Академический Документы
Профессиональный Документы
Культура Документы
This spreadsheet is meant to analyze the current list of rules, regulations and guidelines pertaining to third-party suppliers. A d
found on Tab 2 of this worksheet. Additionally, the SIFMA Vendor Working Group recommends a life-cycle approach to supplie
The tabs on this worksheet represent the life-cycle phases as defined by the Office Of the Comptroller Of the Currency (OCC).
This workbook can also be used to help a firm profile itself against the requirements set forth by the OCC. The RACI method ha
to help companies determine who is involved regarding a specific compliance point and their role. If no one is involved then th
highlighted as an item requiring a corrective action plan. The roles in the RACI profiling method are:
Responsible: This is a person, who performs a task or work and he/she is responsible for the work.
Accountable: the primary person in charge of the task or work (e.g. department/division head) .
Consulted: Person, who gives feedback and contributes when required.
Informed: Person in charge who needs to know the action or decision taken.
Columns C through V are suggested functions/business units that are involved in third-party supplier management. Feel free t
to fit your firm. Use the drop down selection to determine what role a department may have with the compliance point. Som
perform multiple roles. Also, select N/A if you feel the function does not apply to you. Follow this practice across the tabs and
developed your "profile". Please note there is no scoring since there is no industry function to perform comparisons.
Scroll to column E and determine if the compliance point is performed at your company. If not, highlight the cell in red. This w
a project plan to bring your firm into compliance. If your firm feels that this does not apply, use the comments column to docu
Columns F through U are suggested functions/business units that are involved in third-party supplier management. Feel free t
to fit your firm. Use the drop down selection to determine what role a department may have with the compliance point. Som
perform multiple roles. Also, select N/A if you feel the function does not apply to you. Follow this practice across the tabs and
developed your "profile". Please note there is no scoring since there is no industry function to perform comparisons.
Also, since many firms use some sort of system, spreadsheet or tool, to support their supplier risk program, technology modific
needed to ensure compliance. The ability to extract compliance information will be just as important as performing the functio
"N" to any of the quesitons regarding system functionality, that is the basis for a development project to bring a firm's technolo
List Of Documents
11 IOSCOPD187 http://www.bis.org/press/p131218a.htm
12 IOSCOPD432 http://www.iosco.org/library/pubdocs/pdf/IOSCOPD432.pdf
Planning ü ü ü ü ü ü ü ü ü ü ü ü
Due Diligence ü ü ü ü ü ü ü ü ü ü ü ü
Contract Negotiation ü ü ü ü ü ü ü ü ü
Ongoing Monitoring ü ü ü ü ü ü ü ü ü ü ü ü ü
Oversight & Accountability ü ü ü ü ü ü ü ü ü ü ü ü ü ü
Termination ü ü ü ü ü ü ü ü
Documentation and
Reporting ü ü ü ü ü ü ü ü ü ü
Independent Review ü ü ü ü ü ü ü ü
Other ü ü ü ü ü ü ü ü ü ü ü
* As per the text of the rule, the financial companies in scope are: Bank of America Corporation, Bank of New York Mellon Corporation, PLC, Citigroup Inc., Goldman Sachs Group, Inc., JPMorgan Chase & Co., Morgan Stanley, State Street Corporation, and Wells Fargo & Company.
Business Support Functions
Is this
compliance
point
performed at Business Business Business Procurem
TPS Life-cycle Phases Legal
Unit #1 Unit #2 Unit #3 ent
your
company?
(Y/N)
Planning
Due Diligence
Contract Negotiation
Ongoing Monitoring
Oversight and Accountability
Termination
Documentation and Reporting
Independent Review
Supervisory Review of TSPs
Other
upport Functions Sector / Region Enterprise/Corporate Functions
Third
Regional Region Senior
Compl. Accounts Sector ESRM Party Ent. Risk Info.
SRM SRM Manage
Payable SRM Group Credit Mgmt Security
Head Utility ment Risk
Functions System Capabilities
Complian Evidence
Existing ce Easily
CoB Capabilit Evidence Extractab Comments
y? Exists in le?
System?
Planning
Terminate arrangements with 3rd parties that do not meet expectations or no longer align
with the banks strategic goals, objectives or risk appetite. Ensure that relationships
Senior Bank Management terminate in an efficient manner, whether the activities are transitioned to another third
party or in-house, or discontinued.
Recommend termination of arrangements with 3rd parties that do not meet expectations or
no longer align with the banks strategic goals, objectives or risk appetite.
1 OCC Bulletin 2013-29 Develop a plan to transition to an alternate vendor or bring a service in house if there are
no alternate 3rd parties to dilute risk in the event of a contract default or termination. The
Bank Employees who directly plan should cover:
manage 3rd party relationships • capabilities, resources, and the time frame required to transition the activity while still
managing legal, regulatory, customer, and other impacts that might arise.
• risks associated with data retention and destruction, information system connections and
access control issues, or other control concerns that require additional risk management and
monitoring during and after the end of the third-party relationship.
• handling of joint intellectual property developed during the course of the arrangement.
• reputation risks to the bank if the termination happens as a result of the third party’s
inability to meet expectations.
Sr. Bank Mgmt./ Enterprise Govern and monitor supplier contracts to ensure that they are adherent to supplier
2 Fed Outsourcing Guidance Risk Management Team/ compliance/ controls. Where need, have an exit strategy and terminate contracts with
Supplier Relationship minimal impact to business operations and services.
Managers
The critical service provider is expected to have in place robust methods to plan for the
entire lifecycle of the use of technologies and the selection of technological standards.
Should have effective technology planning that minimizes overall operational risk and
enhances operational performance. Planning entails a comprehensive information
technology strategy that considers the entire lifecycle for the use of technologies and a
4 CPSS 115 Critical Service Provider process for selecting standards when deploying and managing a service.
Proposed changes to a critical service provider’s technology should entail a thorough and
comprehensive consultation with the FMI and, where relevant, its participants. A critical
service provider should regularly review its technology plans, including assessments of its
technologies and the processes it uses for implementing change.
FFIEC Booklet on Technology To outline bank examiners TPA supervisory guidelines: Risk Tiers, Frequency, Composite
6 Service Providers Bank Examiners Ratings to measure the effectives of a suppliers compliance and adherence. Key areas of
focus include: Audit, Management, Development and Acquisition, Support and Delivery.
Establish and maintain a supervisory system and written procedures for any functions or
activities performed by a third party service provider that are reasonably designed to
achieve compliance with applicable securities laws and regulations and applicable FINRA
and MSRB rules.
7 FINRA 11-14 Program Development Clearing or Carrying member firms must have supervisory procedures that enable the firm
to take prompt corrective action when necessary to achieve compliance with applicable
securities laws and regulations and applicable FINRA and MSRB rules.
A Dealer Member should have a comprehensive outsourcing policy that guides the
performance of due diligence assessment(s) that will underlie decisions regarding whether,
and how, certain activities can be appropriately outsourced
Ensure that third-party service providers have adequate safeguards for keeping
information confidential and, where appropriate, for recovering from a business
disruption;
Conduct ongoing reviews of the quality of outsourced services;
Develop and test a business continuity plan to minimize disruption to the firm’s
business and its clients if the third-party service provider does not deliver the
11 IOSCOPD187 Program Requirements
services satisfactorily; and,
The following Principles set out regulators’ expectations for outsourcing firms. These
principles should be applied according to the degree of materiality of the outsourced
activity to the ongoing business of the outsourcing firm and its regulatory obligations.
Even where the activity is not material, the outsourcing firm should consider the
appropriateness of applying the principles.
Annex F outlines five oversight expectations that help ensure that the operations of a
critical service provider are held to the same standards as the FMI would be if it
provided the same service. These expectations are specifically targeted at ensuring
Service Standards strong risk identification and management, robust information security management,
reliability and resilience of systems, effective technology planning, and strong
communications with users. (Users are the customers of the critical service provider,
12 IOSCOPD432 and include (an) FMI(s) and its/their participants, as relevant.)
Planning
13 REG SP4-57427 NA NA
A common platform firm must: (1) when relying on a third party for the performance of
operational functions which are critical for the performance of regulated activities, listed
14 FRA-FCA Handbook NA activities or ancillary services (in this chapter relevant services and activities) on a
continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue
additional operational risk;
NIST Framework NA NA
16
Due Diligence
Board Of Directors Review summary of due diligence results and management’s recommendations to use third
parties that involve critical activities.
Ensure appropriate due diligence is conducted on potential third parties and present results
Senior Bank Management to the board when making recommendations to use third parties that involve critical
activities.
A bank should conduct due diligence on all potential third parties before selecting and
entering into contracts or relationships. A bank should not rely solely on experience with or
prior knowledge of the third party as a proxy for an objective, in-depth assessment of the
third party’s ability to perform the activity in compliance with all applicable laws and
regulations and in a safe and sound manner.
A financial institution should conduct an evaluation of and perform the necessary due
diligence for a prospective service provider prior to engaging the service provider. The depth
and formality of the due diligence performed will vary depending on the scope, complexity,
and
Enterprise Risk Page 4 of 12
Management Team/ importance of the planned outsourcing arrangement, the financial institution's familiarity
2 Fed Outsourcing Guidance Supplier Relationship with prospective service providers, and the reputation and industry standing of the service
Managers provider. Throughout the due diligence process, financial institution technical experts and
key stakeholders should be engaged in the review and approval process as needed. The
overall due diligence process includes a review of the service provider with regard to:
1. Business background, reputation, and strategy;
2. Financial performance and condition; and
3. Operations and internal controls.
Conducting thorough due diligence to verify that the service provider understands and is
capable of complying with Federal consumer financial law;
Supervised banks and
3 CFPB Bulletin on Service Providers nonbanks
Requesting and reviewing the service provider's policies, procedures, internal controls, and
training materials to ensure that the service provider conducts appropriate training and
oversight of employees or agents that have consumer contact or compliance responsibilities;
4 CPSS 115 NA NA
(1) Resilience risk – If an asset manager’s service provider was to suddenly fail and
thereforebe unable to provide their outsource services for an indefinite period, the asset
FCA Outsourcing In Asset Mgmt. managerin turn would not be able to continue the service it is contracted to provide to
5 Industry NA itscustomers. For example, investors may not be able to redeem their fund holdings at afair
and accurate valuation on a timely basis. Without viable contingency plans in place,this
scenario could result in detriment to the asset manager’s customers.
Perform ongoing due diligence on each current or prospective third party service provider
(including any sub-vendor) to determine if they are capable of preforming the activities
being outsourced and can achieve compliance with applicable securities laws and
7 FINRA 11-14 regulations and applicable FINRA and MSRB rules.
Formalized process for entering into contracts
Due Diligence Program Ongoing monitoring process
Required reporting to regulators
8 NASD NTM 05-48 Supervisory procedures are required when a member outsources covered activities and
must include a due diligence analysis of all of its current or prospective third-party service
providers to determine whether they are capable of performing the outsourced activities
A Dealer Member should have a comprehensive outsourcing policy that guides the
performance of due diligence assessment(s) that will underlie decisions regarding whether,
and how, certain activities can be appropriately outsourced
10 IIROC Guidance On Outsourcing Due Diligence Oversight Dealer Members adopt formal due diligence policies and procedures relating to outsourcing
arrangements. To facilitate Dealer Members’ efficient assessment of individual proposed
outsourcing arrangements, it would be acceptable for Dealer Members to adopt policies and
procedures that acknowledge that the extent of due diligence work performed may be
proportionate to the materiality and risk of the functions/activities that are proposed to be
outsourced.
Documenting processes and procedures that enable the outsourcing firm to assess, prior to
selection, the third party service provider’s ability and capacity to perform the outsourced
activities effectively, reliably, and to a high standard, including the service provider’s
technical, financial and human resources capacity, together with any potential risk factors
associated with using a particular service provider.
It is important that outsourcing firms exercise due care, skill, and diligence in the
selection of third party service providers, so that they can be satisfied that the third
party service provider has the ability and capacity to undertake the provision of the
service effectively.
Firms should consider several factors as they apply these principles to activities that
fall under the outsourcing definition. First, as discussed in section II.A, these
principles should be applied according to the degree of materiality of the outsourced
activity to the firm's business. Even where the activity is not material, the outsourcing
entity should consider the appropriateness of applying the principles. Second, as
discussed in section II.C, firms should consider any affiliation or other relationship
between the outsourcing entity and the service provider. While it is necessary to
apply the Outsourcing Principles to affiliated entities, it may be appropriate to adopt
them with some modification to account for the potential differing degrees of risk with
respect to intra-group outsourcing. Third, the firm may consider whether the service
provider is a regulated entity subject to independent supervision.
Third Party Assessment
Due Diligence
With respect to the financial firm, transferring a function to a third party may have a
detrimental impact on the firm’s understanding of how the function is performed, with
a consequent loss of control. The lack of control over a firm’s proprietary and
customer-related information and software may also hinder the ability of an
outsourcing firm to maintain its proprietary and customer-related information and
software, and may also impact on the confidentiality of customer records. There is
the potential that the inappropriate selection of a service provider may lead to a
business disruption, with negative consequences for the outsourcing firm’s
customers, and, in certain instances, the potential for systemic risk to the market as
a whole.
For areas of business activity that are not restricted by the regulator, the outsourcing
firm should develop a process for determining the materiality of outsourcing
arrangements. The assessment of what is material is often a subjective one and
depends on the circumstances of the particular outsourcing firm. Factors to be
considered include, but are not limited to: Financial, reputational and operational
impact, provision of adequate services to an
outsourcing firm’s customers, losses to an outsourcing firm's customers on the
failure of a service provider to perform, ability and capacity of the outsourcing
firm to conform with regulatory requirements and changes in requirements, cost,
elationship between the outsourcing firm and the service provider, regulatory status
of the service provider, and the degree of difficulty and time required to select an
11 IOSCOPD187 alternative service provider or to bring the business activity in-house, if necessary.
As part of its reviews of these matters, an outsourcing firm should also take into
account whether additional issues are raised when the outsourcing is performed on a
cross-border basis.
The FMI remains ultimately responsible for its operations, including the five oversight
expectations outlined in Annex F of the Principles for financial market infrastructures.
An FMI may have a contractual arrangement with a third-party service provider that
performs, on a continuing basis, activities essential to the operations of the FMI. The
FMI Operations continuous, secure, and efficient delivery of these services by the third-party service
Oversight Expectations provider may be critical to the operations of the FMI or, in some cases, multiple
FMIs.
A critical service provider should have effective processes and systems for
identifying and documenting risks, implementing controls to manage risks, and
making decisions to accept certain risks. A critical service provider may face risks
12 IOSCOPD432 Risk identification and related to information security, reliability and resilience, and technology planning, as
management well as legal and regulatory requirements pertaining to its corporate organisation and
conduct, relationships with customers, strategic decisions that affect its ability to
operate as a going concern, and dependencies on third parties.
Enterprise-wide risk-management framework
Dependencies on third parties
Governance of the enterprise-wide risk-management framework
Internal audit function
A critical service provider should have a robust information security framework that
appropriately manages its information security risks. The framework should include
sound policies and procedures to protect information from unauthorised disclosure,
ensure data integrity, and guarantee the availability of its services. In addition, a
Information security critical service provider should have policies and procedures for monitoring its
(Due Dilligence) compliance with its information security framework. This framework should also
include capacity planning policies and change-management practices. For example,
a critical service provider that plans to change its operations should assess the
implications of such a change on its information security arrangements.
13 REG SP4-57427 NA NA
The following should be taken into account where the service provider is not authorized or
registered in its home country and/or not subject to prudential supervision. 8.3.6 FCA (1)
The firm should examine, and be able to demonstrate, to what extent the service provider
may be subject to any form of voluntary regulation, including self-regulation in its home
state. (2) The firm should be able to satisfy the FCA that the service provider is committed
for the term of the outsourcing agreement to devoting sufficient, competent resources to
providing the service. (3) In addition to the requirement to ensure that a service provider
discloses any developments that may have a material impact on its ability to carry out the
outsourcing (¡ SYSC 8.1.8 R (6)), where the conditions are not met the
developments to be disclosed should include, but are not limited to:
(a) any adverse effect that any laws or regulations introduced in the service
provider's home country may have on its carrying on the outsourced
activity; and
(b) any changes to its capital reserve levels or its prudential risks.
(4) The firm should satisfy itself that the service provider is able to meet its liabilities as they
fall due and that it has positive net assets.
(5) The firm should require that the service provider prepares annual reports and accounts
which:
14 FRA-FCA Handbook (a) are in accordance with the service provider's national law which, in all material respects,
is the same as or equivalent to the international accounting standards;
(b) have been independently audited and reported on in accordance with the service
provider's national law which is the same as or equivalent to international auditing
standards.
14 FRA-FCA Handbook Due Diligence
(6) The firm should receive copies of each set of the audited annual report and accounts of
the service provider. If the service provider expects or knows its accounts of the service
provider. If the service provider expects or knows its auditor will qualify his report on the
audited report and accounts, or add an explanatory paragraph, the service provider should
be required to notify an explanatory paragraph, the service provider should be required to
notify the firm without delay.
(7) The firm should satisfy itself, and be able to demonstrate, that it has in place appropriate
procedures to ensure that it is fully aware of the service provider's controls for protecting
confidential information.
(8) In addition to the requirement at ¡ SYSC 8.1.8 R (10) that the service provider must
protect any confidential information relating to the firm or its clients, the outsourcing
agreement should require the service provider to notify the firm immediately if there is a
breach of confidentiality. The outsourcing agreement should be governed by the law and
subject to the jurisdiction of an EEA state.
OWG Document NA NA
15
NA NA
16 NIST Framework
Contract Negotiation
Board Approve contracts prior to execution when a 3rd party relationship will involve critical
activities
Senior Bank Management Review and approve contracts with third parties.
Negotiate a contract that clearly specifies the rights and responsibilities of each party to the
contract.
Where problems are identified, the bank should seek to renegotiate the contract at the
earliest opportunity.
Ensure that the contract specifies the nature and scope of the arrangement. For example, a
third-party contract should specifically identify the frequency, content, and format of the
service, product, or function provided. Include in the contract, as applicable, such ancillary
services as software or other technology support and maintenance, employee training, and
customer service. Specify which activities the third party is to conduct, whether on or off the
bank’s premises, and describe the terms governing the use of the bank’s information,
facilities, personnel, systems, and equipment, as well as access to and use of the bank’s or
customers’ information. When dual employees will be used, clearly articulate their
responsibilities and reporting lines.7
Specify performance measures that define the expectations and responsibilities for both
parties including conformance with regulatory standards or rules. Such measures can be used
to motivate the third party’s performance, penalize poor performance, or reward outstanding
performance. Performance measures should not incentivize undesirable performance, such
as encouraging processing volume or speed without regard for accuracy, compliance
requirements, or adverse effects on customers. Industry standards for service-level
agreements may provide a reference point for standardized services, such as payroll
processing. For more customized activities, there may be no standard measures. Instead, the
bank and third party should agree on appropriate measures.
Ensure that the contract requires the third party to provide and retain timely, accurate, and
comprehensive information such as records and reports that allow bank management to
monitor performance, service levels, and risks. Stipulate the frequency and type of reports
required, for example: performance reports, control audits, financial statements, security
reports, BSA/AML and Office of Foreign Asset Control (OFAC) compliance responsibilities and
reports for monitoring potential suspicious activity, reports for monitoring customer
complaint activity, and business resumption testing reports.
Ensure that the contract establishes the bank’s right to audit, monitor performance, and
require remediation when issues are identified. Generally, a third-party contract should
include provisions for periodic independent internal or external audits of the third party, and
relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions
to monitor performance with the contract. A bank should include in the contract the types
and frequency of audit reports the bank is entitled to receive from the third party (e.g.,
financial, SSAE 16, SOC 1, SOC 2, and SOC 3 reports, and security reviews). Consider whether
to accept audits conducted by the third party’s internal or external auditors. Reserve the
bank’s right to conduct its own audits of the third party’s activities or to engage an
independent party to perform such audits.
Ensure the contract addresses compliance with the specific laws, regulations, guidance, and
self-regulatory standards applicable to the activities involved, including provisions that
outline compliance with certain provisions of the Gramm-Leach-Bliley Act (GLBA) (including
privacy and safeguarding of customer information); BSA/AML; OFAC; and Fair Lending and
other consumer protection laws and regulations. Ensure that the contract requires the third
party to maintain policies and procedures which address the bank’s right to conduct periodic
reviews so as to verify the third party’s compliance with the bank’s policies and expectations.
Ensure that the contract states the bank has the right to monitor on an ongoing basis the
third party’s compliance with applicable laws, regulations, and policies and requires
remediation if issues arise.
Fully describe compensation, fees, and calculations for base services, as well as any fees
based on volume of activity and for special requests. Ensure the contracts do not include
burdensome upfront fees or incentives that could result in inappropriate risk taking by the
bank or third party. Indicate which party is responsible for payment of legal, audit, and
examination fees associated with the activities involved. Consider outlining cost and
responsibility for purchasing and maintaining hardware and software. Specify the conditions
under which the cost structure may be changed, including limits on any cost increases.
State whether and how the third party has the right to use the bank’s information,
technology, and intellectual property, such as the bank’s name, logo, trademark, and
copyrighted material. Indicate whether any records generated by the third party become the
bank’s property. Include appropriate warranties on the part of the third party related to its
acquisition of licenses for use of any intellectual property developed by other third parties. If
the bank purchases software, establish escrow agreements to provide for the bank’s access
to source code and programs under certain conditions (e.g., insolvency of the third party).
1 OCC Bulletin 2013-29
Bank Employees Who
Manage Third-party
relationships
Prohibit the third party and its subcontractors from using or disclosing the bank’s
information, except as necessary to provide the contracted activities or comply with legal
requirements. If the third party receives bank customers’ personally identifiable information,
the contract should ensure that the third party implements and maintains appropriate
security measures to comply with privacy regulations and regulatory guidelines. Specify when
and how the third party will disclose, in a timely manner, information security breaches that
have resulted in unauthorized intrusions or access that may materially affect the bank or its
customers. Stipulate that intrusion notifications include estimates of the effects on the bank
and specify corrective action to be taken by the third party. Address the powers of each party
to change security and risk management procedures and requirements, and resolve any
confidentiality and integrity issues arising out of shared use of facilities owned by the third
party. Stipulate whether and how often the bank and the third party will jointly practice
incident management plans involving unauthorized intrusions or other breaches in
confidentiality and integrity.
Contract Negotiation
Ensure the contract provides for continuation of the business function in the event of
problems affecting the third party’s operations, including degradations or interruptions
resulting from natural disasters, human error, or intentional attacks. Stipulate the third party’s
responsibility for backing up and otherwise protecting programs, data, and equipment, and
for maintaining current and sound business resumption and contingency plans. Include
provisions—in the event of the third party’s bankruptcy, business failure, or business
interruption—for transferring the bank’s accounts or activities to another third party without
penalty.
Ensure that the contract requires the third party to provide the bank with operating
procedures to be carried out in the event business resumption and disaster recovery plans
are implemented. Include specific time frames for business resumption and recovery that
meet the bank’s requirements, and when appropriate, regulatory requirements. Stipulate
whether and how often the bank and the third party will jointly practice business resumption
and disaster recovery plans.
Consider including indemnification clauses that specify the extent to which the bank will be
held liable for claims that cite failure of the third party to perform, including failure of the
third party to obtain any necessary intellectual property licenses. Carefully assess
indemnification clauses that require the bank to hold the third party harmless from liability.
Stipulate that the third party is required to maintain adequate insurance, notify the bank of
material changes to coverage, and provide evidence of coverage where appropriate. Types of
insurance coverage may include fidelity bond coverage, liability coverage, hazard insurance,
and intellectual property insurance.
Consider whether the contract should establish a dispute resolution process (arbitration,
mediation, or other means) to resolve problems between the bank and the third party in an
expeditious manner, and whether the third party should continue to provide activities to the
bank during the dispute resolution period.
Determine whether the contract limits the third party’s liability and whether the proposed
limit is in proportion to the amount of loss the bank might experience because of the third
party’s failure to perform or to comply with applicable laws. Consider whether a contract
would subject the bank to undue risk of litigation, particularly if the third party violates or is
accused of violating intellectual property rights.
Ensure that the contract stipulates what constitutes default, identifies remedies and allows
opportunities to cure defaults, and stipulates the circumstances and responsibilities for
termination. Determine whether it includes a provision that enables the bank to terminate
the contract, upon reasonable notice and without penalty, in the event that the OCC formally
directs the bank to terminate the relationship. Ensure the contract permits the bank to
terminate the relationship in a timely manner without prohibitive expense. Include
termination and notification requirements with time frames to allow for the orderly
conversion to another third party. Provide for the timely return or destruction of the bank’s
data and other resources and ensure the contract provides for ongoing monitoring of the
third party after the contract terms are satisfied as necessary. Clearly assign all costs and
obligations associated with transition and termination.
Specify whether the bank or third party is responsible for responding to customer
complaints. If it is the third party’s responsibility, specify provisions that ensure that the third
party receives and responds timely to customer complaints and forwards a copy of each
complaint and response to the bank. The third party should submit sufficient, timely, and
usable information to enable the bank to analyze customer complaint activity and trends for
risk management purposes.
Contract Negotiation
Stipulate when and how the third party should notify the bank of its intent to use a
subcontractor. Specify the activities that cannot be subcontracted or whether the bank
prohibits the third party from subcontracting activities to certain locations or specific
subcontractors. Detail the contractual obligations—such as reporting on the subcontractor’s
conformance with performance measures, periodic audit results, compliance with laws and
regulations, and other contractual obligations. State the third party’s liability for activities or
actions by its subcontractors and which party is responsible for the costs and resources
required for any additional monitoring and management of the subcontractors. Reserve the
right to terminate the contract without penalty if the third party’s subcontracting
arrangements do not comply with the terms of the contract.
In contracts with service providers, stipulate that the performance of activities by external
parties for the bank is subject to OCC examination oversight, including access to all work
papers, drafts, and other materials. The OCC treats as subject to 12 USC 1867(c) and 12 USC
1464(d)(7), situations in which a bank arranges, by contract or otherwise, for the
performance of any applicable functions of its operations.
Therefore, the OCC generally has the authority to examine and to regulate the functions or
operations performed or provided by third parties to the same extent as if they were
performed by the bank itself on its own premises.
Financial institutions should understand the service contract and legal issues associated with
proposed outsourcing arrangements. The terms of service agreements should be defined in
written contracts that have been reviewed by the financial institution's legal counsel prior to
execution. The characteristics of the business activity being outsourced and the service
provider's strategy for providing those services will determine the terms of the contract.
Elements of well-defined contracts and service agreements usually include:
• Scope: Contracts should clearly define the rights and responsibilities of each party,
including:
o Support, maintenance, and customer service; o Contract timeframes;
o Compliance with applicable laws, regulations, and regulatory guidance; o Training of
financial institution employees; o The ability to subcontract services;
o The distribution of any required statements or disclosures to the financial institution's
Legal and Supplier customers; Insurance coverage requirements; and
2 Fed Outsourcing Guidance o Terms governing the use of the financial institution's property, equipment, and staff.
Relationship Managers • Cost and compensation:
• Right to audit
• Establishment and monitoring of performance standards
• Confidentiality and security of information
• Ownership and license
• Indemnification
• Dispute resolution
• Limits on liability
• Insurance
• Customer complaints
• Business resumption and contingency plan of the service provider
• Foreign-based service providers
• Subcontracting
Contract Negotiation
Financial institutions should understand the service contract and legal issues associated with
proposed outsourcing arrangements. The terms of service agreements should be defined in
written contracts that have been reviewed by the financial institution's legal counsel prior to
execution. The characteristics of the business activity being outsourced and the service
provider's strategy for providing those services will determine the terms of the contract.
Elements of well-defined contracts and service agreements usually include:
• Scope: Contracts should clearly define the rights and responsibilities of each party,
including:
o Support, maintenance, and customer service; o Contract timeframes;
o Compliance with applicable laws, regulations, and regulatory guidance; o Training of
financial institution employees; o The ability to subcontract services;
o The distribution of any required statements or disclosures to the financial institution's
customers; Insurance coverage requirements; and
2 Fed Outsourcing Guidance Legal and Supplier
Relationship Managers o Terms governing the use of the financial institution's property, equipment, and staff.
• Cost and compensation:
• Right to audit
• Establishment and monitoring of performance standards
• Confidentiality and security of information
• Ownership and license
• Indemnification
• Dispute resolution
• Limits on liability
• Insurance
• Customer complaints
• Business resumption and contingency plan of the service provider
• Foreign-based service providers
• Subcontracting
Supervised banks and Including in the contract with the service provider clear expectations about compliance, as
3 CFPB Bulletin on Service Providers well as appropriate and enforceable consequences for violating any compliance-related
nonbanks responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
4 CPSS 115 NA NA
6 FFIEC Booklet on Technology Service Bank Examiners To ensure the examined bank is reviewing the terms of the contract and measuring the
Providers supplier accordingly.
Clearing or carrying member firms must require their approval prior to any transfer of duties
by a 3rd party service provider to a sub-vendor.
Upon adoption of proposed FINRA Rule 3190, FINRA would expect each clearing or carrying
member firm to consider whether amendments or addendums to any such contracts would
7 FINRA 11-14 be necessary to comply with the rule’s requirements.
Ensure contracts specify oversight/supervisory role of the contracting firm
Requirements for vendor and/or 3rd parties to meet regulatory standards
Does not relieve contracting firm of risks and responsibilities to the vendor
The member should ensure that NASD and all other applicable regulators have the same
8 NASD NTM 05-48 Senior Management complete access to the service provider’s work product for the member, as would be the case
if the covered activities had been performed directly by the member.
A Dealer Member that has outsourced one or more activities should enter into written
outsourcing contracts that clearly describe all material aspects of the outsourcing
arrangements, including the rights, responsibilities and expectations of all parties
10 IIROC Guidance On Outsourcing Contract Requirements Consider other legal requirements, such as privacy laws, that may apply when entering into
outsourcing arrangements.
Enter into written outsourcing contracts that clearly describe all material aspects of the
outsourcing arrangements, including the rights, responsibilities and expectations of all parties
12 IOSCOPD432 NA NA
13 REG SP4-57427 NA NA
A common platform firm must ensure that the respective rights and obligations of the firm
and of the service provider are clearly allocated and set out in a written agreement.
A firm should only make an outsourcing proposal notification to the FCA after it has carried
out due diligence on the service provider and has had regard to the guidance carried out due
diligence on the service provider and has had regard to the guidance carried out due
diligence on the service provider and has had regard to the guidance set out in ¡ SYSC 8.3.
The FCA will expect a firm to only submit an outsourcing proposal notification in respect of a
service provider that the firm has determined is suitable to carry on the outsourcing activity.
If a firm has received no notice of objection or no request for further information from the
FCA within one month of the FCA receiving the notification, it may outsource the portfolio
management on the basis set out in the notification.
The FCA would use its powers under section 55J of the Act to vary a firm's permission if it
objected to such a notification.
The guidance set out in ■ SYSC 8.3 includes information on what the FCA will expect a firm
to check before the submission of a notification.
Contract Negotiation
8.2.8 A notification under this section should include: (1) details on which of the conditions is
not met;
(2) if applicable, details and evidence of the service provider's authorization or
regulation including the regulator's contact details;
(3) the firm's proposals for meeting its obligations under this chapter on an
ongoing basis;
(4) why the firm wishes to outsource to the service provider;
(5) a draft of the outsourcing agreement between the service provider and the
firm;
14 FRA-FCA Handbook (6) the proposed start date of the outsourcing; and
(7) confirmation that the firm has had regard to the guidance in ¡ SYSC 8.3, or
if it has not, why not.
Where the FCA has not objected to the outsourcing agreement, the firm should have regard
to its obligations under ¡ SUP 15 which include making the FCA aware of any matters which
could affect the firm's ability to provide adequate services to its customers matters which
could affect the firm's ability to provide adequate services to its customers or could result in
serious detriment to its customers or where there has been material change in the
information previously provided to the FCA in relation to the outsourcing.
Section 8.2 : Outsourcing of portfolio management for retail clients to a non-EEA State
The following should be taken into account by a firm where there is no cooperation
agreement between the FCA and the supervisory authority of the service provider or there is
no supervisory authority of the service provider.
(1) The outsourcing agreement should ensure the firm can provide the FCA with any
information relating to the outsourced activity the FCA may require in order to carry out
effective supervision. The firm should therefore assess the extent to which the service
provider's regulator and/or local laws and regulations may restrict access to information
about the outsourced activity. Any such restriction should be described in the notification to
be sent to the FCA.
(2) The outsourcing agreement should require the service provider to provide the firm's
offices in the United Kingdom with all requested information required to meet the firm's
regulatory obligations. The FCA should be given an enforceable right under the agreement to
obtain such information from the firm and to require the service provider to provide the
information directly
OWG Document NA NA
15
NIST Framework NA NA
16
Ongoing Monitoring
Senior Bank Management Ensure ongoing monitoring of third parties, respond to issues when identified, and escalate
significant issues to the board.
A bank should review existing contracts periodically, particularly those involving critical
activities, to ensure they continue to address pertinent risk controls and legal protections.
Perform ongoing monitoring for the duration of the third-party relationship and ensure
compliance with contract terms and service level a agreements
Financial institutions are responsible for ensuring that services provided by service providers
comply with applicable laws and regulations and are consistent with safe-and-sound banking
practices. Financial institutions should evaluate the adequacy of standards, policies, and
procedures. Depending on the characteristics of the outsourced activity, some or all of the
following may need to be reviewed:
2 Fed Outsourcing Guidance Supplier Risk Managers • Internal controls;
• Facilities management (such as access requirements or sharing of facilities);
• Training, including compliance training for staff;
• Security of systems (for example, data and equipment);
• Privacy protection of the financial institution's confidential information;
• Maintenance and retention of records;
• Business resumption and contingency planning;
• Systems development and maintenance;
• Service support and delivery;
• Employee background checks; and
• Adherence to applicable laws, regulations, and supervisory guidance
CFPB expects supervised banks and nonbanks to have an effective process for managing the
risks of service provider relationships.
Establishing internal controls and on-going monitoring to determine whether the service
provider is complying with Federal consumer financial law; and
3 CFPB Bulletin on Service Providers Supervised Banks and Nonbanks Requesting and reviewing the service provider's policies, procedures, internal controls, and
training materials to ensure that the service provider conducts appropriate training and
oversight of employees or agents that have consumer contact or compliance responsibilities;
Taking prompt action to address fully any problems identified through the monitoring
process, including terminating the relationship where appropriate.
Ongoing Monitoring
A critical service provider should reassess its risks, as well as the adequacy of its risk-
4 CPSS 115 Critical Service Provider management framework in addressing the identified risks, on an ongoing basis.
Should have policies and procedures for monitoring its compliance with its information
security framework.
An ongoing due diligence analysis of each current or prospective third-party service provider
is required to determine, at a minimum, whether: (1) the third-party service provider is
7 FINRA 11-14 Monitoring capable of performing the activities being outsourced; and (2) with
respect to any activities being outsourced, the member firm can achieve compliance with
applicable securities laws and regulations and applicable FINRA and MSRB rules.
Ongoing monitoring of the vendor and 3rd parties to ensure compliance with rules and regs
Ensure the vendor is capable of meeting obligations to the firm
After the member has selected a third-party service provider, the member has a continuing
responsibility to oversee, supervise, and monitor the service provider’s performance of
covered activities
8 NASD NTM 05-48
The member must have in place specific policies and procedures that will monitor the
service providers’ compliance with the terms of any agreements and assess the service
provider’s continued fitness and ability to perform the covered activities being outsourced.
A Dealer Member that has outsourced one or more activities should establish and carry-out
a comprehensive outsourcing risk management program that monitors the risks associated
with:
A Dealer Member that has outsourced one or more activities should establish and carry-out
a comprehensive outsourcing risk management program that monitors the risks associated
with: the outsourced activities; and the outsourcing relationship entered into with the
service provider.
10 IIROC Guidance On Outsourcing Vendor Management
Perform outsourcing agreement reviews to ensure that the outsourced activities covered by
each outsourcing agreement are being performed in accordance with the agreement service
level requirements without exposing the Dealer Member to undue risk
Perform outsourcing agreement reviews to ensure that the outsourced activities covered by
each outsourcing agreement are being performed in accordance with the agreement service
level requirements without exposing the Dealer Member to undue risk
The outsourcing firm should also establish appropriate processes and procedures for
monitoring the performance of the third party service provider. In determining the
Monitoring Processes and
11 IOSCOPD187 appropriate level of monitoring processes and procedures, the outsourcing firm
Procedures
should consider the materiality of the outsourced activity to the ongoing business of
the outsourcing firm and its regulatory obligations, as discussed in the introduction to
these Principles.
GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the
Commission, and investment companies to provide an annual notice of their privacy policies
and practices to their customers (and notice to consumers before sharing their nonpublic
personal information with nonaffiliated third parties outside certain exceptions)
Ongoing Monitoring
GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the
Commission, and investment companies to provide an annual notice of their privacy policies
and practices to their customers (and notice to consumers before sharing their nonpublic
personal information with nonaffiliated third parties outside certain exceptions)
When we adopted the disposal rule, we also amended Regulation S-P to require that the
policies and procedures institutions must adopt under the safeguards rule be in writing.
Section 216 of the FACT Act amended the FCRA directed the Commission and other federal
13 REG SP4-57427 financial regulators to adopt regulations for the proper disposal of consumer information,
and provides that any person who maintains or possesses consumer information or any
compilation of consumer information derived from a consumer report for a business
purpose must properly dispose of the information. The disposal rule requires transfer agents
In order to provide clarity, the Disposal Rule Adopting Release included five examples
intended to provide guidance on disposal measures that would be deemed reasonable
under the disposal rule.
Registered with the Commission, as well as brokers and dealers other than notice-registered
broker-dealers, investment advisers registered with the Commission, and investment
companies that maintain or possess “consumer report information” for a business purpose,
to take “reasonable measures to protect against unauthorized access to or use of the
information in connection with its disposal.”
A management company must retain the necessary resources and expertise so as to monitor
effectively the activities carried out by third parties on the basis of an arrangement with the
firm, especially with regard to the management of the risk associated with those
arrangements
14 FRA-FCA Handbook
For the purposes of this chapter an operational function is regarded as critical or important
if a defect or failure in its performance would materially impair the continuing compliance of
a common platform firm with the conditions and obligations of its authorization or its other
obligations under the regulatory system, or its financial performance, or the soundness or
the continuity of its relevant services and activities.
OWG Document NA NA
15
Ensure an effective process is in place to manage risks related to third-party relationships in a manner consistent
with the bank’s strategic goals, organizational objectives, and risk appetite.
Approve the bank’s risk-based policies that govern the third-party risk management process and identify critical
activities.
Board Of Directors
Review and approve management plans for using third parties that involve critical activities.
Review summary of due diligence results and management’s recommendations to use third parties that involve
critical activities.
Approve contracts with third parties that involve critical activities.
1 OCC Bulletin 2013-29
Oversee enterprise-wide risk management and reporting of third-party relationships.
Review the results of the due diligence to determine whether the third party is able to meet the bank’s expectations
Senior Bank Management and whether the bank should proceed with the third-party relationship. If the results do not meet expectations,
management should recommend that the third party make appropriate changes, find an alternate third party,
conduct the activity in-house, or discontinue the activity.
Bank Employees Who Manage Third- Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-
party relationships party risk management process with its enterprise risk management framework enables continuous oversight and
accountability.
While the activities necessary to implement an effective service provider risk management program can vary based
2 Fed Outsourcing Sr, Mgt on the scope and nature of a financial institution's outsourced activities, effective programs usually include the
Guidance following core elements:
A. Risk assessments;
B. Due diligence and selection of service providers;
C. Contract provisions and considerations;
D. Incentive compensation review;
E. Oversight and monitoring of service providers; and
F. Business continuity and contingency plans.
• The identification and management of risks should be overseen by the critical service provider’s board of directors
Board Of Directors (board).
• The board is expected to ensure an independent and professional internal audit function.
• Should ensure that it provides reliable and resilient operations to users, whether these operations are provided to
Critical Service Provider an FMI directly or to both an FMI and its participants. A critical service provider should have robust operations that
meet or exceed the needs of the FMI.
CFPB Bulletin on The mere fact that a supervised bank or nonbank enters into a business relationship with a service provider does
3 Service Providers Supervised bank and nonbank not absolve the supervised bank or nonbank of responsibility for complying with Federal consumer financial law to
avoid consumer harm.
A service provider that is unfamiliar with the legal requirements applicable to the products or services being offered,
or that does not make efforts to implement those requirements carefully and effectively, or that exhibits weak
Service Provider internal controls, can harm consumers and create potential liabilities for both the service provider and the entity
with which has a business relationship.
Supervised bank and nonbank Depending on the circumstances, legal responsibility may lie with the supervised bank or nonbank as well as with
the supervised service provider.
4 CPSS 115 NA NA
On oversight, we assessed the firms’ overall oversight frameworks and looked in depth at four
specific areas of outsourced investment operations where we considered there to be a risk of
errors or omissions potentially resulting in customer detriment, namely:
i. reconciliations of assets held with the custodian
ii. pricing and valuations of a portfolio or specific instruments
iii. corporate actions relating to instruments held (such as payment of dividends, rights issues,
meetings of shareholders etc) and
iv. trade processing
In the case of mandatory corporate actions, most asset managers relied on a monitoring and tracking system
provided by their service provider for automated capture of cash dividends and bonus issues. Firms applying more
effective oversight retained capacity to confirm that no
actions had been missed by the provider, despite it being an automated process, by either using off-the-shelf
systems or liaising directly with custodians.
To measure the effectiveness of which a bank has oversight and hold their suppliers accountable against their
against scope, criticality, and services provided.
FFIEC Booklet on
6 Technology Service Bank Examiners
Providers
Oversight & Accountability
Ensure compliance with applicable securities laws and regulations as well as FINRA and MSRB rules when
outsourcing functions and activities
7 FINRA 11-14 Senior Management Prohibits a member firm from delegating its responsibilities for, or control over, any functions or activities performed
by a third-party service provider.
No person can engage in activities that require registration and qualification under FINRA rules without obtaining
the necessary registrations and qualifications.
Risk Transference Firms not relieved of risks and responsibilities and need to ensure the vendor is in compliance with all laws and regs
Members should also include specific policies and procedures to determine whether any covered activities that the
member is contemplating outsourcing are appropriate for outsourcing . Firms may want to consider: financial ,
reputational , and operational impact on the member firm if the third-party service provider fails to perform; the
potential impact of outsourcing on the member’s provision of adequate services to its customers; and the impact of
outsourcing the activity on the ability and capacity of the member to conform with regulatory requirements and
8 NASD NTM 05-48 Senior Management changes in requirements. This is not meant to be an exclusive or exhaustive list of factors a member may need to
consider.
Prohibits a member firm from delegating its responsibilities for, or control over, any functions or activities performed
by a third-party service provider.
A member may never contract its supervisory and compliance activities away from its direct control.
Describe Management Oversight & Controls
9 ICI - FICCA Senior Management
Engagements Describe Responsibilities for risk governance & internal controls
Description and documentation of risk assessment processes
Dealer Members should adopt formal due diligence policies and procedures relating to outsourcing arrangements
Dealer Members should consider ensuring that the outsourcing arrangement with an affiliate includes procedures
designed to limit the access and control that affiliate employees, as well as Dealer Member employees who are
IIROC Guidance On dually employed by the affiliate, may have over Dealer Member and Dealer Member client account data, records
10 Outsourcing NA and assets.
The Dealer Member that has outsourced specific activities retains responsibility for ensuring that the activities are
performed properly and in compliance with relevant IIROC requirements. Outsourcing firms are expected to take
steps to ensure that they and their regulators have access to books and records of service providers concerning
outsourced activities, and that their regulators have the right to obtain, upon request, information concerning the
outsourced activities.
Out of Scope Principle 23 of the Objectives and Principles for Securities Regulation requires that the issues identified
above be addressed. It states that “market intermediaries should be required to comply with standards for
11 IOSCOPD187 internal organizations and operational conduct that aim to protect the interests of clients, ensure proper
management of risk, and under which management of the intermediary accepts primary responsibility for
these matters”. The Objectives and Principles also note that “Effective policies and operational procedures
and controls in relation to the firm’s day-to-day business operations should be established.” See id. at
§12.5.
where outsourcing takes place by regulated entities, a firm’s control over the people and processes dealing
with the outsourced function may decrease. Nonetheless, regulators require that the outsourcing firm,
including its board of directors and senior management, remain fully responsible (towards clients and
Board of Directors and Senior regulatory authorities) for the outsourced function, as if the service was being performed in-house.
Management
Accordingly, management and the governing authority of the outsourcing firm should develop and
implement appropriate policies designed to achieve satisfaction of these Outsourcing principles,
periodically review the effectiveness of those policies, and address outsourcing risks in an effective and
timely manner.
The outsourcing firm, its management and its governing authority retains full legal liability and
Accountability accountability to the regulator for any and all functions that the firm may outsource to a service provider to
the same extent as if the service were provided inhouse.
Where a third-party service provider operates other lines of business or provides other services that are
not essential or important to the operation of an FMI, these activities are out of scope of the assessment
against the oversight expectations of Annex F.
Out of Scope
Oversight & Accountability
Out of Scope
Where a third-party service provider operates other lines of business or provides other services that are
not essential or important to the operation of an FMI, these activities are out of scope of the assessment
against the oversight expectations of Annex F.
This assessment focuses only on the critical services provided by a third-party service provider to an FMI.
Under this assessment methodology for Annex F, a rating for each oversight expectation can be assigned
along the same framework developed for the CPSS-IOSCO Principles for financial market infrastructures:
Disclosure framework and Assessment methodology report. The rating framework is built on the gravity
and urgency of the need to remedy identified issues of concern.
The identification and management of risks should be overseen by the critical service provider’s board of
Board of Directors directors (board) and assessed by an independent, internal audit function that can communicate clearly its
assessments to relevant board members. The board is expected to ensure an independent and
professional internal audit function.
The internal audit function should be reviewed to ensure it adheres to the principles of a professional
organisation that governs audit practice and behaviour (such as the Institute of Internal Auditors) and is
Internal Audit able to independently assess inherent risks as well as the design and effectiveness of risk-management
processes and internal controls. The internal audit function should also ensure that its assessments are
communicated clearly to relevant board members.
13 REG SP4-57427 NA NA
14 FRA-FCA Handbook
Oversight & Accountability
A common platform firm must in particular take the necessary steps to ensure that the following conditions are
satisfied: 8.1.8 FCA PRA
(1) the service provider must have the ability, capacity, and any authorization required by law to perform the
outsourced functions, services or activities reliably and professionally;
(2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish
methods for assessing the standard of performance of the service provider;
(3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately
manage the risks associated with the outsourcing;
(4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions
effectively and in compliance with applicable laws and regulatory requirements;
(5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the
risks associated with the outsourcing , and must supervise those functions and manage those risks;
(6) the service provider must disclose to the firm any development that may have a material impact on its ability to
carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
(7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to
the continuity and quality of its provision of services to clients;
(8) the service provider must co-operate with the appropriate regulator and any other relevant competent authority
in connection with the outsourced activities; 8 ¡ Release 147 œ March 2014 8.1.8 SYSC 8 : Outsourcing Section
8.1 : General outsourcing requirements PAGE 4(9) the firm, its auditors, the appropriate regulator and any other
relevant competent authority must have effective access to data
14 FRA-FCA Handbook related to the outsourced activities, as well as to the business
premises of the service provider; and the appropriate regulator
and any other relevant competent authority must be able to exercise
those rights of access;
(10) the service provider must protect any confidential information
relating to the firm and its clients;
(11) the firm and the service provider must establish, implement and
maintain a contingency plan for disaster recovery and periodic
testing of backup facilities where that is necessary having regard
to the function, service or activity that has been outsourced.
[Note: article 14(2) second paragraph of the MiFID implementing
(9) the firm, its auditors, the appropriate regulator and any other relevant competent authority must have effective
access to data related to the outsourced activities, as well as to the business premises of the service provider; and
the appropriate regulator and any other relevant competent authority must be able to exercise those rights of
access;
(10) the service provider must protect any confidential information relating to the firm and its clients;
(11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster
recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or
activity that has been outsourced.
[Note: article 14(2) second paragraph of the MiFID implementing Directive .A management company must retain the
necessary resources and
expertise so as to monitor effectively the activities carried out by third 8.1.13 FCA parties on the basis of an
arrangement with the firm, especially with
regard to the management of the risk associated with those arrangements.
OWG Document NA NA
15
3.3 Communicating Cybersecurity Requirements with Stakeholders
The Framework provides a common language to communicate requirements among interdependent stakeholders
responsible for the delivery of essential critical infrastructure services. Examples include:
•
An organization may utilize a Target Profile to express cybersecurity risk management requirements to an external
service provider (e.g., a cloud provider to which it is exporting data).
•
An organization may express its cybersecurity state through a Current Profile to report results or to compare with
acquisition requirements.
•
A critical infrastructure owner/operator, having identified an external partner on whom that infrastructure depends,
may use a Target Profile to convey required Categories and Subcategories.
•
A critical infrastructure sector may establish a Target Profile that can be used among its constituents as an initial
baseline Profile to build their tailored Target Profiles.
NIST Framework
Oversight & Accountability
Asset Management (ID.AM): The data, ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g.,
NIST Framework personnel, devices, systems, and suppliers, customers, partners) are established
facilities that enable the organization to • COBIT 5 APO01.02, DSS06.03 • ISA 62443-2-1:2009 4.3.2.3.3 • ISO/IEC 27001:2013 A.6.1.1
achieve business purposes are
identified and managed consistent with
their relative importance to business
objectives and the organization’s risk
strategy
Terminate arrangements with 3rd parties that do not meet expectations or no longer align
Senior Bank Management with the banks strategic goals, objectives or risk appetite. Ensure that relationships terminate
in an efficient manner, whether the activities are transitioned to another third party or in-
house, or discontinued.
Recommend termination of arrangements with 3rd parties that do not meet expectations or
no longer align with the banks strategic goals, objectives or risk appetite.
4 CPSS 115 NA NA
As the majority of service providers are part of G-SIFIs13, they will have recovery and
resolution plans (RRPs) or ‘living wills’ in place. RRPs are designed to help regulatory
authorities develop plans to resolve failing G-SIFIs in an orderly manner. We found that a lot
of asset managers are keen to incorporate the RRP of their service provider’s group within
5 FCA Outsourcing In Asset Mgmt. Industry NA their emergency exit plans. However, asset managers should be mindful that the existence of
an RRP does not
automatically mean that the current service they receive will continue uninterrupted if the
group experiences severe financial distress. We continue to keep in close contact with the
PRAon the development of G-SIFI’s RRPs.
6 FFIEC Booklet on Technology Service Bank Examiners To measure the effectiveness of which a bank has an exit strategy in event of suppliers
Providers disruption or inadequate level of service oversight
7 FINRA 11-14 NA NA
An outsourcing firm is expected to have a written, legally binding contract between itself and
the third party service provider, appropriate to the materiality of the outsourced activity to
10 IIROC Guidance On Outsourcing the ongoing business of the firm. The contract may include, as applicable, provisions dealing
with.. Termination of the contract, transfer of information and exit strategies
Outsourcing firms are expected to take appropriate steps to manage termination of
Vendor Management outsourcing arrangements.
Outsourcing with third party service providers should include contractual provisions
relating to termination of the contract and appropriate exit strategies
This risk needs to be managed by an agreement between the firm and the service
provider taking into account factors such as when an arrangement can be terminated,
what will occur on termination and strategies for managing the transfer of the activity
back to the firm or to another party.
11 IOSCOPD187 Termination Guidance
Means for Implementation: Termination rights, e.g., in case of insolvency, liquidation
or receivership, change in ownership, failure to comply with regulatory requirements,
or poor performance; Minimum periods before an announced termination can take
effect to allow an orderly transition to another provider or to the firm itself, and to
provide for the return of customer-related data, and any other resources; The clear
delineation of ownership of intellectual property following the contract’s termination,
and specifications relating to the transfer of information back to the outsourcing firm.
12 IOSCOPD432 NA NA
13 REG SP4-57427 NA NA
NA
14 FRA-FCA Handbook NA
OWG Document NA
15 NA
NA NA
16 NIST Framework
Documentation and Reporting
Senior Bank Management Ensure appropriate documentation and reporting throughout the life cycle for all third-party
relationships.
Financial institutions are responsible for ensuring that services provided by service providers
comply with applicable laws and regulations and are consistent with safe-and-sound banking
practices. Financial institutions should evaluate the adequacy of standards, policies, and
procedures. Depending on the characteristics of the outsourced activity, some or all of the
following may need to be reviewed:
• Internal controls;
• Facilities management (such as access requirements or sharing of facilities);
• Training, including compliance training for staff;
2 Fed Outsourcing Guidance Supplier Risk Managers
• Security of systems (for example, data and equipment);
• Privacy protection of the financial institution's confidential information;
• Maintenance and retention of records;
• Business resumption and contingency planning;
• Systems development and maintenance;
• Service support and delivery;
• Employee background checks; and
• Adherence to applicable laws, regulations, and supervisory guidance
• A critical service provider is expected to identify and manage relevant operational and
financial risks to its critical services and ensure that its risk-management processes are
effective.
• Should have effective processes and systems for identifying and documenting risks,
implementing controls to manage risks, and making decisions to accept certain risks.
• Should reassess its risks, as well as the adequacy of its risk-management framework in
addressing the identified risks, on an ongoing basis.
• Should have a robust information security framework that appropriately manages its
information security risks. The framework should include sound policies and procedures to
4 CPSS 115 Critical Service Provider protect information from unauthorized disclosure, ensure data integrity, and guarantee the
availability of its services.
Documentation and Reporting
• This framework should also include capacity planning policies and change-management
practices. For example, a critical service provider that plans to change its operations should
assess the implications of such a change on its information security arrangements.
• Any operational incidents should be recorded and reported to the Financial Market
Infrastructure (FMI) and the FMI’s regulator, supervisor, or overseer. Incidents should be
analyzed promptly by the critical service provider in order to prevent recurrences that could
have greater implications.
FFIEC Booklet on Technology Service To measure the effectiveness of which a bank documents and reports on suppliers
6 Bank Examiners
Providers performance and delivery of service.
A Clearing or Carrying member firm must notify FINRA within 30 calendar days after entering
into any outsourcing agreement with a 3rd party service provider to perform any function or
Person designated with activity related to the firms business as a regulated broker dealer. Notification must include
responsibility for FINRA the function being performed, the identity and location of the 3rd party service provider, the
7 FINRA 11-14 notifications identity of the 3rd party service providers regulator( if any) and a description of any
affiliation between the firm and the 3rd party service provider.
A Dealer Member should inform IIROC of any new outsourcing arrangements involving core
Dealer Member activities that are being entered into by a Dealer Member, in accordance
with IIROC Rules Notice 10-0060
maintain a centralized list, along with copies of related agreements, of the outsource service
providers to which core Dealer Member activities have been outsourced
where practical and/or available (such as special purpose reports regularly prepared by
external auditors for outsource service providers5), obtain and provide to IIROC a report on
the adequacy of internal controls for each outsource arrangement relating to a core Dealer
Member activity and include as part of its business continuity planning, plans that address
the scenario where one or more major outsource service providers undergo a business
disruption. Requirement for the outsourcing firm to monitor the third party service
provider's performance and compliance with its contractual obligations, including processes
and procedures that:
• Clearly define metrics that will measure the service level, and specify what service levels
Management are required; and
• Establish measures to identify and report instances of non-compliance or unsatisfactory
performance to the outsourcing firm as well as the ability to assess the quality of services
performed by the service provider on a regular basis
Documentation and Reporting
Company should have an "Information Security Policy" that contains provisions describing
impact on, and applicability to, third-parties (subcontractors).
- Controls should address monitoring compliance and awareness and training.
Company should have a "Document Retention and Recordkeeping Policy" that includes
controls that address the process for subcontractor / vendor compliance.
Company should have controls that address the process for "Security Master Setup and
Maintenance" that include controls that address process for oversight of subservice
providers (e.g., user control considerations at sub accounting platforms where these controls
may be performed)
Company should have controls that address "Transaction Processing - Financial and
Nonfinancial" that include controls that address oversight of subservice providers (e.g., user
control considerations at sub accounting platforms where controls may be performed).
Company should have controls that address "Subaccount Billing, Invoice Processing" that
include controls that address oversight of subservice providers.
Company should have controls that address "Fee Calculations" that include controls that
address oversight of subservice providers.
Company should have controls that address "Information Technology (including Internet &
VRU)" that include controls that address Third-party providers the company uses for
Information Technology Services.
Company should have controls that address "Blue Sky Reporting" that include controls that
address oversight of subservice providers.
A critical service provider should ensure that it provides reliable and resilient
operations to users, whether these operations are provided to an FMI directly or to
both an FMI and its participants. A critical service provider should have robust
operations that meet or exceed the needs of the FMI. Any operational incidents
should be recorded and reported to the FMI and the FMI’s regulator, supervisor, or
overseer. Incidents should be analysed promptly by the critical service provider in
order to prevent recurrences that could have greater implications.
In addition, a critical service provider should have robust business continuity and
disaster recovery objectives and plans. These plans should include routine business
continuity testing and a review of these test results to assess the risk of a major
Incident Reporting / operational disruption.
Testing Results / Defined
12 IOSCOPD432
Roles / Crisi In particular, a critical service provider should provide the FMI and, where
Communications Plan appropriate, its participants with sufficient information so that users clearly
understand their roles and responsibilities, enabling them to manage adequately their
risks related to their use of the services provided. Useful information for users
typically includes, but is not limited to, information concerning the critical service
provider’s management processes, controls, and independent reviews of the
effectiveness of these processes and controls.
13 REG SP4-57427 NA NA
Documentation and Reporting
OWG Document NA NA
15
NA NA
16 NIST Framework
Independent Review
Board Of Directors Review results of periodic independent reviews of the bank’s third-party risk management
process.
4 CPSS 115 Independent, internal audit Identification and management of risks should be assessed by an independent, internal
function audit function that can communicate clearly its assessments to relevant board members.
6 FFIEC Booklet on Technology Service Bank Examiners To measure the effectiveness of which a supplier is independently reviewed to ensure client
Providers contract/ compliance adherence.
7 FINRA 11-14 NA NA
Where practical and/or available (such as special purpose reports regularly prepared by
external auditors for outsource service providers5), obtain and provide to IIROC a report on
the adequacy of internal controls for each outsource arrangement relating to a core Dealer
Member activity;
10 IIROC Guidance On Outsourcing
The guidance specifies that the registrant firm and its regulator and auditors should have the
same access to the work product of a third-party service provider as they would if the firm
itself performed the activities. Firms should ensure this access is provided and should include
Audit Requirements a provision requiring it in any contract entered into with a service provider.
11 IOSCOPD187 NA NA
13 REG SP4-57427 NA NA
14 FRA-FCA Handbook NA NA
Industry response to FSA Enhanced Supplier Guidelines for Financial Institutions. Key area of
Enterprise Risk Management and
OWG Document Supplier Relationship Managers focus around supplier management: Oversight, Exit Planning and Standardization. Each
15 institution will need to decide on implementation plan.
NA NA
16 NIST Framework
Supervisory Review
Carefully review the bank’s plans for appropriate and sustainable remediation of such
deficiencies, particularly those associated with the oversight of third parties that involve
critical activities.
Follow existing guidance for citing deficiencies in supervisory findings and reports of
examination, and recommend appropriate supervisory actions.
Consider the findings when assigning the management component of the Federal Financial
1 OCC Bulletin 2013-29 OCC Examiners Institutions Examination Council’s (FFIEC) Uniform Financial Institutions Rating System
(CAMELS ratings).12
Reflect the associated risks in their overall assessment of the bank’s risk profile
When circumstances warrant, the OCC may use its authority to examine the functions or
operations performed by a third party on the bank’s behalf. Such examinations may evaluate
safety and soundness risks, the financial and operational viability of the third party to fulfill
its contractual obligations, compliance with applicable laws and regulations, including
consumer protection, fair lending, BSA/AML and OFAC laws, and whether the third party
engages in unfair or deceptive acts or practices in violation of federal or applicable state law.
Title X authorizes the CFPB to examine and obtain reports from supervised banks and
nonbanks for compliance with Federal consumer financial law and for other related purposes
and also to exercise its enforcement authority when violations of the law are identified.
Title X grants the CFPB supervisory and enforcement authority over supervised service
providers, which includes the authority to examine the operations of service providers on
3 CFPB Bulletin on Service Providers CFPB site.
The CFPB will exercise the full extent of its supervision authority over supervised service
providers, including its authority to examine for compliance with Title X's prohibition on
unfair, deceptive, or abusive acts or practices.
The CFPB will also exercise its enforcement authority against supervised service providers as
appropriate.
• A critical service provider is expected to implement and maintain appropriate policies and
procedures, and devote sufficient resources to ensure the confidentiality and integrity of
information and the availability of its critical services in order to fulfil the terms of its
4 CPSS 115 Critical Service Providers relationship with an Financial Market Infrastructure (FMI).
• Should have a robust information security framework that appropriately manages its
information security risks.
7 FINRA 11-14 NA NA
the relevant regulator may impose sanctions and penalties on a regulated entity in its
jurisdiction for violations of statutory and regulatory requirements that resulted in
whole or in part from the failure of a service provider (whether licensed or unlicensed)
to perform its contractual obligations for the outsourcing firm.
Regulatory Action
Outsourcing firms should also be aware of and comply with local mechanisms that
may have been put in place to implement these Principles. Such mechanisms may
take the form of government regulation, regulations imposed by non-government
statutory regulators, industry codes or practices, or some combination of these items.
The outsourcing firm must retain the competence and ability to be able to ensure that
the firm complies with all regulatory requirements. Moreover, outsourcing must not be
permitted to impair the regulator’s ability to exercise its statutory responsibilities, such
as the proper supervision and audit of the firm. Regulators should also consider the
implications that the use of unlicensed service providers may have on the regulator’s
ability to supervise properly securities activities in their jurisdiction. Such concerns
may be heightened in instances where the outsourcing firm delegates to the service
provider the authority to act in the name of the outsourcing firm.
The regulator, the outsourcing firm, and its auditors should have access to the books
and records of service providers relating to the outsourced activities and the regulator
should be able to obtain promptly, upon request, information concerning activities that
are relevant to regulatory oversight.
Regulator's and
Intermediary’s Access to
Books and Records,
Including Rights of
Inspection.
Supervisory Review
As set forth in IOSCO Principle 12.7, the regulator should have the right to inspect
books and records of regulated entities. Accordingly, regulators should be able, upon
request, to obtain promptly any books and records pertaining to the regulated activity,
irrespective of whether they are in the possession of the outsourcing firm or the third
party service provider, and to obtain additional information concerning regulated
activities performed by the service provider. A regulator’s access to such books and
records may be direct or indirect, though the outsourcing firm should always maintain
direct access to such books and records. This may include a requirement that the
books and records be maintained in the regulator’s jurisdiction, or that the service
provider agrees to send originals or copies of the books and records to the
regulator’s jurisdiction
upon request. Moreover, in order to facilitate the regulator’s access to books and
records as well as to maintain orderly business operations of the outsourcing firms,
arrangements between outsourcing firms and service providers should seek to
ensure that the outsourcing firms have appropriate access to books and records and
other information where it is in the custody of a third party.
Regulator's and
Intermediary’s Access to
Books and Records,
Including Rights of Means for Implementation: Contractual provisions by which the outsourcing firm
Inspection. (including its auditor) has access to, and a right of inspection of, the service
provider's books and records dealing with outsourced activities, and similar access to
the books and records of any subcontractor. Where appropriate, these may include
physical inspections at the premises of the service provider, delivery of books and
records or copies of books and records to the outsourcing firm or
its auditor, or inspections that utilize electronic technology (i.e., “virtual inspections”);
Contractual provisions by which the service provider is required to make books,
records, and other information about regulated activities by the
service provider available to the regulator upon request and, in addition, to comply
with any requirements in the outsourcing firm’s jurisdiction to provide periodic reports
11 IOSCOPD187 to the regulator.
Where appropriate, taking action against outsourcing firms for the failure to provide
books and records required in that jurisdiction, without regard to whether the
regulated entity has transferred possession of required books and records to one or
more of its service providers; Imposing specific requirements concerning access to
books and records that are held by a service provider and which are necessary for
the authority to perform its oversight and supervisory functions with respect to
regulated entities in its jurisdiction. These may possibly include requiring that records
be maintained in the regulator’s jurisdiction, allowing for a right of inspection, or
requiring that the service provider agree to send originals or
copies of the books and records to the regulator’s jurisdiction upon request
The outsourcing firm should take appropriate steps to require that service
providers protect confidential information regarding the outsourcing firm’s proprietary
and other information, as well as the outsourcing firm’s clients from intentional or
inadvertent disclosure to unauthorized individuals. Unauthorized disclosure of
confidential firm and customer information could have a
number of negative consequences. Such unauthorized disclosure could result in
damage to the firm’s reputation, financial losses, and the loss of or risk to proprietary
information (including the firm’s trade secrets). In addition, unauthorized disclosure
could result in the disclosure of private and sensitive information about individuals
Client Confidentiality Iss
who have a reasonable expectation of privacy, and might also result in a material
financial loss to a firm’s customers. In addition to the potential harm to a firm’s
customers, an unauthorized disclosure could also result in the outsourcing firm
having financial liability to its customers and/or its regulators, possibly affecting the
firm’s solvency. Where appropriate, regulators may choose to review the protections
that are in place between the outsourcing firm and the service provider and, in
addition, may choose to review the measures that are in place between a service
provider and its agents that may have an impact on the data and/or its use, so that
there are no unauthorized disclosures among the various service providers.
Supervisory Review
Typically, this assessment would be conducted (or commanded) by the critical service
provider itself which would then make the (self-)assessment available to the FMI and
the latter's regulatory authority. The assessment methodology relies on key questions
for each oversight expectation, which address the critical service provider’s approach
or framework to managing risks. These questions are neither intended to serve purely
as a checklist nor to be exhaustive. Regulators, supervisors, and overseers of FMIs
could, at their discretion, pose additional questions as needed to address the
particulars of the FMI, its critical service providers, or other relevant issues.
The key questions seek answers as to whether the critical service provider's policies
and procedures in the identified areas are clear and comprehensive, and how these
are documented, reviewed and updated. A critical service provider may find it
beneficial to disclose its answers to the key questions in the assessment
methodology in order to help authorities, FMIs and, where relevant, their participants
enhance their understanding of the risks involved in using the critical service
provider’s services.
12 IOSCOPD432
The authority of an FMI might have limited direct access to a critical service provider
of that FMI when the critical service provider resides in another country. In such case,
the authority can either convey its requirements through the abovementioned cross-
border supervisory cooperation, or communicate its requirements via the FMI over
which it has authority.
13 REG SP4-57427 NA NA
Supervisory Review
A common platform firm must: not undertake the outsourcing of important operational
functions in such a way as to impair materially:(a) the quality of its internal control; and(b)
the ability of the appropriate regulator to monitor the firm's compliance with all obligations
under the regulatory system and, if different, of a competent authority to monitor the firm's
compliance with all obligations under MiFID.
14 FRA-FCA Handbook NA
Enterprise Risk Industry response to FSA Enhanced Supplier Guidelines for Financial Institutions. Key area of
OWG Document Management and Supplier focus around supplier management: Oversight, Exit Planning and Standardization. Each
Relationship Managers institution will need to decide on implementation plan.
15
NA NA
16 NIST Framework
Other
BCP:
• A critical service provider is expected to implement appropriate policies and procedures,
and devote sufficient resources to ensure that its critical services are available, reliable, and
resilient. Its business continuity management and disaster recovery plans should therefore
support the timely resumption of its critical services in the event of an outage so that the
service provided fulfils the terms of its agreement with an FMI.
• In addition, a critical service provider should have robust business continuity and disaster
recovery objectives and plans. These plans should include routine business continuity testing
and a review of these test results to assess the risk of a major operational disruption.
• Should have mechanisms to consult with users and the broader market on any technical
changes to its operations that may affect its risk profile, including incidences of absent or
non-performing risk controls of services.
• Should have a crisis communication plan to handle operational disruptions to its services.
enhance their contingency plans for the failure of a service provider providing critical
activities, taking into account industry-led guiding principles where applicable
Other
Some of the asset managers said they were comfortable with not
having a contingency plan in place at all because their service providers
are part of systemically important banking groups that are too big to
fail and therefore the respective governments would bail them out.
This assertion is inconsistent with the Prudential Regulation Authority’s
(PRA’s) focus on the ability of systemically important global groups to be
wound-down and resolved in a controlled manner. It is also a breach of
FCA requirements, as set out in SYSC 8, to not adequately manage the
risks associated with outsourcing a critical activity.
As most asset managers are likely to move to a new service provider if their incumbent
provider
were to fail, firms should consider if they have not already:
• how their contingency planning would allow them to continue to service their customers
during the interim period whilst the transfer takes place, and
• if appropriate, how their ability to transfer between providers can be improved
There are other steps that asset managers are taking to enhance their readiness for a failure
of their service provider. Most importantly, asset managers are beginning to devise and put
in place exit plans that focus on the continuation of service to their customers in the event
of a failure of their service provider. Recent findings show that for asset managers to provide
FCA Outsourcing In Asset Mgmt. continuity of service whilst exiting from one service provider and moving to another at short
5 Asset Managers notice they require:
Industry
• a detailed understanding of their asset manager’s operational exposure to their service
provider(s)
• identification of the outsourced activities that are essential to ensure a basic level of
service to customers, and
• knowledge of how, where and at what regularity the essential activities are expected to be
carried out and how they are to be overseen
11 For example, Service Level Agreements and operating model overviews.
12 For example, by having in place a Memorandum of Understanding.
When devising exit plans, asset managers should consider whether the plan should be:
• a subset of current BCP subject to similar controls, such as updating and testing the plan
on a periodic basis and
• formalised with the service provider at the outset of a contractual relationship or as soon
as reasonably possible, including agreement on which activities should be transferred to a
new service provider as a priority if applicable
Asset managers should consider adopting the guiding principles on exit planning proposed
by the OWG where appropriate. This should improve an asset manager’s ability to exit an
outsourcing contract in an orderly and efficient manner not only when there has been a
failure of the incumbent service provider.
As the majority of service providers are part of G-SIFIs13, they will have recovery and
resolution plans (RRPs) or ‘living wills’ in place. RRPs are designed to help regulatory
authorities develop plans to resolve failing G-SIFIs in an orderly manner. We found that a lot
of asset managers are keen to incorporate the RRP of their service provider’s group within
their emergency exit plans. However, asset managers should be mindful that the existence
of an RRP does not
automatically mean that the current service they receive will continue uninterrupted if the
group experiences severe financial distress. We continue to keep in close contact with the
PRA on the development of G-SIFI’s RRPs.
We have found that some asset managers are improving their surveillance of their service
providers’ financial position. Information gathered as part of this oversight could, for
example, potentially act as a forewarning of deteriorating credit-worthiness. The guiding
principles for oversight models proposed by the OWG include ongoing surveillance.
13 Global
6 FFIEC Booklet on Technology Service NA NA
Providers
Designated Supervisory A clearing or carrying member firm must vest an associated person of the firm with the
Position (Properly Registered authority and responsibility for the following activities:
Associated Person) (1) the movement of customer or proprietary cash or securities;
(2) the preparation of net capital or reserve formula computations; and
7 FINRA 11-14 (3) the adoption or execution of compliance or risk management systems.
The execution can be outsourced as long as the supervision remains within the firm.
Senior Management Rule excepts ministerial activities performed on behalf of a member firm, unless otherwise
prohibited by applicable securities laws and regulations or applicable FINRA and MSRB rules,
and clarifies that its provisions would not restrict activities performed pursuant to a carrying
agreement approved under FINRA Rule 4311 (Carrying Agreements)
8 NASD NTM 05-48 Senior Management Rule allows a member to outsource certain activities that support the performance of its
supervisory and compliance responsibilities
IIROC rules effectively prohibit the outsourcing of most client-facing activities of the Dealer
Member (all of which would be considered to be “core” activities) including:
• a Registered Representative’s assessment of the information collected from the client to
ensure that the information is current, complete and accurate and that they comply with
their “know your client” obligation [Dealer Member Rules 39.3; 1300.1(a); 2500,
Introduction; 2500, Part II and 2700, Part II]; a Registered Representative’s performance of
10 IIROC Guidance On Outsourcing suitability assessments [Dealer Member Rules 39.3; 1300.1(p) through (s) and 2500,
Introduction]; a Designated complaints officer’s oversight of the handling of client
complaints [Dealer Member Rule 2500B, Section 3]; and various compliance and supervision
requirements, relating to client facing activities, that must be performed by Approved
Persons of the Dealer Member [
Non-core activities of the Dealer Member that are eligible to be outsourced under the
applicable IIROC Dealer Member Rules, and that would not give rise to regulatory concern if
they were outsourced, include the following:
office service management activities;
the procurement of external consultant services; and
human resources management activities.
In some jurisdictions, as discussed below, regulators impose restrictions on the
outsourcing of certain functions where they believe the outsourcing introduces an
unacceptable risk or is critical to the function of an intermediary.
regulators expect that they will have complete access to books and records
concerning an outsourcing firm’s activities, even if such documents are in the
custody of the firm’s service provider. Regulators must also take account of possible
operational and systemic risks that may exist in the event that multiple regulated
entities use a common service provider.
the relevant regulator may impose sanctions and penalties on a regulated entity in its
jurisdiction for violations of statutory and regulatory requirements that resulted in
whole or in part from the failure of a service provider (whether licensed or
unlicensed) to perform its contractual obligations for the outsourcing firm.
Regulatory Action Outsourcing firms should also be aware of and comply with local mechanisms that
may have been put in place to implement these Principles. Such mechanisms may
take the form of government regulation, regulations imposed by non-government
statutory regulators, industry codes or practices, or some combination of these
items.
The outsourcing firm must retain the competence and ability to be able to ensure
that the firm complies with all regulatory requirements. Moreover, outsourcing must
not be permitted to impair the regulator’s ability to exercise its statutory
responsibilities, such as the proper supervision and audit of the firm. Regulators
should also consider the implications that the use of unlicensed service providers
may have on the regulator’s ability to supervise properly securities activities in their
jurisdiction. Such concerns may be heightened in instances where the outsourcing
firm delegates to the service provider the authority to act in the name of the
outsourcing firm.
The regulator, the outsourcing firm, and its auditors should have access to the books
and records of service providers relating to the outsourced activities and the
regulator should be able to obtain promptly, upon request, information concerning
activities that are relevant to regulatory oversight.
Regulator's and
Intermediary’s Access to
Books and Records,
Including Rights of
Inspection.
Other
As set forth in IOSCO Principle 12.7, the regulator should have the right to inspect
books and records of regulated entities. Accordingly, regulators should be able, upon
request, to obtain promptly any books and records pertaining to the regulated
activity, irrespective of whether they are in the possession of the outsourcing firm or
the third party service provider, and to obtain additional information concerning
regulated activities performed by the service provider. A regulator’s access to such
books and records may be direct or indirect, though the outsourcing firm should
always maintain direct access to such books and records. This may include a
requirement that the books and records be maintained in the regulator’s jurisdiction,
or that the service provider agrees to send originals or copies of the books and
records to the regulator’s jurisdiction
upon request. Moreover, in order to facilitate the regulator’s access to books and
records as well as to maintain orderly business operations of the outsourcing firms,
arrangements between outsourcing firms and service providers should seek to
ensure that the outsourcing firms have appropriate access to books and records and
other information where it is in the custody of a third party.
Regulator's and
Intermediary’s Access to
Books and Records,
Including Rights of
Means for Implementation: Contractual provisions by which the outsourcing firm
Inspection.
(including its auditor) has access to, and a right of inspection of, the service
provider's books and records dealing with outsourced activities, and similar access
to the books and records of any subcontractor. Where appropriate, these may
include physical inspections at the premises of the service provider, delivery of books
and records or copies of books and records to the outsourcing firm or
its auditor, or inspections that utilize electronic technology (i.e., “virtual inspections”);
Contractual provisions by which the service provider is required to make books,
records, and other information about regulated activities by the
service provider available to the regulator upon request and, in addition, to comply
with any requirements in the outsourcing firm’s jurisdiction to provide periodic reports
11 IOSCOPD187 to the regulator.
Where appropriate, taking action against outsourcing firms for the failure to provide
books and records required in that jurisdiction, without regard to whether the
regulated entity has transferred possession of required books and records to one or
more of its service providers; Imposing specific requirements concerning access to
books and records that are held by a service provider and which are necessary for
the authority to perform its oversight and supervisory functions with respect to
regulated entities in its jurisdiction. These may possibly include requiring that records
be maintained in the regulator’s jurisdiction, allowing for a right of inspection, or
requiring that the service provider agree to send originals or
copies of the books and records to the regulator’s jurisdiction upon request
The outsourcing firm should take appropriate steps to require that service
providers protect confidential information regarding the outsourcing firm’s proprietary
and other information, as well as the outsourcing firm’s clients from intentional or
inadvertent disclosure to unauthorized individuals. Unauthorized disclosure of
confidential firm and customer information could have a
number of negative consequences. Such unauthorized disclosure could result in
damage to the firm’s reputation, financial losses, and the loss of or risk to proprietary
information (including the firm’s trade secrets). In addition, unauthorized disclosure
could result in the disclosure of private and sensitive information about individuals
Client Confidentiality Issues
who have a reasonable expectation of privacy, and might also result in a material
financial loss to a firm’s customers. In addition to the potential harm to a firm’s
customers, an unauthorized disclosure could also result in the outsourcing firm
having financial liability to its customers and/or its regulators, possibly affecting the
firm’s solvency. Where appropriate, regulators may choose to review the protections
that are in place between the outsourcing firm and the service provider and, in
addition, may choose to review the measures that are in place between a service
provider and its agents that may have an impact on the data and/or its use, so that
there are no unauthorized disclosures among the various service providers.
Other
The key questions seek answers as to whether the critical service provider's policies
and procedures in the identified areas are clear and comprehensive, and how these
are documented, reviewed and updated. A critical service provider may find it
beneficial to disclose its answers to the key questions in the assessment
methodology in order to help authorities, FMIs and, where relevant, their participants
enhance their understanding of the risks involved in using the critical service
provider’s services.
12 IOSCOPD432
The authority of an FMI might have limited direct access to a critical service provider
of that FMI when the critical service provider resides in another country. In such
case, the authority can either convey its requirements through the abovementioned
cross-border supervisory cooperation, or communicate its requirements via the FMI
over which it has authority.
13 REG SP4-57427 NA NA
Other
13 REG SP4-57427 NA NA
A common platform firm must:(1) when relying on a third party for the performance of
operational
functions which are critical for the performance of regulated
activities, listed activities or ancillary services (in this chapter
relevant services and activities) on a continuous and
satisfactory basis, ensure that it takes reasonable steps to avoid
undue additional operational risk;
Without prejudice to the status of any other function, the following
functions will not be considered as critical or important for the purposes
of this chapter:
(1) the provision to the firm of advisory services, and other services
which do not form part of the relevant services and activities of
the firm, including the provision of legal advice to the firm, the
14 FRA-FCA Handbook
training of personnel of the firm, billing services and the security
of the firm's premises and personnel;
(2) the purchase of standardized services, including market information
services and the provision of price feeds ;
[Note: article 13(2) of the MiFID implementing Directive]
(3) the recording and retention of relevant telephone conversations or
electronic communications subject to ¡ COBS 11.8.
If a common platform firm and the service provider are members of the
same group, the firm may, for the purpose of complying with ■ SYSC 8.1.7 R
to ■ SYSC 8.1.11 R and ■ SYSC 8.2 and ■ SYSC 8.3, take into account the
extent to which the common platform firm controls the service provider
or has the ability to influence its actions.
[Note: article 14(4) of the MiFID implementing Directive]
OWG Document NA NA
15
Tier 1: Partial: External Participation – An organization may not have the processes in place
to participate in coordination or collaboration with other entities.
Tier 2: Risk Informed: External Participation – The organization knows its role in the larger
ecosystem, but has not formalized its capabilities to interact and share information
externally.
2.2 Framework
Implementation Tiers
Tier 3: Repeatable: External Participation – The organization understands its dependencies
and partners and receives information from these partners that enables collaboration and
risk-based management decisions within the organization in response to events.
16 NIST Framework Tier 4: Adaptive: External Participation – The organization manages risk and actively shares
information with partners to ensure that accurate, current information is being distributed
and consumed to improve cybersecurity before a cybersecurity event occurs.
Awareness and training Awareness and training measures: Service providers that provide cybersecurity-related
measures services for the organization are informed about the organization’s applicable privacy
policies
Communications (RS.CO):
Response activities are
coordinated with internal and
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader
external stakeholders, as cybersecurity situational awareness
appropriate, to include
external support from law
enforcement agencies.
R Y
A N
C
I
R,A
R,C
R,I
R,A,C
R,C,I
R,A,C,I
A,C
A,C,I
A,I
C,I
N/A