforcement authority over supervised service
providers, which includes the authority to examine the operations of service providers on
3 CFPB Bulletin on Service Providers CFPB site.
The CFPB will exercise the full extent of its supervision authority over supervised service
providers, including its authority to examine for compliance with Title X's prohibition on
unfair, deceptive, or abusive acts or practices.
The CFPB will also exercise its enforcement authority against supervised service providers as
appropriate.
• A critical service provider is expected to implement and maintain appropriate policies and
procedures, and devote sufficient resources to ensure the confidentiality and integrity of
information and the availability of its critical services in order to fulfil the terms of its
4 CPSS 115 Critical Service Providers relationship with an Financial Market Infrastructure (FMI).
• Should have a robust information security framework that appropriately manages its
information security risks.

Industry
Ensure TSP can meet contractual and regulatory obligations

6 FFIEC Booklet on Technology Service Vendor Management
Providers To measure the overall effectiveness of which a bank supplier framework and program
Supervisory Review
6 FFIEC Booklet on Technology Service Vendor Management

Providers
Perform required remediation's for risks/gaps identified
7 FINRA 11-14 NA NA
10 IIROC Guidance On Outsourcing IIROC intends to focus its

regulatory resources on
the review of material
outsourcing arrangements
involving core activities.
In some jurisdictions, as discussed below, regulators impose restrictions on the
outsourcing of certain functions where they believe the outsourcing introduces an
unacceptable risk or is critical to the function of an intermediary.
regulators expect that they will have complete access to books and records
concerning an outsourcing firm’s activities, even if such documents are in the custody
of the firm’s service provider. Regulators must also take account of possible
operational and systemic risks that may exist in the event that multiple regulated
entities use a common service provider.
the relevant regulator may impose sanctions and penalties on a regulated entity in its
jurisdiction for violations of statutory and regulatory requirements that resulted in
whole or in part from the failure of a service provider (whether licensed or unlicensed)
to perform its contractual obligations for the outsourcing firm.
Regulatory Action
Outsourcing firms should also be aware of and comply with local mechanisms that
may have been put in place to implement these Principles. Such mechanisms may
take the form of government regulation, regulations imposed by non-government
statutory regulators, industry codes or practices, or some combination of these items.
The outsourcing firm must retain the competence and ability to be able to ensure that
the firm complies with all regulatory requirements. Moreover, outsourcing must not be
permitted to impair the regulator’s ability to exercise its statutory responsibilities, such
as the proper supervision and audit of the firm. Regulators should also consider the
implications that the use of unlicensed service providers may have on the regulator’s
ability to supervise properly securities activities in their jurisdiction. Such concerns
may be heightened in instances where the outsourcing firm delegates to the service
provider the authority to act in the name of the outsourcing firm.
The regulator, the outsourcing firm, and its auditors should have access to the books
and records of service providers relating to the outsourced activities and the regulator
should be able to obtain promptly, upon request, information concerning activities that
are relevant to regulatory oversight.
Regulator's and
Intermediary’s Access to
Books and Records,
Including Rights of
Inspection.
Supervisory Review
As set forth in IOSCO Principle 12.7, the regulator should have the right to inspect
books and records of regulated entities. Accordingly, regulators should be able, upon
request, to obtain promptly any books and records pertaining to the regulated activity,
irrespective of whether they are in the possession of the outsourcing firm or the third
party service provider, and to obtain additional information concerning regulated
activities performed by the service provider. A regulator’s access to such books and
records may be direct or indirect, though the outsourcing firm should always maintain
direct access to such books and records. This may include a requirement that the
books and records be maintained in the regulator’s jurisdiction, or that the service
provider agrees to send originals or copies of the books and records to the
regulator’s jurisdiction
upon request. Moreover, in order to facilitate the regulator’s access to books and
records as well as to maintain orderly business operations of the outsourcing firms,
arrangements between outsourcing firms and service providers should seek to
ensure that the outsourcing firms have appropriate access to books and records and
other information where it is in the custody of a third party.
Regulator's and
Books and Records,
Including Rights of Means for Implementation: Contractual provisions by which the outsourcing firm
Inspection. (including its auditor) has access to, and a right of inspection of, the service
provider's books and records dealing with outsourced activities, and similar access to
the books and records of any subcontractor. Where appropriate, these may include
physical inspections at the premises of the service provider, delivery of books and
records or copies of books and records to the outsourcing firm or
its auditor, or inspections that utilize electronic technology (i.e., “virtual inspections”);
Contractual provisions by which the service provider is required to make books,
records, and other information about regulated activities by the
service provider available to the regulator upon request and, in addition, to comply
with any requirements in the outsourcing firm’s jurisdiction to provide periodic reports
11 IOSCOPD187 to the regulator.
Where appropriate, taking action against outsourcing firms for the failure to provide
books and records required in that jurisdiction, without regard to whether the
regulated entity has transferred possession of required books and records to one or
more of its service providers; Imposing specific requirements concerning access to
books and records that are held by a service provider and which are necessary for
the authority to perform its oversight and supervisory functions with respect to
regulated entities in its jurisdiction. These may possibly include requiring that records
be maintained in the regulator’s jurisdiction, allowing for a right of inspection, or
requiring that the service provider agree to send originals or
copies of the books and records to the regulator’s jurisdiction upon request
The outsourcing firm should take appropriate steps to require that service
providers protect confidential information regarding the outsourcing firm’s proprietary
and other information, as well as the outsourcing firm’s clients from intentional or
inadvertent disclosure to unauthorized individuals. Unauthorized disclosure of
confidential firm and customer information could have a
number of negative consequences. Such unauthorized disclosure could result in
damage to the firm’s reputation, financial losses, and the loss of or risk to proprietary
information (including the firm’s trade secrets). In addition, unauthorized disclosure
could result in the disclosure of private and sensitive information about individuals
Client Confidentiality Iss
who have a reasonable expectation of privacy, and might also result in a material
financial loss to a firm’s customers. In addition to the potential harm to a firm’s
customers, an unauthorized disclosure could also result in the outsourcing firm
having financial liability to its customers and/or its regulators, possibly affecting the
firm’s solvency. Where appropriate, regulators may choose to review the protections
that are in place between the outsourcing firm and the service provider and, in
addition, may choose to review the measures that are in place between a service
provider and its agents that may have an impact on the data and/or its use, so that
there are no unauthorized disclosures among the various service providers.
Supervisory Review
Regulators should be cognizant of the risks posed where one service

provider provides outsourcing services to multiple regulated entities. Where multiple
outsourcing firms use a common service provider, operational risks are
correspondingly concentrated, and may pose a threat of systemic risk. For example,
if the service provider suddenly and unexpectedly becomes unable to perform
services that are critical to the business of a significant number of regulated
Concentration of Outsouroutsourcing firms, each of the regulated entities will be similarly disabled.
Alternatively, if multiple outsourcing firms depend upon the same provider of business
continuity services (e.g., a common disaster recovery site), a disruption that affects a
large number of those entities may result in a lack of capacity for the business
continuity services. Each of these scenarios may result in follow-on effects on
markets that depend on participation by the outsourcing firms, or on public
confidence.
Taking steps to become aware of cases where a significant proportion of

their regulated entities rely upon a single service provider to provide critical
functions. This could include, where appropriate, a monitoring program and/or a risk
assessment methodology, and the collection of routine information on outsourcing
arrangements from outsourcing firms and/or service providers. In this regard,
regulators should be cognizant of the potential that subcontracting by service
Regulators should conside
providers of a particular function may itself result in concentration risk; Tailoring their
examination programs or related activities in light of concentrations of outsourcing
activity. Where a regulator has identified a possible concentration risk issue,
outsourcing firms should consider taking steps to ensure, to the degree practicable,
that the service provider has adequate capacity to meet the needs of all outsourcing
firms, both during normal operations as well as unusual circumstances (e.g., unusual
market activity, physical disaster).
Typically, this assessment would be conducted (or commanded) by the critical service
provider itself which would then make the (self-)assessment available to the FMI and
the latter's regulatory authority. The assessment methodology relies on key questions
for each oversight expectation, which address the critical service provider’s approach
or framework to managing risks. These questions are neither intended to serve purely
as a checklist nor to be exhaustive. Regulators, supervisors, and overseers of FMIs
could, at their discretion, pose additional questions as needed to address the
particulars of the FMI, its critical service providers, or other relevant issues.
The key questions seek answers as to whether the critical service provider's policies
and procedures in the identified areas are clear and comprehensive, and how these
are documented, reviewed and updated. A critical service provider may find it
beneficial to disclose its answers to the key questions in the assessment
methodology in order to help authorities, FMIs and, where relevant, their participants
enhance their understanding of the risks involved in using the critical service
provider’s services.
12 IOSCOPD432
If a critical service provider provides critical services to multiple FMIs, authorities of

the respective FMIs could cooperate with each other in assessing the critical service
provider against these expectations. Where such cooperation is set up, authorities
should observe the guidance provided in Responsibility E of the CPSS-IOSCO
Principles for financial market infrastructures, the CPSS Central bank oversight of
payment and settlement systems, and the IOSCO Principles regarding cross-border
supervisory cooperation, as appropriate. (CPSS Central bank oversight of payment
and settlement systems, May 2005, and the IOSCO Principles regarding cross-
border supervisory cooperation, May 2010.)
The authority of an FMI might have limited direct access to a critical service provider
of that FMI when the critical service provider resides in another country. In such case,
the authority can either convey its requirements through the abovementioned cross-
border supervisory cooperation, or communicate its requirements via the FMI over
which it has authority.
Supervisory Review
A common platform firm must: not undertake the outsourcing of important operational
functions in such a way as to impair materially:(a) the quality of its internal control; and(b)
the ability of the appropriate regulator to monitor the firm's compliance with all obligations
under the regulatory system and, if different, of a competent authority to monitor the firm's
compliance with all obligations under MiFID.
14 FRA-FCA Handbook NA
A common platform firm must make available on request to the appropriate

regulator and any other relevant competent authority all information
8.1.11
FCA PRA
necessary to enable the appropriate regulator and any other relevant
competent authority to supervise the compliance of the performance of
the outsourced activities with the requirements of the regulatory system.
Enterprise Risk Industry response to FSA Enhanced Supplier Guidelines for Financial Institutions. Key area of
OWG Document Management and Supplier focus around supplier management: Oversight, Exit Planning and Standardization. Each
Relationship Managers institution will need to decide on implementation plan.
15
NA NA
16 NIST Framework
Other
1 OCC Bulletin 2013-29 NA NA
Suspicious Activity Report (SAR) reporting functions: The confidentiality of suspicious

activity reporting makes the outsourcing of any SAR-related function more complex.
Financial institutions need to identify and monitor the risks associated with using service
providers to perform certain suspicious activity reporting functions in compliance with the
Bank Secrecy Act (BSA). Financial institution management should ensure they understand
the risks associated with such an arrangement and any BSA-specific guidance in this area.
Foreign-based service providers: Financial institutions should ensure that foreign-based
Enterprise Risk Management service providers are in compliance with applicable U.S. laws, regulations, and regulatory
2 Fed Outsourcing Guidance and Supplier Relationship guidance. Financial institutions may also want to consider laws and regulations of the
Managers foreign-based provider's country or regulatory authority regarding the financial institution's
ability to perform on-site review of the service provider's operations. In addition, financial
institutions should consider the authority or ability of home country supervisors to gain
access to the financial institution's customer information while examining the foreign-based
service provider.
Internal audit: Financial institutions should refer to existing guidance on the engagement of
independent public accounting firms and other outside professionals to perform
work that has been traditionally carried out by internal auditors.
3 CFPB Bulletin on Service Providers Supervised banks and

nonbanks To limit the potential for statutory or regulatory violations and related consumer harm,
supervised banks and nonbanks should take steps to ensure that their business
arrangements with service providers do not present unwarranted risks to consumers.
BCP:
• A critical service provider is expected to implement appropriate policies and procedures,
and devote sufficient resources to ensure that its critical services are available, reliable, and
resilient. Its business continuity management and disaster recovery plans should therefore
support the timely resumption of its critical services in the event of an outage so that the
service provided fulfils the terms of its agreement with an FMI.
• In addition, a critical service provider should have robust business continuity and disaster
recovery objectives and plans. These plans should include routine business continuity testing
and a review of these test results to assess the risk of a major operational disruption.
4 CPSS 115 Critical Service Provider

COMMUNICATION:
• A critical service provider is expected to be transparent to its users and provide them
sufficient information to enable users to understand clearly their roles and responsibilities in
managing risks related to their use of a critical service provider.
• Should have effective customer communication procedures and processes. In particular, a
critical service provider should provide the FMI and, where appropriate, its participants with
sufficient information so that users clearly understand their roles and responsibilities,
enabling them to manage adequately their risks related to their use of the services provided.
• Useful information for users typically includes, but is not limited to, information
concerning the critical service provider’s management processes, controls, and independent
reviews of the effectiveness of these processes and controls.
• Should have mechanisms to consult with users and the broader market on any technical
changes to its operations that may affect its risk profile, including incidences of absent or
non-performing risk controls of services.
• Should have a crisis communication plan to handle operational disruptions to its services.
enhance their contingency plans for the failure of a service provider providing critical
activities, taking into account industry-led guiding principles where applicable
Other
Some of the asset managers said they were comfortable with not
having a contingency plan in place at all because their service providers
are part of systemically important banking groups that are too big to
fail and therefore the respective governments would bail them out.
This assertion is inconsistent with the Prudential Regulation Authority’s
(PRA’s) focus on the ability of systemically important global groups to be
wound-down and resolved in a controlled manner. It is also a breach of
FCA requirements, as set out in SYSC 8, to not adequately manage the
risks associated with outsourcing a critical activity.
As most asset managers are likely to move to a new service provider if their incumbent
provider
were to fail, firms should consider if they have not already:
• how their contingency planning would allow them to continue to service their customers
during the interim period whilst the transfer takes place, and
• if appropriate, how their ability to transfer between providers can be improved
There are other steps that asset managers are taking to enhance their readiness for a failure
of their service provider. Most importantly, asset managers are beginning to devise and put
in place exit plans that focus on the continuation of service to their customers in the event
of a failure of their service provider. Recent findings show that for asset managers to provide
FCA Outsourcing In Asset Mgmt. continuity of service whilst exiting from one service provider and moving to another at short
5 Asset Managers notice they require:
Industry
• a detailed understanding of their asset manager’s operational exposure to their service
provider(s)
• identification of the outsourced activities that are essential to ensure a basic level of
service to customers, and
• knowledge of how, where and at what regularity the essential activities are expected to be
carried out and how they are to be overseen
11 For example, Service Level Agreements and operating model overviews.
12 For example, by having in place a Memorandum of Understanding.
When devising exit plans, asset managers should consider whether the plan should be:
• a subset of current BCP subject to similar controls, such as updating and testing the plan
on a periodic basis and
• formalised with the service provider at the outset of a contractual relationship or as soon
as reasonably possible, including agreement on which activities should be transferred to a
new service provider as a priority if applicable
Asset managers should consider adopting the guiding principles on exit planning proposed
by the OWG where appropriate. This should improve an asset manager’s ability to exit an
outsourcing contract in an orderly and efficient manner not only when there has been a
failure of the incumbent service provider.
As the majority of service providers are part of G-SIFIs13, they will have recovery and
resolution plans (RRPs) or ‘living wills’ in place. RRPs are designed to help regulatory
authorities develop plans to resolve failing G-SIFIs in an orderly manner. We found that a lot
of asset managers are keen to incorporate the RRP of their service provider’s group within
their emergency exit plans. However, asset managers should be mindful that the existence
of an RRP does not
automatically mean that the current service they receive will continue uninterrupted if the
group experiences severe financial distress. We continue to keep in close contact with the
PRA on the development of G-SIFI’s RRPs.
We have found that some asset managers are improving their surveillance of their service
providers’ financial position. Information gathered as part of this oversight could, for
example, potentially act as a forewarning of deteriorating credit-worthiness. The guiding
principles for oversight models proposed by the OWG include ongoing surveillance.
13 Global
6 FFIEC Booklet on Technology Service NA NA
Providers
Designated Supervisory A clearing or carrying member firm must vest an associated person of the firm with the
Position (Properly Registered authority and responsibility for the following activities:
Associated Person) (1) the movement of customer or proprietary cash or securities;
(2) the preparation of net capital or reserve formula computations; and
7 FINRA 11-14 (3) the adoption or execution of compliance or risk management systems.
The execution can be outsourced as long as the supervision remains within the firm.
Senior Management Rule excepts ministerial activities performed on behalf of a member firm, unless otherwise
prohibited by applicable securities laws and regulations or applicable FINRA and MSRB rules,
and clarifies that its provisions would not restrict activities performed pursuant to a carrying
agreement approved under FINRA Rule 4311 (Carrying Agreements)
8 NASD NTM 05-48 Senior Management Rule allows a member to outsource certain activities that support the performance of its
supervisory and compliance responsibilities

Other
IIROC rules effectively prohibit the outsourcing of most client-facing activities of the Dealer
Member (all of which would be considered to be “core” activities) including:
• a Registered Representative’s assessment of the information collected from the client to
ensure that the information is current, complete and accurate and that they comply with
their “know your client” obligation [Dealer Member Rules 39.3; 1300.1(a); 2500,
Introduction; 2500, Part II and 2700, Part II]; a Registered Representative’s performance of
10 IIROC Guidance On Outsourcing suitability assessments [Dealer Member Rules 39.3; 1300.1(p) through (s) and 2500,
Introduction]; a Designated complaints officer’s oversight of the handling of client
complaints [Dealer Member Rule 2500B, Section 3]; and various compliance and supervision
requirements, relating to client facing activities, that must be performed by Approved
Persons of the Dealer Member [
Non-core activities of the Dealer Member that are eligible to be outsourced under the
applicable IIROC Dealer Member Rules, and that would not give rise to regulatory concern if
they were outsourced, include the following:
 office service management activities;
 the procurement of external consultant services; and
 human resources management activities.
In some jurisdictions, as discussed below, regulators impose restrictions on the
outsourcing of certain functions where they believe the outsourcing introduces an
unacceptable risk or is critical to the function of an intermediary.
regulators expect that they will have complete access to books and records
concerning an outsourcing firm’s activities, even if such documents are in the
custody of the firm’s service provider. Regulators must also take account of possible
operational and systemic risks that may exist in the event that multiple regulated
entities use a common service provider.
the relevant regulator may impose sanctions and penalties on a regulated entity in its
jurisdiction for violations of statutory and regulatory requirements that resulted in
whole or in part from the failure of a service provider (whether licensed or
unlicensed) to perform its contractual obligations for the outsourcing firm.
Regulatory Action Outsourcing firms should also be aware of and comply with local mechanisms that
may have been put in place to implement these Principles. Such mechanisms may
take the form of government regulation, regulations imposed by non-government
statutory regulators, industry codes or practices, or some combination of these
items.
The outsourcing firm must retain the competence and ability to be able to ensure
that the firm complies with all regulatory requirements. Moreover, outsourcing must
not be permitted to impair the regulator’s ability to exercise its statutory
responsibilities, such as the proper supervision and audit of the firm. Regulators
should also consider the implications that the use of unlicensed service providers
may have on the regulator’s ability to supervise properly securities activities in their
jurisdiction. Such concerns may be heightened in instances where the outsourcing
firm delegates to the service provider the authority to act in the name of the
outsourcing firm.
The regulator, the outsourcing firm, and its auditors should have access to the books
and records of service providers relating to the outsourced activities and the
regulator should be able to obtain promptly, upon request, information concerning
activities that are relevant to regulatory oversight.
Regulator's and
Books and Records,
Including Rights of
Inspection.
Other
As set forth in IOSCO Principle 12.7, the regulator should have the right to inspect
books and records of regulated entities. Accordingly, regulators should be able, upon
request, to obtain promptly any books and records pertaining to the regulated
activity, irrespective of whether they are in the possession of the outsourcing firm or
the third party service provider, and to obtain additional information concerning
regulated activities performed by the service provider. A regulator’s access to such
books and records may be direct or indirect, though the outsourcing firm should
always maintain direct access to such books and records. This may include a
requirement that the books and records be maintained in the regulator’s jurisdiction,
or that the service provider agrees to send originals or copies of the books and
records to the regulator’s jurisdiction
upon request. Moreover, in order to facilitate the regulator’s access to books and
records as well as to maintain orderly business operations of the outsourcing firms,
arrangements between outsourcing firms and service providers should seek to
ensure that the outsourcing firms have appropriate access to books and records and
other information where it is in the custody of a third party.
Regulator's and
Books and Records,
Including Rights of
Means for Implementation: Contractual provisions by which the outsourcing firm
Inspection.
(including its auditor) has access to, and a right of inspection of, the service
provider's books and records dealing with outsourced activities, and similar access
to the books and records of any subcontractor. Where appropriate, these may
include physical inspections at the premises of the service provider, delivery of books
and records or copies of books and records to the outsourcing firm or
its auditor, or inspections that utilize electronic technology (i.e., “virtual inspections”);
Contractual provisions by which the service provider is required to make books,
records, and other information about regulated activities by the
service provider available to the regulator upon request and, in addition, to comply
with any requirements in the outsourcing firm’s jurisdiction to provide periodic reports
11 IOSCOPD187 to the regulator.
Where appropriate, taking action against outsourcing firms for the failure to provide
books and records required in that jurisdiction, without regard to whether the
regulated entity has transferred possession of required books and records to one or
more of its service providers; Imposing specific requirements concerning access to
books and records that are held by a service provider and which are necessary for
the authority to perform its oversight and supervisory functions with respect to
regulated entities in its jurisdiction. These may possibly include requiring that records
be maintained in the regulator’s jurisdiction, allowing for a right of inspection, or
requiring that the service provider agree to send originals or
copies of the books and records to the regulator’s jurisdiction upon request
The outsourcing firm should take appropriate steps to require that service
providers protect confidential information regarding the outsourcing firm’s proprietary
and other information, as well as the outsourcing firm’s clients from intentional or
inadvertent disclosure to unauthorized individuals. Unauthorized disclosure of
confidential firm and customer information could have a
number of negative consequences. Such unauthorized disclosure could result in
damage to the firm’s reputation, financial losses, and the loss of or risk to proprietary
information (including the firm’s trade secrets). In addition, unauthorized disclosure
could result in the disclosure of private and sensitive information about individuals
Client Confidentiality Issues
who have a reasonable expectation of privacy, and might also result in a material
financial loss to a firm’s customers. In addition to the potential harm to a firm’s
customers, an unauthorized disclosure could also result in the outsourcing firm
having financial liability to its customers and/or its regulators, possibly affecting the
firm’s solvency. Where appropriate, regulators may choose to review the protections
that are in place between the outsourcing firm and the service provider and, in
addition, may choose to review the measures that are in place between a service
provider and its agents that may have an impact on the data and/or its use, so that
there are no unauthorized disclosures among the various service providers.
Other
Regulators should be cognizant of the risks posed where one service

provider provides outsourcing services to multiple regulated entities. Where multiple
outsourcing firms use a common service provider, operational risks are
correspondingly concentrated, and may pose a threat of systemic risk. For example,
if the service provider suddenly and unexpectedly becomes unable to perform
services that are critical to the business of a significant number of regulated
Concentration of Outsourcingoutsourcing firms, each of the regulated entities will be similarly disabled.
Alternatively, if multiple outsourcing firms depend upon the same provider of
business continuity services (e.g., a common disaster recovery site), a disruption
that affects a large number of those entities may result in a lack of capacity for the
business continuity services. Each of these scenarios may result in follow-on effects
on markets that depend on participation by the outsourcing firms, or on public
confidence.
Taking steps to become aware of cases where a significant proportion of

their regulated entities rely upon a single service provider to provide critical
functions. This could include, where appropriate, a monitoring program and/or a risk
assessment methodology, and the collection of routine information on outsourcing
arrangements from outsourcing firms and/or service providers. In this regard,
regulators should be cognizant of the potential that subcontracting by service
Regulators should consider thproviders of a particular function may itself result in concentration risk; Tailoring their
examination programs or related activities in light of concentrations of outsourcing
activity. Where a regulator has identified a possible concentration risk issue,
outsourcing firms should consider taking steps to ensure, to the degree practicable,
that the service provider has adequate capacity to meet the needs of all outsourcing
firms, both during normal operations as well as unusual circumstances (e.g., unusual
market activity, physical disaster).
Typically, this assessment would be conducted (or commanded) by the critical

service provider itself which would then make the (self-)assessment available to the
FMI and the latter's regulatory authority. The assessment methodology relies on key
questions for each oversight expectation, which address the critical service
provider’s approach or framework to managing risks. These questions are neither
intended to serve purely as a checklist nor to be exhaustive. Regulators,
supervisors, and overseers of FMIs could, at their discretion, pose additional
questions as needed to address the particulars of the FMI, its critical service
providers, or other relevant issues.
The key questions seek answers as to whether the critical service provider's policies
and procedures in the identified areas are clear and comprehensive, and how these
are documented, reviewed and updated. A critical service provider may find it
beneficial to disclose its answers to the key questions in the assessment
methodology in order to help authorities, FMIs and, where relevant, their participants
enhance their understanding of the risks involved in using the critical service
provider’s services.
12 IOSCOPD432
If a critical service provider provides critical services to multiple FMIs, authorities of

the respective FMIs could cooperate with each other in assessing the critical service
provider against these expectations. Where such cooperation is set up, authorities
should observe the guidance provided in Responsibility E of the CPSS-IOSCO
Principles for financial market infrastructures, the CPSS Central bank oversight of
payment and settlement systems, and the IOSCO Principles regarding cross-border
supervisory cooperation, as appropriate. (CPSS Central bank oversight of payment
and settlement systems, May 2005, and the IOSCO Principles regarding cross-
border supervisory cooperation, May 2010.)
The authority of an FMI might have limited direct access to a critical service provider
of that FMI when the critical service provider resides in another country. In such
case, the authority can either convey its requirements through the abovementioned
cross-border supervisory cooperation, or communicate its requirements via the FMI
over which it has authority.
11 IOSCOPD187 TBD TBD
12 IOSCOPD432 TBD TBD
Other
A common platform firm must:(1) when relying on a third party for the performance of
operational
functions which are critical for the performance of regulated
activities, listed activities or ancillary services (in this chapter
relevant services and activities) on a continuous and
satisfactory basis, ensure that it takes reasonable steps to avoid
undue additional operational risk;
Without prejudice to the status of any other function, the following
functions will not be considered as critical or important for the purposes
of this chapter:
(1) the provision to the firm of advisory services, and other services
which do not form part of the relevant services and activities of
the firm, including the provision of legal advice to the firm, the
14 FRA-FCA Handbook
training of personnel of the firm, billing services and the security
of the firm's premises and personnel;
(2) the purchase of standardized services, including market information
services and the provision of price feeds ;
(3) the recording and retention of relevant telephone conversations or
electronic communications subject to ¡ COBS 11.8.
If a common platform firm and the service provider are members of the
same group, the firm may, for the purpose of complying with ■ SYSC 8.1.7 R
to ■ SYSC 8.1.11 R and ■ SYSC 8.2 and ■ SYSC 8.3, take into account the
extent to which the common platform firm controls the service provider
or has the ability to influence its actions.
OWG Document NA NA
15
Tier 1: Partial: External Participation – An organization may not have the processes in place
to participate in coordination or collaboration with other entities.
Tier 2: Risk Informed: External Participation – The organization knows its role in the larger
ecosystem, but has not formalized its capabilities to interact and share information
externally.
2.2 Framework
Implementation Tiers
Tier 3: Repeatable: External Participation – The organization understands its dependencies
and partners and receives information from these partners that enables collaboration and
risk-based management decisions within the organization in response to events.
16 NIST Framework Tier 4: Adaptive: External Participation – The organization manages risk and actively shares
information with partners to ensure that accurate, current information is being distributed
and consumed to improve cybersecurity before a cybersecurity event occurs.
Awareness and training Awareness and training measures: Service providers that provide cybersecurity-related
measures services for the organization are informed about the organization’s applicable privacy
policies
Communications (RS.CO):
Response activities are
coordinated with internal and
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader
external stakeholders, as cybersecurity situational awareness
appropriate, to include
external support from law
enforcement agencies.
R Y
A N
C
I
R,A
R,C
R,I
R,A,C
R,C,I
R,A,C,I
A,C
A,C,I
A,I
C,I
N/A

Third Party Regulation Mapping Matrix

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Third Party Regulation Mapping Matrix

Загружено:

Авторское право:

Overview of the Spreadsheet

"Top-level RACI" Tab:

"Planning" through "Other" Tabs:

Regulatory Guideline/Bulletin Link

1 OCC Bulletin 2013-29 http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

2 Federal Reserve – Guidance on Managing http://www.federalreserve.gov/bankinforeg/srletters/sr1319.htm

3 CFPB Bulletin on Service Providers http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf

4 CPSS 115 http://www.bis.org/publ/cpss115.pdf

5 FCA Outsourcing In Asset Mgmt. Industry http://www.fca.org.uk/static/documents/thematic-reviews/tr13-10.pdf

6 FFIEC – Supervision of TSP (10/2012) http://ithandbook.ffiec.gov/it-booklets/supervision-of-technology-service-providers-(tsp).aspx

7 FINRA – Notice to Members 11-14

8 NASD NTM 05-48 http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p014735.pdf

9 ICI - FICCA Engagements http://www.ici.org/pdf/27847.pdf

10 IIROC – Notice 14-0012 http://www.iiroc.ca/Documents/2014/1fd5248a-56d7-4e8e-b755-95f91a434985_en.pdf

13 GLB / Reg S-P – Privacy of Customer http://www.sec.gov/rules/final/34-42974.htm

14 Senior Management Arrangements, http://fshandbook.info/FS/html/handbook/SYSC/8

Outsourcing Working Group - Industry

16 NIST Framework On Cybersecurity http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

17 Federal Reserve SR 14-1/14-1A http://www.federalreserve.gov/bankinforeg/srletters/SR1401.htm

Regulatory Guideline/Bulletin Link

IOSCOPD187 AND IOSCOPD432

Federal Reserve Senior Outsourcing

Supervisory Review of TSPs ü ü ü ü ü ü ü ü ü ü

Regulatory Guideline/Bulletin Function Compliance Points

Supervised banks and

FCA Outsourcing In Asset

7 FINRA 11-14 Program Development

Regulatory Guideline/Bulletin Function Compliance Points

Development of due diligence and oversight processes

Describe the following:

As part of the comprehensive outsourcing policy, an initial assessment should be made as to

Establish and carry-out a comprehensive outsourcing risk management program that

Regulatory Guideline/Bulletin Function Compliance Points

Proposed changes to a critical service provider’s technology should entail a thorough

Outsourcing Working Group -

Regulatory Guideline/Bulletin Function Compliance Points

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

Regulatory Guideline/Bulletin Function Compliance Points

The bank should consider the following during due diligence:

Bank Employees who

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

Regulatory Guideline/Bulletin Function Compliance Points

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

The bank should consider the following during due diligence:

FFIEC Booklet on Technology Service

Regulatory Guideline/Bulletin Function Compliance Points

9 ICI - FICCA Engagements NA NA

 As part of the comprehensive outsourcing policy, an initial assessment should be made as

An outsourcing firm should conduct suitable due diligence processes in

Whatever level of outsourcing is utilized, outsourcing firms remain responsible for

Regulatory Guideline/Bulletin Function Compliance Points

The outsourcing firm should take appropriate measures to determine that:

Means for Implementation: Specification of the security requirements of automated

•Where appropriate, requirement of testing by the service provider of critical systems

Regulatory Guideline/Bulletin Function Compliance Points

This assessment methodology mirrors the approach used in the CPSS-IOSCO,