October 27, 2021
The Board of the International Organization of Securities Commissions (IOSCO) today published a set of updated outsourcing principles for regulated entities that outsource tasks to service providers.
Since the publication of IOSCO´s principles on outsourcing for market intermediaries in 2005 and for markets in 2009, new developments in markets and technology have focused regulatory attention on risks related to outsourcing and the need to ensure the operational resilience of regulated entities.
Moreover, the effects of the COVID-19 highlight the need to maintain business continuity in situations where external and often unforeseen shocks impact firms and their service providers.
The updated Principles on Outsourcing are based on the earlier Outsourcing Principles for Market Intermediaries and for Markets, but their application has been expanded and now includes trading venues, intermediaries market participants acting on a proprietary basis and credit rating agencies. 1 While financial market infrastructures (FMIs) are outside the scope of the Principles, FMIs may consider applying the Principles. IOSCO will be engaging with the CPMI on these outsourcing issues as part of the future joint CPMI-IOSCO work programme.
The revised principles comprise a set of fundamental precepts and seven principles.
The fundamental precepts cover issues such as the definition of outsourcing, the assessment of materiality and criticality, their application to affiliates, the treatment of sub-contracting and outsourcing on a cross-border basis.
The seven principles set out expectations for regulated entities that outsource tasks and include guidance for implementation. The principles cover the following areas:
• Due diligence in the selection and monitoring of a service provider and its performance • The contract with a service provider
• Information security, business resilience, continuity and disaster recovery
• Confidentiality Issues
• Concentration of outsourcing arrangements
• Access to data, premises, personnel and associated rights of inspection
• Termination of outsourcing arrangements
The Report also briefly addresses the impact of COVID-19 on outsourcing and operational resilience and includes an annex that describes how outsourcing integrates with cloud computing and how CRAs use and incorporate outsourcing and cloud computing in their organizational strategies and structures.