Guidelines on the Outsourcing of Material Functions - Securities ...

PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS 

SUPERVISORY AND REGULATORY GUIDE: OUTSOURCING GUIDELINE 

APPLICABLE LEGISLATION: 

SIA, 2011, 

IFA, 2003, 

FCSPA, 2000. 

DATE ISSUED: MAY 2012 

REFERENCE NUMBER: SPG1-0512 

OUTSOURCING OF MATERIAL FUNCTIONS GUIDELINES 

ISSUED FOR PUBLIC CONSULTATION


PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012 

TABLE OF CONTENTS 

I. INTRODUCTION .................................................................................................................... 3 

II. PURPOSE ............................................................................................................................. 3 

III. APPLICABILITY .................................................................................................................... 3 

IV. EXECUTIVE SUMMARY ...................................................................................................... 4 

V. GENERAL GUIDELINES ON OUTSOURCING FOR REGISTRANTS ................................... 4 

VI. OUTSOURSING OF MATERIAL ACTIVITIES WITH REGARDS TO INVESTMENT FUNDS 

ADMINISTRATORS AND SENIOR MANAGEMENT .................................................................10 

VII. OFFSHORE OUTSOURCING ............................................................................................10 

VIII. THE OUTSOURCING AGREEMENT ................................................................................11 

X. BIBLIOGRAPHY – REFERENCES .......................................................................................13 

ANNEX I ...................................................................................................................................14 

ANNEX II ..................................................................................................................................15 

ANNEX III .................................................................................................................................17 

ANNEX IV .................................................................................................................................18 

ISSUED FOR PUBLIC CONSULTATION 

CONSULTATION ENDS 28 JUNE 2012 

2 | P a g e



I. INTRODUCTION 

The Securities Commission of The Bahamas (“the Commission”) is responsible for the 

administration of the Securities Industry Act, 2011 (SIA, 2011) and the Investment Funds Act, 

2003 (IFA, 2003), pursuant to which it supervises and regulates the activities of the investment 

funds, securities and capital markets. The Commission, having been appointed Inspector of 

Financial and Corporate Service Providers January 1, 2008, is also responsible for 

administering the Financial and Corporate Service Providers Act, 2000 (FCSPA 2000). 

The Commission’s mandate is to formulate principles to regulate and govern investment funds, 

securities and capital markets; maintain surveillance over investment funds, securities and 

capital markets ensuring orderly, fair and equitable dealings; create and promote conditions to 

ensure orderly growth and development of capital markets; and to advise the Minister of 

Finance regarding investment funds, securities and capital markets. In executing its mandate 

the Commission issues regulatory tools to facilitate the authorization of registrants and 

licensees, and compliance with their ongoing supervisory requirements. 

II. PURPOSE 

These guidelines will outline the minimum standards and principals that registrants are required 

to follow in relation to outsourcing and identify the major issues to be considered and the 

obligations of registered firms when entering into outsourcing agreements. 

III. APPLICABILITY 

Pursuant to Regulation 44 all regulated firms registered under Part V & VI of the SIA 2011, the 

IFA 2003 and the FCSPA 2000 should give notice to the Commission of its intent to enter into 

an outsourced arrangement and ensure that such arrangement complies with the standards 

detailed in the guideline. An entity seeking to apply this guideline should seek clarification from 

the Commission on any of the requirements. 

These guidelines apply to all material outsourcing arrangements. Registrants should review 

all outsourced arrangements that pre-existed the guideline to assess compliance with the 

standards. Where deficiencies are observed, registrants should immediately seek to rectify 

those deficiencies. Where the required changes cannot be made until the next contract period, 

the Commission expects that the registrant would have in place measures to mitigate against 

any potential risks. The firms should have in place an Action Plan identifying those steps that 

will be taken to address all deficiencies and the timing of such actions. Such a plan should be 

submitted to the Commission within one month of the issuance of this guideline for any existing 

arrangements with deficiencies and every time a deficiency is identified following a review 

(internal or external reviews.) Additionally, registrants should, within (6) six months of the 

issuance of this guideline, ensure that a notice on all material outsourcing arrangements is 

submitted to the Commission. 

For the purpose of this guideline, a material function will be defined as a function that has the 

potential to have a critical impact—both qualitative and quantitative—on a significant line of 

business of the registrant. Section VIII of this guideline sets out the assessment methodology 



3 | P a g e



for materiality. Applicants who may be uncertain as to whether a business activity that is to be 

outsourced would be regarded as “material” for the purposes of these guidelines should seek 

direction from the Commission. 

IV. EXECUTIVE SUMMARY 

Outsourcing is a significant component of the management of business by modern companies 

as it facilitates the rationalization of resources, people, material and funds. Registrants may 

seek to outsource functions so as to reduce costs, improve the quality of service to its clients, or 

centralize activities. However, it is important to ensure the delegation of functions does not 

reduce the protection available to investors, or result in or cause non-compliance with the 

legislation and regulatory requirements. 

The management of outsourcing has been a concern for many regional and international 

jurisdictions, resulting in the development of rules by the various regulators to govern this area. 

The International Organization of Securities Commissions (IOSCO) released principles to guide 

the management of outsourcing. These principles emphasize; 

conducting due diligence when selecting service providers and monitoring their 

performance; 

having a contract with the service provider; 

ensuring that service providers have adequate business continuity plans; 

specifying requirements for the security and confidentiality of information; 

ensuring termination provisions are in place; and 

ensuring that there is access to the books and records by the regulators and the client. 

These proposed Outsourcing <strong>Guidelines</strong> is in compliance with IOSCO Principals and have also 

been adapted by other international and regional jurisdictions. A review of (10) ten international 

and regional jurisdictions 1 revealed that outsourced arrangements are managed in many 

different ways. Most jurisdictions required outsourcing arrangements to be subject to the fit and 

proper requirements and an assessment of the service provider’s ability and willingness to 

perform the outsourced functions. Outsourcing arrangements are also permitted under their 

general rules that govern the initial authorization of the market and require the institution to seek 

specific regulatory approval before a function can be outsourced. 

V. GENERAL GUIDELINES ON OUTSOURCING FOR REGISTRANTS 

(1) What can be outsourced - Outsourcing arrangements must be limited to activities that are 

considered “material” or “core” to the business of the market. In addition to considering the 

materiality of the outsourcing arrangement to the market's core business, it has been identified, 

1 Australia, Barbados, Canada, Hong Kong, India, Jamaica, Malaysia, Singapore, the United Kingdom, and the 

United States 



4 | P a g e



that among others, the following factors should be considered when assessing outsourcing 

arrangements. 

• potential risks to the regulatory objectives of maintaining fair, orderly and 

transparent markets; 

• potential impact on price formation; 

• potential negative impacts on investor protection; 

• potential threats to the jurisdiction’s clearance and settlement system; 

This assessment should be used to protect the interests of clients and to ensure operational 

procedures and controls are in line with the registrant’s day-to-day operation. 

(2) Confidentiality - The registrant should take appropriate steps to ensure that service 

providers protect confidential information regarding the firm’s proprietary and other information, 

as well as their clients or investors from intentional or inadvertent disclosure to unauthorized 

individuals. To facilitate this; 

Registrants must take appropriate steps to confirm that confidential firm information is 

not misused or misappropriated. Provisions should be made in the contract to prohibit 

the outsourcing service provider and any subcontracted providers from using or 

disclosing the outsourcing firm’s proprietary information, except as necessary to provide 

the contracted services. 

Registrants should have controls in place to ensure that the requirements of customer 

data confidentiality are observed and proper safeguards are established to protect the 

integrity and confidentiality of customer information. 

Registrants should not undertake outsourcing arrangements that may result in the 

disclosure of client information to the service provider or any subcontracted provider 

without the prior consent of the client. 

Registrants should consider whether it is appropriate to notify customers that customer 

data may be transmitted to a service provider or a subcontracted provider, taking into 

account any regulatory or statutory provisions that may be applicable. Where registrants 

choose not to inform customers, registrants must be prepared to accept all resulting 

liability issues. 

(3) Governance - The ultimate responsibility and accountability for the proper management of 

the outsourced function and the associated risks of outsourcing remains with the registrant. The 

Board and senior management should ensure that there is an appropriate risk management 

framework for the management of outsourcing arrangements. 

Outsourcing cannot transfer the risks to the service provider and as such, firms should ensure 

that all risks associated with the activity are managed to the same extent that would be required 

if the activity was conducted in-house. 



5 | P a g e



The Board of Directors or delegated committee should; 

• Review and approve the policies governing outsourcing and review compliance 

against the policies on a regular basis; 

• Approve all material outsourcing arrangements; 

• Ensure that outsourcing arrangements are included in the scope of work of the 

audit function. Auditors should regularly review and report on compliance of the 

arrangement with applicable terms and conditions of the outsourcing agreement. 

All outsourcing arrangements must comply with all statutory requirements inter alia, 

requirements on anti-money laundering, and record keeping. A statement to this effect 

should be included in the Annual update. 

Registrants must be prepared to resume direct control of the outsourced activity in the 

event that it can no longer be outsourced. 

The registrant should have policies and procedures in place to address the additional 

risks arising from outsourcing a business activity. 

When a material outsourcing arrangement results in services being provided outside The 

Bahamas, registrants must address additional concerns linked to the economic and 

political environment, technological sophistication, and the legal and regulatory risk 

profile of the foreign jurisdiction(s), if any. 

A centralized list of all material outsourcing arrangements should be maintained. This list 

should contain relevant information namely, the name of the service provider, the location where 

the services are being provided, the expiry or renewal date of the contract or outsourcing 

agreement and the value of the contract or outsourcing agreement. The list should be updated 

when agreements are being amended, renewed, or terminated and should be a part of the 

senior management’s report. 

(4) Due Diligence - The registrant should conduct appropriate due diligence in selecting service 

providers. When renewing a contract or outsourcing arrangement, Registrants need to ensure 

that the outsourced firm has the ability, capacity and authorization required by law to perform 

the outsourced activities reliably and professionally. The due diligence process should include, 

(but is not limited to) an assessment of the: 

• financial soundness to perform the outsourcing assignment; 

• technical competence of the service provider to deliver the required services; 

• service provider’s internal control, reporting and monitoring environment; 

• business reputation, complaints, and pending litigation; 

• business continuity arrangements and contingency plans; 

• reliance on and success in dealing with subcontractors; 

• insurance coverage; 

• business objectives; and 



6 | P a g e



• human resource policies, service philosophies, business culture, and how they fit 

with those of the registrant. 

The due diligence process should be undertaken initially during the selection period and 

periodically as an ongoing monitoring initiative. The registrant should ensure that the 

information used for due diligence evaluation is current and should not be more than 

(12) twelve months old. 

Where the proposal to outsource to a third party (i.e. to an entity not affiliated or related 

to the registrant) the third party should be an entity in a jurisdiction acceptable to the 

Commission. It is expected that the due diligence conducted on the third party will 

include an assessment to ensure that the third party meets the ‘fit and proper’ criteria 

that is applied by the Commission to the registrant. It is the role of the compliance 

department or a compliance officer, and internal auditor, to ensure that the activities 

undertaken by third party providers, adheres to the regulated firm’s outsourcing policy. 

The due diligence process should have a clearly defined metrics, that will specify what 

the service level standards are, measure the service level against these standards and 

specify what service levels are required. There should also be a mechanism to identify 

and report instances of non-compliance or unsatisfactory performance to the outsourcing 

firm as well as the ability to assess the quality of services performed by the service 

provider on a regular basis. 

In assessing the effectiveness of the service provider the registered firm should 

consider; 

• the impact of the outsourcing arrangement on the finances, reputation and 

operations of the firm; 

• its ability to maintain important controls and meet supervisory regulatory 

requirements; 

• the cost of outsourcing the service; and 

• the degree of difficulty and time required to find an alternative service provider or 

return the outsourced activity in-house. (See XIII Annex III for additional 

information for conformity to IOCSO’s Principles on outsourcing of financial 

services for market intermediaries) 

(5) Anti-Money Laundering Requirements - Registrants must satisfy the Commission that 

outsourcing arrangements will not violate any statutory/prudential requirements on anti-money 

laundering or record keeping procedures. 

(6) Business Contingency and Continuity Arrangements - The registrant and its outsourced 

service providers should establish and maintain contingency and continuity plans. These plans 

should include disaster recovery and periodic testing of back-up facilities. Where a material 

function is outsourced, the registrant should ensure that its business continuity arrangements 

address foreseeable situations (either temporary or permanent) when the arrangement is 



7 | P a g e



suddenly terminated or when the service provider is unable to fulfill its obligations under the 

outsourcing agreement for any reason. In particular, a registrant should make provision in its 

business continuity arrangements for the retention of information 2 , ready access to all records 

necessary to allow it to sustain business operations, meet its statutory obligations, and provide 

such information as may be required by the Commission, to exercise its regulatory powers or 

perform its supervisory functions. (See XIII Annex III for additional information for conformity to 

IOCSO’s Principles on outsourcing of financial services for market intermediaries.) 

(7) Termination and Exit Management - Registrants should have a termination and exit 

management process in place in the event that an outsourced function is discontinued. 

Registrants are expected to take appropriate steps to manage all termination of 

outsourcing arrangements. These should include exit strategies to allow transfer of 

service, client data, and any other resources to another service provider or to the 

regulated firm itself. Provision of termination rights may include (but are not limited to) 

cases of the following; 

• insolvency; 

• liquidation or receivership; 

• change of ownership 

• failure to comply with regulatory requirements; and/or 

• poor performance. 

Registrants should submit a written notice to the Commission of dismissal or 

cancellation advising that it intends to terminate an outsourced arrangement within (30) 

thirty days before the final announcement of the termination. 

Registrants should require cooperation of the service provider upon termination. This 

cooperation should be clearly stated in the outsourcing arrangements that details the 

acquisition of full access to any relevant systems and documentations held at the 

outsourced firm relating to the activities carried out on behalf of the registrant. 

(8) Approval process for Outsourcing by the Commission - Registrants must inform the 

Commission in writing of any activity to be outsourced. 

Prior to entering into an agreement notification should be made to the Commission 

within (60) sixty days, to consider the proposal and must include, at a minimum, the 

following information; 

• the activities to be outsourced; 

• the name of the outsourcing service provider (indicating whether this firm is part 

of the registered firm’s group and its regulatory status, if any); and 

2 SIR Sec 20 Records location and retention requirement 



8 | P a g e



• the location where the outsource activity will be carried out whether in the 

Bahamas or outside of the Bahamas. 

The registrant must submit a written confirmation to the Commission from senior 

management stating that best practice has been utilized in the selection of the 

outsourced service provider, ensuring that the outsourcing of material functions 

guidelines have been followed and in line with the proposed outsourced activity. 

The Commission may impose, at its discretion, specific conditions on the outsourcing 

activities, in addition to those outlined in the guidelines. 

A written No Objection response to registrants should be received within (30) thirty days 

from the Commission. Should the Commission be satisfied with the registrant 

outsourcing the activity, the outsourcing agreement and the outsourced service provider, 

the agreement should be approved. 

The Commission should object by written response within (30) thirty days, to the 

following; 

• a proposed outsourcing arrangement; 

• the continued use of an outsourced service provider; or 

• to require the outsourcing arrangement to be terminated. 

(9) Access to Books, Records and Premises - The Commission, and the auditors of the 

registrant should have access to the books and records of the outsourced service provider 

relating to the activities outsourced. Additionally, the Commission may at any time conduct onsite 

inspections of the business. 3 Pursuant to Regulation 44 of the SIR 2012, the Commission is 

also permitted access to any information concerning the activities carried out on behalf of the 

registered firm, as if those records and information were held at the registered firm. 

Registrants should provide by way of contractual agreement with service providers, the 

Commission having access to books, records and outsourcing service providers in 

relation to outsourced activities. It should be ensured that the Commission has the right 

to obtain upon request, information regarding outsourced activities. 

Registrant’s contractual agreements should also provide for the registrant and its auditor 

to have access to and the rights to inspect the service provider’s books and records 

relating to the outsourced function. Where appropriate, the inspection can be performed 

by way of physical inspection at the service provider premises, or by way of delivery of 

books and records to the registrant or auditor. 

3 SIA 2011 Sec 45 (1) Compliance inspections – regulated persons 



9 | P a g e



The Commission should be notified if a service provider has plans to chain outsource 

any material functions of a registrant to another service providing entity. The 

Commission, the registrant and the auditor must also be granted access to the books 

and records of the subcontracted service provider. 

Registrants should notify the Commission of any adverse developments arising in 

outsourcing that could significantly affect their operations, including any event that could 

potentially lead to termination and early exit from the outsourcing arrangement; and 

provide such information as may be required by the Commission to exercise its 

regulatory powers or perform its supervisory functions. 

VI. OUTSOURSING OF MATERIAL ACTIVITIES WITH REGARDS TO INVESTMENT FUNDS 

ADMINISTRATORS AND SENIOR MANAGEMENT 

Administrators and senior managers of investment funds should not be permitted to 

outsource core administration activities such as – 

• strategic oversight; and 

• internal audit function; 

VII. OFFSHORE OUTSOURCING 

In addition to the general due diligence process outlined in Sec (4) of these guidelines, the 

Commission, in assessing whether to approve an application to outsource offshore material 

functions it should be expected, that the Board consider the risks which could arise from 

material functions being operated offshore, to include; 

country risk - the risk that overseas economic, political and/or social events which 

could impact upon the ability of the overseas service provider to continue to provide an 

outsourced service to the registrants; 

compliance (legal) risk - the risk that offshore arrangements will impact upon the 

registrant’s ability to comply with relevant Bahamian and overseas laws and regulations. 

contractual risk - the risk associated with registrant’s ability to enforce the offshore 

agreement may be limitedly or completely hindered; 

access risk - the risk relating to the Commission obtaining information and to retain 

records, is partly or completely hindered. This risk also refers to the potential difficulties 

or inability of the Commission to access the service provider and the material business 

activity being conducted. 

Where The Commission approves the offshore arrangement, these risks stated above should 

also be considered when conducting the ongoing monitoring and control of the material 

function/s. 

There are some specific risk management considerations that should be exercised when 

assessing, monitoring and controlling material functions outsourced to service providers when 

conducting the activities outside of The Bahamas. These considerations that registrants should 



10 | P a g e



consider with regards to the provisions in the outsourcing agreement should include (but are not 

limited to); 

Choice of law - Contracts should specify under which particular jurisdiction, contractual 

disputes will be resolved. The due diligence process should include an examination of 

the relevant overseas legislation and regulations by a suitably qualified expert to ensure 

that contractual provisions are recognized by the overseas jurisdiction and are able to be 

enforced in the chosen jurisdiction. 

Security and confidentiality of information - Registrants should ensure that 

contractual provisions in relation to data are of the same standard as those required of a 

domestic service provider and in accordance with requirements under Bahamian 

legislation and regulations. Contracts should also ensure that all information forwarded 

to the service provider by the registrant (as well as any information forwarded by the 

service provider to third parties in the course of providing that service, such as to a backup 

disaster recovery provider) remains the property of the registrant. 

Access to information/persons - Any agreement with a service provider should not 

restrict access to information by the Commission, external auditors, independent third 

parties or representatives of the registrant for the purposes of confirming the 

performance of the risk management systems. Legal due diligence undertaken prior to 

the execution of the contract should also ensure that there are no legal impediments to 

the Commission’s access to information and/or relevant persons employed by the 

Commission or service provider for the purposes of examining the organization in 

relation to the regulation of the registrant’s activities. Records should be maintained by 

the registrant in a Bahamian office and in English. These records should include (but 

are not limited to); 

• copies of the contractual agreement; 

• copies of the due diligence assessment and 

• copies of financial statements, reports and any other information the 

registrant/licensee considers critical to the ongoing monitoring and control of the 

outsourcing arrangement with the service provider. 

VIII. THE OUTSOURCING AGREEMENT 

The Commission expects that the outsourcing arrangement undertaken by way of construction 

be detailed and appropriate to the materiality of the outsourced activity and to the business of 

the outsourcing firm. The level of detail to the contents of the written agreement should reflect 

the level of monitoring, assessment, inspection, auditing required, the risks, the size and 

complexity of the outsourced service. Additionally the Commission expects the arrangement to 

be; 

A legally binding written document between the registrant and the outsourcing service 

provider stating clearly the defined activities and responsibilities to be outsourced by the 

registrant and service provider. 



11 | P a g e



Registrants should consider adopting measures to ensure that such agreements remain 

up-to-date and accurate and reflect the arrangements that are actually in operation. 

The contract at a minimum, should include, (but is not limited to) the following provisions; 

• defining the responsibilities of the registrant and the outsourcing service provider; 

• access to the records and information held by the outsourced agent/s; 

• audit and monitoring procedures; 

• legal compliance; 

• time limitations; 

• fees and payment structure; 

• firm and client confidentiality and security; 

• insurance, guarantees and indemnities; 

• business continuity provisions; 

• termination of contract, transfer of information and exit strategies; 

• Subcontracting, including the limitations or conditions, the extent it is permitted, 

and further obligations; 

• dispute settlement mechanism for cross-border outsourcing should be 

determined by the country’s law that governs the relationship within that 

particular jurisdiction and be outlined in the agreement procedures; and 

• obligation of the outsourced service provider, to provide, upon request records, 

information and/or any assistance concerning the outsourced activity to the 

registrant, its auditors and the Commission once it has received consent from its 

home supervisor to do so. 



12 | P a g e



X. BIBLIOGRAPHY – REFERENCES 

http://www.mas.gov.sg/resource/legislation_guidelines/risk_mgt/Outsourcing%20<strong>Guidelines</strong>.pdf 

http://www.osfi bsif.gc.ca/app/DocRepository/1/eng/guidelines/sound/guidelines/b10_e.pdf 

http://www.centralbankbahamas.com/download/065303200.pdf 

http://www.iosco.org/library/pubdocs/pdf/IOSCOPD299.pdf 

http://www.mas.gov.sg/resource/publications/consult_papers/2004/CP%20- 

%20<strong>Guidelines</strong>%20on%20Outsourcing%20120304%20Final.pdf 

http://www.iosco.org/library/statements/pdf/statements-9.pdf 

http://www.fsc.gi/download/adobe/GuidanceNote-Outsourcing.pdf 

http://www.bis.org/publ/joint12.pdf 

http://www.sc.com.my/eng/html/resources/guidelines/stockbroking/GL_outsourcing_110809.pdf 

http://www.fsa.go.jp/inter/ios/20090325/02.pdf 

http://www.centralbank.org.bb/Financial/Outsourcing_Guideline.pdf 

http://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisorypolicy-manual/SA-2.pdf 

http://www.sebi.gov.in/commreport/outsourcing.pdf 



13 | P a g e



ANNEX I 

Administrator: - a company that has been licensed by the Commission under the International 

Financial Authority (IFA) as a restricted or unrestricted investment fund administrator. 

Chain Outsourcing: - outsourcing where the outsourcing service provider subcontracts 

elements of the service to other providers. 

Core Investment Activities: - the final checking and release of the investment funds’ net asset 

value calculation and the maintenance of the shareholder register. 

Material activities: - 

• activities of such importance that any weakness or failure in the provision of 

these activities could have a significant effect on the regulated firm’s ability to 

meet its regulatory responsibilities and/or to continue in business; 

• key systems without which a regulated firm would be unable to deliver services to 

its clients, e.g. the sole means of providing a service; 

• any other activities requiring a license or authorization from the Commission; 

• any activity having a significant impact on a regulated firm’s risk management; 

and 

• the management of risks relating to these activities. 

In any case, what is considered as a critical or important function varies according to the 

circumstances and nature of the regulated firm and the specific arrangements contemplated. 

Outsourcing: - a registered firm entering into an arrangement with a third party service provider 

whereby that service provider will undertake a material business function, activity or process on 

behalf of the registered firm, which currently is, or could be undertaken by the registrant itself. 

Outsourcing Firm: - a registrant of the Commission that is the purchaser of the good, service, 

or facility provided by an outsourcing service provider. 

Outsourcing Service Provider: - the supplier of goods, services or facilities, and/or an 

affiliated entity within a registrant’s corporate group, or which may not be affiliated with the 

registrant or regulated by the Commission. 

Senior Management: - persons who effectively direct the business of a registered firm, this 

includes the firm’s board of directors and other persons who effectively direct the business of 

the firm. 

Registrant: - licensed and registered firms of the Commission. 



14 | P a g e



ANNEX II 

The outsourcing arrangements covered by these guidelines may involve the following areas: 

• Information technology – management and maintenance of systems (e.g., data entry 

and processing, applications development, programming, and coding); 

• Document processing (e.g., cheques, credit cards, bill payments); 

• Management of investments (e.g., portfolio management); 

• Research and marketing (e.g., product development, media relations, call centres, 

telemarketing); 

• Back office management (e.g., payroll processing, transactions and payment 

processing); 

• Professional services related to the business activities of the financial institution (e.g., 

internal audits, actuarial services, accounting); 

• Human resources (e.g., recruitment); 

However, these guidelines do not apply to the following: 

Courier services, regular mail, utilities, telephone; 

Procurement of specialized training; 

Discrete advisory services (e.g., legal services, certain investment advisory services that 

do not result directly in investment decisions, independent appraisals, trustees in 

bankruptcy); 

Purchase of goods, wares, commercially available software and other commodities; 

Independent audit reviews; 

Credit background and background investigation and information services; 

Market information services (e.g., Bloomberg, Moody’s); 

Independent consulting; 

Services the financial institution is not legally able to provide; 



15 | P a g e



Printing services; 

Repair and maintenance of fixed assets; 

Supply and service of leased telecommunication equipment; 

Travel agency and transportation services; 

Maintenance and support of licensed software; 

Temporary help and contract personnel; 

Specialized recruitment; 

External conferences; 

Clearing and settlement arrangements between members or participants of recognized 

clearing and settlement systems; 



16 | P a g e



ANNEX III 

Continuity at the Outsourcing Firm (IOSCO’S PRINCIPLES ON OUTSOURCING OF 

FINANCIAL SERVICES FOR MARKET INTERMEDIARIES) 

Means for Implementation 

Outsourcing firms are expected to take appropriate steps to require, in appropriate cases based 

on the materiality of the function that is being outsourced, that service providers have in place a 

comprehensive program. 

Specification of the security requirements of automated systems to be used by the 

service provider, including the technical and organizational measures that will be taken 

to protect firm and customer-related data. Appropriate care should be exercised to 

ensure that IT security protects the privacy of the outsourcing firm’s customers as 

mandated by law: 

Requirements that the service provider maintain appropriate measures to ensure 

security of both the outsourcing firm’s software as well as any software developed by the 

service provider for the use of the outsourcing firm; 

Specification of the rights of each party to change or require changes to security 

procedures and requirements and of the circumstances under which such changes 

might occur; 

Provisions that address the service provider’s emergency procedures and disaster 

recovery and contingency plans as well as any particular issues that may need to be 

addressed where the outsourcing firm is utilizing a foreign service provider. Where 

relevant, this may include the service provider’s responsibility for backing up and 

otherwise protecting program and data files, as well as regulatory reporting; 

Where appropriate, terms and conditions relevant to the use of subcontractors with 

respect to IT security, and appropriate steps to minimize the risks arising out of such 

subcontracting; 

Where appropriate, requirement of testing by the service provider of critical systems and 

back-up facilities on a periodic basis in order to review the ability of the service providers 

to perform adequately even under unusual physical and/or market conditions at the 

outsourcing firm, the service provider, or both, and to determine whether sufficient 

capacity exists under all relevant conditions; 

Requirement of disclosure by the service provider of breaches in security resulting in 

unauthorized intrusions (whether deliberate or accidental, and whether confirmed or not) 

that may affect the outsourcing firm or its customers, including a report of corrective 

action taken; and 

Provisions in the outsourcing firm’s own contingency plans that address circumstances 

in which one or more of its service providers fail to adequately perform their contractual 

obligations. Where relevant, this may include reporting by the outsourcing firm to its 

regulator. The outsourcing firm may need to require contractually information from the 

service provider to fulfill this obligation. 



17 | P a g e



ANNEX IV 

Due diligence in selection and monitoring of service provider and service provider's 

performance (IOSCO’S PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR 

MARKET INTERMEDIARIES) 

Means for Implementation 

Documenting processes and procedures that enable the outsourcing firm to assess, 

prior to selection, the third party service provider’s ability and capacity to perform the 

outsourced activities effectively, reliably, and to a high standard, including the service 

provider’s technical, financial and human resources capacity, together with any potential 

risk factors associated with using a particular service provider. 

Documenting processes and procedures that enable the outsourcing firm to monitor the 

third party service provider's performance and compliance with its contractual 

obligations, including processes and procedures that: 

• Clearly define metrics that will measure the service level, and specify what 

service levels are required; and 

• Establish measures to identify and report instances of non-compliance or 

unsatisfactory performance to the outsourcing firm as well as the ability to assess 

the quality of services performed by the service provider on a regular basis (see 

also topic 2). 

Implementing processes and procedures designed to help ensure that the service 

provider is in compliance with applicable laws and regulatory requirements in its 

jurisdiction, and that where there is a failure to perform duties required by statute or 

regulations, the outsourcing firm, to the extent required by law or regulation, reports the 

failure to its regulator and/or self regulatory organization and takes corrective actions.5 

For example, procedures may include: 

• The use of service delivery reports and the use of internal and external auditors 

to monitor, assess, and report to the outsourcing firm on performance; 

• The use of written service level agreements or the inclusion of specific service 

level provisions in contracts for service to achieve clarity of performance targets 

and measurements for third party service providers. 

With respect to outsourcing on a cross-border basis, in determining whether the use of a 

foreign service provider is appropriate, the outsourcing firm may, with respect to a 

function that is material to the firm, need to conduct enhanced due diligence that focuses 

on special compliance risks, including the ability to effectively monitor the foreign service 

provider, the ability to maintain the confidentiality of firm and customer information; and 

the ability to execute contingency plans and exit strategies where the service is being 

performed on a cross-border basis. 



18 | P a g e



The Securities Commission of The Bahamas 

3rd Floor, Charlotte House 

Charlotte Street 

P.O. Box N- 8347 

By fax to: (242) 356-6291/2 

By email to: info@scb.gov.bs 

Website: www.scb.gov.bs 



19 | P a g e

Guidelines on the Outsourcing of Material Functions - Securities ...

Create successful ePaper yourself

Delete template?

Save as template?