The Joint Forum, a consortium of banking, securities and insurance sector organizations, just released a 28-page PDF document titled, "Outsourcing in Financial Services," which spells out the risks that outsourcing poses to financial sector companies. The report offers a set of nine principles outlining the issues that should be considered. The first seven cover the responsibilities of regulated entities when they outsource their activities. The last two cover regulatory roles and responsibilities.
1. A regulated entity seeking to outsource activities should have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced. The board of directors or equivalent body retains responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.
2. The regulated entity should establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the service provider.
3. The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by regulators.
4. The regulated entity should conduct appropriate due diligence in selecting third-party service providers.
5. Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.
6. The regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.
7. The regulated entity should take appropriate steps to require that service providers protect confidential information of both the regulated entity and its clients from intentional or inadvertent disclosure to unauthorised persons.
8. Regulators should take into account outsourcing activities as an integral part of their ongoing assessment of the regulated entity. Regulators should assure themselves by appropriate means that any outsourcing arrangements do not hamper the ability of a regulated entity to meet its regulatory requirements.
9. Regulators should be aware of the potential risks posed where the outsourced activities of multiple regulated entities are concentrated within a limited number of service providers.
You can read the expanded explanations for each principle in the source document. (Some of them, such as number 7, on protecting confidential data, are truly slim pickin's.) But here, let's look at number 5, on written contracts, which provides a fairly well-rounded outline for any type of contract on outsourcing.
The full write-up says:
Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.
Outsourcing arrangements should be governed by a clearly written contract, the nature and detail of which should be appropriate to the materiality of the outsourced activity in relation to the ongoing business of the regulated entity. A written contract is an important management tool and appropriate contractual provisions can reduce the risk of non-performance or disagreements regarding the scope, nature and quality of the service to be provided. Some key provisions of this contract would be that:
The contract should clearly define what activities are going to be outsourced, including appropriate service and performance levels. The service provider’s ability to meet performance requirements in both quantitative and qualitative terms should be assessable in advance;
The contract should neither prevent nor impede the regulated entity from meeting its respective regulatory obligations, nor the regulator from exercising its regulatory powers;
The regulated entity must ensure it has the ability to access all books, records and information relevant to the outsourced activity in the service provider;
The contract should provide for the continuous monitoring and assessment by the regulated entity of the service provider so that any necessary corrective measures can be taken immediately;
A termination clause and minimum periods to execute a termination provision, if deemed necessary, should be included. The latter would allow the outsourced services to be transferred to another third-party service provider or to be incorporated into the regulated entity. Such a clause should include provisions relating to insolvency or other material changes in the corporate form, and clear delineation of ownership of intellectual property following termination, including transfers of information back to the regulated entity (see principle VI below) and other duties that continue to have an effect after the termination of the contract;
Material issues unique to the outsourcing arrangement should be meaningfully addressed. For example, where the service provider is located abroad, the contract should include choice-of-law provisions and agreement covenants and covenants that provide for adjudication of disputes between the parties under the laws of a specific jurisdiction;
The contract should include, where appropriate, conditions of subcontracting by the third-party service provider for all or part of an outsourced activity. In cases it should require approval by the regulated entity of the use of subcontractors by the third-party service provider for all or part of a serviced activity or activity delivered. More generally, the contract should provide the regulated entity with the ability to maintain a similar control over the risks when a service provider outsources to other third parties as in the original direct outsourcing arrangement.