Guidelines on the Outsourcing of Material Functions - Securities ...
Guidelines on the Outsourcing of Material Functions - Securities ...
Guidelines on the Outsourcing of Material Functions - Securities ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
SUPERVISORY AND REGULATORY GUIDE: OUTSOURCING GUIDELINE<br />
APPLICABLE LEGISLATION:<br />
SIA, 2011,<br />
IFA, 2003,<br />
FCSPA, 2000.<br />
DATE ISSUED: MAY 2012<br />
REFERENCE NUMBER: SPG1-0512<br />
OUTSOURCING OF MATERIAL FUNCTIONS GUIDELINES<br />
ISSUED FOR PUBLIC CONSULTATION
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
TABLE OF CONTENTS<br />
I. INTRODUCTION .................................................................................................................... 3<br />
II. PURPOSE ............................................................................................................................. 3<br />
III. APPLICABILITY .................................................................................................................... 3<br />
IV. EXECUTIVE SUMMARY ...................................................................................................... 4<br />
V. GENERAL GUIDELINES ON OUTSOURCING FOR REGISTRANTS ................................... 4<br />
VI. OUTSOURSING OF MATERIAL ACTIVITIES WITH REGARDS TO INVESTMENT FUNDS<br />
ADMINISTRATORS AND SENIOR MANAGEMENT .................................................................10<br />
VII. OFFSHORE OUTSOURCING ............................................................................................10<br />
VIII. THE OUTSOURCING AGREEMENT ................................................................................11<br />
X. BIBLIOGRAPHY – REFERENCES .......................................................................................13<br />
ANNEX I ...................................................................................................................................14<br />
ANNEX II ..................................................................................................................................15<br />
ANNEX III .................................................................................................................................17<br />
ANNEX IV .................................................................................................................................18<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
2 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
I. INTRODUCTION<br />
The <strong>Securities</strong> Commissi<strong>on</strong> <strong>of</strong> The Bahamas (“<strong>the</strong> Commissi<strong>on</strong>”) is resp<strong>on</strong>sible for <strong>the</strong><br />
administrati<strong>on</strong> <strong>of</strong> <strong>the</strong> <strong>Securities</strong> Industry Act, 2011 (SIA, 2011) and <strong>the</strong> Investment Funds Act,<br />
2003 (IFA, 2003), pursuant to which it supervises and regulates <strong>the</strong> activities <strong>of</strong> <strong>the</strong> investment<br />
funds, securities and capital markets. The Commissi<strong>on</strong>, having been appointed Inspector <strong>of</strong><br />
Financial and Corporate Service Providers January 1, 2008, is also resp<strong>on</strong>sible for<br />
administering <strong>the</strong> Financial and Corporate Service Providers Act, 2000 (FCSPA 2000).<br />
The Commissi<strong>on</strong>’s mandate is to formulate principles to regulate and govern investment funds,<br />
securities and capital markets; maintain surveillance over investment funds, securities and<br />
capital markets ensuring orderly, fair and equitable dealings; create and promote c<strong>on</strong>diti<strong>on</strong>s to<br />
ensure orderly growth and development <strong>of</strong> capital markets; and to advise <strong>the</strong> Minister <strong>of</strong><br />
Finance regarding investment funds, securities and capital markets. In executing its mandate<br />
<strong>the</strong> Commissi<strong>on</strong> issues regulatory tools to facilitate <strong>the</strong> authorizati<strong>on</strong> <strong>of</strong> registrants and<br />
licensees, and compliance with <strong>the</strong>ir <strong>on</strong>going supervisory requirements.<br />
II. PURPOSE<br />
These guidelines will outline <strong>the</strong> minimum standards and principals that registrants are required<br />
to follow in relati<strong>on</strong> to outsourcing and identify <strong>the</strong> major issues to be c<strong>on</strong>sidered and <strong>the</strong><br />
obligati<strong>on</strong>s <strong>of</strong> registered firms when entering into outsourcing agreements.<br />
III. APPLICABILITY<br />
Pursuant to Regulati<strong>on</strong> 44 all regulated firms registered under Part V & VI <strong>of</strong> <strong>the</strong> SIA 2011, <strong>the</strong><br />
IFA 2003 and <strong>the</strong> FCSPA 2000 should give notice to <strong>the</strong> Commissi<strong>on</strong> <strong>of</strong> its intent to enter into<br />
an outsourced arrangement and ensure that such arrangement complies with <strong>the</strong> standards<br />
detailed in <strong>the</strong> guideline. An entity seeking to apply this guideline should seek clarificati<strong>on</strong> from<br />
<strong>the</strong> Commissi<strong>on</strong> <strong>on</strong> any <strong>of</strong> <strong>the</strong> requirements.<br />
These guidelines apply to all material outsourcing arrangements. Registrants should review<br />
all outsourced arrangements that pre-existed <strong>the</strong> guideline to assess compliance with <strong>the</strong><br />
standards. Where deficiencies are observed, registrants should immediately seek to rectify<br />
those deficiencies. Where <strong>the</strong> required changes cannot be made until <strong>the</strong> next c<strong>on</strong>tract period,<br />
<strong>the</strong> Commissi<strong>on</strong> expects that <strong>the</strong> registrant would have in place measures to mitigate against<br />
any potential risks. The firms should have in place an Acti<strong>on</strong> Plan identifying those steps that<br />
will be taken to address all deficiencies and <strong>the</strong> timing <strong>of</strong> such acti<strong>on</strong>s. Such a plan should be<br />
submitted to <strong>the</strong> Commissi<strong>on</strong> within <strong>on</strong>e m<strong>on</strong>th <strong>of</strong> <strong>the</strong> issuance <strong>of</strong> this guideline for any existing<br />
arrangements with deficiencies and every time a deficiency is identified following a review<br />
(internal or external reviews.) Additi<strong>on</strong>ally, registrants should, within (6) six m<strong>on</strong>ths <strong>of</strong> <strong>the</strong><br />
issuance <strong>of</strong> this guideline, ensure that a notice <strong>on</strong> all material outsourcing arrangements is<br />
submitted to <strong>the</strong> Commissi<strong>on</strong>.<br />
For <strong>the</strong> purpose <strong>of</strong> this guideline, a material functi<strong>on</strong> will be defined as a functi<strong>on</strong> that has <strong>the</strong><br />
potential to have a critical impact—both qualitative and quantitative—<strong>on</strong> a significant line <strong>of</strong><br />
business <strong>of</strong> <strong>the</strong> registrant. Secti<strong>on</strong> VIII <strong>of</strong> this guideline sets out <strong>the</strong> assessment methodology<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
3 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
for materiality. Applicants who may be uncertain as to whe<strong>the</strong>r a business activity that is to be<br />
outsourced would be regarded as “material” for <strong>the</strong> purposes <strong>of</strong> <strong>the</strong>se guidelines should seek<br />
directi<strong>on</strong> from <strong>the</strong> Commissi<strong>on</strong>.<br />
IV. EXECUTIVE SUMMARY<br />
<strong>Outsourcing</strong> is a significant comp<strong>on</strong>ent <strong>of</strong> <strong>the</strong> management <strong>of</strong> business by modern companies<br />
as it facilitates <strong>the</strong> rati<strong>on</strong>alizati<strong>on</strong> <strong>of</strong> resources, people, material and funds. Registrants may<br />
seek to outsource functi<strong>on</strong>s so as to reduce costs, improve <strong>the</strong> quality <strong>of</strong> service to its clients, or<br />
centralize activities. However, it is important to ensure <strong>the</strong> delegati<strong>on</strong> <strong>of</strong> functi<strong>on</strong>s does not<br />
reduce <strong>the</strong> protecti<strong>on</strong> available to investors, or result in or cause n<strong>on</strong>-compliance with <strong>the</strong><br />
legislati<strong>on</strong> and regulatory requirements.<br />
The management <strong>of</strong> outsourcing has been a c<strong>on</strong>cern for many regi<strong>on</strong>al and internati<strong>on</strong>al<br />
jurisdicti<strong>on</strong>s, resulting in <strong>the</strong> development <strong>of</strong> rules by <strong>the</strong> various regulators to govern this area.<br />
The Internati<strong>on</strong>al Organizati<strong>on</strong> <strong>of</strong> <strong>Securities</strong> Commissi<strong>on</strong>s (IOSCO) released principles to guide<br />
<strong>the</strong> management <strong>of</strong> outsourcing. These principles emphasize;<br />
c<strong>on</strong>ducting due diligence when selecting service providers and m<strong>on</strong>itoring <strong>the</strong>ir<br />
performance;<br />
having a c<strong>on</strong>tract with <strong>the</strong> service provider;<br />
ensuring that service providers have adequate business c<strong>on</strong>tinuity plans;<br />
specifying requirements for <strong>the</strong> security and c<strong>on</strong>fidentiality <strong>of</strong> informati<strong>on</strong>;<br />
ensuring terminati<strong>on</strong> provisi<strong>on</strong>s are in place; and<br />
ensuring that <strong>the</strong>re is access to <strong>the</strong> books and records by <strong>the</strong> regulators and <strong>the</strong> client.<br />
These proposed <strong>Outsourcing</strong> <str<strong>on</strong>g>Guidelines</str<strong>on</strong>g> is in compliance with IOSCO Principals and have also<br />
been adapted by o<strong>the</strong>r internati<strong>on</strong>al and regi<strong>on</strong>al jurisdicti<strong>on</strong>s. A review <strong>of</strong> (10) ten internati<strong>on</strong>al<br />
and regi<strong>on</strong>al jurisdicti<strong>on</strong>s 1 revealed that outsourced arrangements are managed in many<br />
different ways. Most jurisdicti<strong>on</strong>s required outsourcing arrangements to be subject to <strong>the</strong> fit and<br />
proper requirements and an assessment <strong>of</strong> <strong>the</strong> service provider’s ability and willingness to<br />
perform <strong>the</strong> outsourced functi<strong>on</strong>s. <strong>Outsourcing</strong> arrangements are also permitted under <strong>the</strong>ir<br />
general rules that govern <strong>the</strong> initial authorizati<strong>on</strong> <strong>of</strong> <strong>the</strong> market and require <strong>the</strong> instituti<strong>on</strong> to seek<br />
specific regulatory approval before a functi<strong>on</strong> can be outsourced.<br />
V. GENERAL GUIDELINES ON OUTSOURCING FOR REGISTRANTS<br />
(1) What can be outsourced - <strong>Outsourcing</strong> arrangements must be limited to activities that are<br />
c<strong>on</strong>sidered “material” or “core” to <strong>the</strong> business <strong>of</strong> <strong>the</strong> market. In additi<strong>on</strong> to c<strong>on</strong>sidering <strong>the</strong><br />
materiality <strong>of</strong> <strong>the</strong> outsourcing arrangement to <strong>the</strong> market's core business, it has been identified,<br />
1 Australia, Barbados, Canada, H<strong>on</strong>g K<strong>on</strong>g, India, Jamaica, Malaysia, Singapore, <strong>the</strong> United Kingdom, and <strong>the</strong><br />
United States<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
4 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
that am<strong>on</strong>g o<strong>the</strong>rs, <strong>the</strong> following factors should be c<strong>on</strong>sidered when assessing outsourcing<br />
arrangements.<br />
• potential risks to <strong>the</strong> regulatory objectives <strong>of</strong> maintaining fair, orderly and<br />
transparent markets;<br />
• potential impact <strong>on</strong> price formati<strong>on</strong>;<br />
• potential negative impacts <strong>on</strong> investor protecti<strong>on</strong>;<br />
• potential threats to <strong>the</strong> jurisdicti<strong>on</strong>’s clearance and settlement system;<br />
This assessment should be used to protect <strong>the</strong> interests <strong>of</strong> clients and to ensure operati<strong>on</strong>al<br />
procedures and c<strong>on</strong>trols are in line with <strong>the</strong> registrant’s day-to-day operati<strong>on</strong>.<br />
(2) C<strong>on</strong>fidentiality - The registrant should take appropriate steps to ensure that service<br />
providers protect c<strong>on</strong>fidential informati<strong>on</strong> regarding <strong>the</strong> firm’s proprietary and o<strong>the</strong>r informati<strong>on</strong>,<br />
as well as <strong>the</strong>ir clients or investors from intenti<strong>on</strong>al or inadvertent disclosure to unauthorized<br />
individuals. To facilitate this;<br />
Registrants must take appropriate steps to c<strong>on</strong>firm that c<strong>on</strong>fidential firm informati<strong>on</strong> is<br />
not misused or misappropriated. Provisi<strong>on</strong>s should be made in <strong>the</strong> c<strong>on</strong>tract to prohibit<br />
<strong>the</strong> outsourcing service provider and any subc<strong>on</strong>tracted providers from using or<br />
disclosing <strong>the</strong> outsourcing firm’s proprietary informati<strong>on</strong>, except as necessary to provide<br />
<strong>the</strong> c<strong>on</strong>tracted services.<br />
Registrants should have c<strong>on</strong>trols in place to ensure that <strong>the</strong> requirements <strong>of</strong> customer<br />
data c<strong>on</strong>fidentiality are observed and proper safeguards are established to protect <strong>the</strong><br />
integrity and c<strong>on</strong>fidentiality <strong>of</strong> customer informati<strong>on</strong>.<br />
Registrants should not undertake outsourcing arrangements that may result in <strong>the</strong><br />
disclosure <strong>of</strong> client informati<strong>on</strong> to <strong>the</strong> service provider or any subc<strong>on</strong>tracted provider<br />
without <strong>the</strong> prior c<strong>on</strong>sent <strong>of</strong> <strong>the</strong> client.<br />
Registrants should c<strong>on</strong>sider whe<strong>the</strong>r it is appropriate to notify customers that customer<br />
data may be transmitted to a service provider or a subc<strong>on</strong>tracted provider, taking into<br />
account any regulatory or statutory provisi<strong>on</strong>s that may be applicable. Where registrants<br />
choose not to inform customers, registrants must be prepared to accept all resulting<br />
liability issues.<br />
(3) Governance - The ultimate resp<strong>on</strong>sibility and accountability for <strong>the</strong> proper management <strong>of</strong><br />
<strong>the</strong> outsourced functi<strong>on</strong> and <strong>the</strong> associated risks <strong>of</strong> outsourcing remains with <strong>the</strong> registrant. The<br />
Board and senior management should ensure that <strong>the</strong>re is an appropriate risk management<br />
framework for <strong>the</strong> management <strong>of</strong> outsourcing arrangements.<br />
<strong>Outsourcing</strong> cannot transfer <strong>the</strong> risks to <strong>the</strong> service provider and as such, firms should ensure<br />
that all risks associated with <strong>the</strong> activity are managed to <strong>the</strong> same extent that would be required<br />
if <strong>the</strong> activity was c<strong>on</strong>ducted in-house.<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
5 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
The Board <strong>of</strong> Directors or delegated committee should;<br />
• Review and approve <strong>the</strong> policies governing outsourcing and review compliance<br />
against <strong>the</strong> policies <strong>on</strong> a regular basis;<br />
• Approve all material outsourcing arrangements;<br />
• Ensure that outsourcing arrangements are included in <strong>the</strong> scope <strong>of</strong> work <strong>of</strong> <strong>the</strong><br />
audit functi<strong>on</strong>. Auditors should regularly review and report <strong>on</strong> compliance <strong>of</strong> <strong>the</strong><br />
arrangement with applicable terms and c<strong>on</strong>diti<strong>on</strong>s <strong>of</strong> <strong>the</strong> outsourcing agreement.<br />
All outsourcing arrangements must comply with all statutory requirements inter alia,<br />
requirements <strong>on</strong> anti-m<strong>on</strong>ey laundering, and record keeping. A statement to this effect<br />
should be included in <strong>the</strong> Annual update.<br />
Registrants must be prepared to resume direct c<strong>on</strong>trol <strong>of</strong> <strong>the</strong> outsourced activity in <strong>the</strong><br />
event that it can no l<strong>on</strong>ger be outsourced.<br />
The registrant should have policies and procedures in place to address <strong>the</strong> additi<strong>on</strong>al<br />
risks arising from outsourcing a business activity.<br />
When a material outsourcing arrangement results in services being provided outside The<br />
Bahamas, registrants must address additi<strong>on</strong>al c<strong>on</strong>cerns linked to <strong>the</strong> ec<strong>on</strong>omic and<br />
political envir<strong>on</strong>ment, technological sophisticati<strong>on</strong>, and <strong>the</strong> legal and regulatory risk<br />
pr<strong>of</strong>ile <strong>of</strong> <strong>the</strong> foreign jurisdicti<strong>on</strong>(s), if any.<br />
A centralized list <strong>of</strong> all material outsourcing arrangements should be maintained. This list<br />
should c<strong>on</strong>tain relevant informati<strong>on</strong> namely, <strong>the</strong> name <strong>of</strong> <strong>the</strong> service provider, <strong>the</strong> locati<strong>on</strong> where<br />
<strong>the</strong> services are being provided, <strong>the</strong> expiry or renewal date <strong>of</strong> <strong>the</strong> c<strong>on</strong>tract or outsourcing<br />
agreement and <strong>the</strong> value <strong>of</strong> <strong>the</strong> c<strong>on</strong>tract or outsourcing agreement. The list should be updated<br />
when agreements are being amended, renewed, or terminated and should be a part <strong>of</strong> <strong>the</strong><br />
senior management’s report.<br />
(4) Due Diligence - The registrant should c<strong>on</strong>duct appropriate due diligence in selecting service<br />
providers. When renewing a c<strong>on</strong>tract or outsourcing arrangement, Registrants need to ensure<br />
that <strong>the</strong> outsourced firm has <strong>the</strong> ability, capacity and authorizati<strong>on</strong> required by law to perform<br />
<strong>the</strong> outsourced activities reliably and pr<strong>of</strong>essi<strong>on</strong>ally. The due diligence process should include,<br />
(but is not limited to) an assessment <strong>of</strong> <strong>the</strong>:<br />
• financial soundness to perform <strong>the</strong> outsourcing assignment;<br />
• technical competence <strong>of</strong> <strong>the</strong> service provider to deliver <strong>the</strong> required services;<br />
• service provider’s internal c<strong>on</strong>trol, reporting and m<strong>on</strong>itoring envir<strong>on</strong>ment;<br />
• business reputati<strong>on</strong>, complaints, and pending litigati<strong>on</strong>;<br />
• business c<strong>on</strong>tinuity arrangements and c<strong>on</strong>tingency plans;<br />
• reliance <strong>on</strong> and success in dealing with subc<strong>on</strong>tractors;<br />
• insurance coverage;<br />
• business objectives; and<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
6 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
• human resource policies, service philosophies, business culture, and how <strong>the</strong>y fit<br />
with those <strong>of</strong> <strong>the</strong> registrant.<br />
The due diligence process should be undertaken initially during <strong>the</strong> selecti<strong>on</strong> period and<br />
periodically as an <strong>on</strong>going m<strong>on</strong>itoring initiative. The registrant should ensure that <strong>the</strong><br />
informati<strong>on</strong> used for due diligence evaluati<strong>on</strong> is current and should not be more than<br />
(12) twelve m<strong>on</strong>ths old.<br />
Where <strong>the</strong> proposal to outsource to a third party (i.e. to an entity not affiliated or related<br />
to <strong>the</strong> registrant) <strong>the</strong> third party should be an entity in a jurisdicti<strong>on</strong> acceptable to <strong>the</strong><br />
Commissi<strong>on</strong>. It is expected that <strong>the</strong> due diligence c<strong>on</strong>ducted <strong>on</strong> <strong>the</strong> third party will<br />
include an assessment to ensure that <strong>the</strong> third party meets <strong>the</strong> ‘fit and proper’ criteria<br />
that is applied by <strong>the</strong> Commissi<strong>on</strong> to <strong>the</strong> registrant. It is <strong>the</strong> role <strong>of</strong> <strong>the</strong> compliance<br />
department or a compliance <strong>of</strong>ficer, and internal auditor, to ensure that <strong>the</strong> activities<br />
undertaken by third party providers, adheres to <strong>the</strong> regulated firm’s outsourcing policy.<br />
The due diligence process should have a clearly defined metrics, that will specify what<br />
<strong>the</strong> service level standards are, measure <strong>the</strong> service level against <strong>the</strong>se standards and<br />
specify what service levels are required. There should also be a mechanism to identify<br />
and report instances <strong>of</strong> n<strong>on</strong>-compliance or unsatisfactory performance to <strong>the</strong> outsourcing<br />
firm as well as <strong>the</strong> ability to assess <strong>the</strong> quality <strong>of</strong> services performed by <strong>the</strong> service<br />
provider <strong>on</strong> a regular basis.<br />
In assessing <strong>the</strong> effectiveness <strong>of</strong> <strong>the</strong> service provider <strong>the</strong> registered firm should<br />
c<strong>on</strong>sider;<br />
• <strong>the</strong> impact <strong>of</strong> <strong>the</strong> outsourcing arrangement <strong>on</strong> <strong>the</strong> finances, reputati<strong>on</strong> and<br />
operati<strong>on</strong>s <strong>of</strong> <strong>the</strong> firm;<br />
• its ability to maintain important c<strong>on</strong>trols and meet supervisory regulatory<br />
requirements;<br />
• <strong>the</strong> cost <strong>of</strong> outsourcing <strong>the</strong> service; and<br />
• <strong>the</strong> degree <strong>of</strong> difficulty and time required to find an alternative service provider or<br />
return <strong>the</strong> outsourced activity in-house. (See XIII Annex III for additi<strong>on</strong>al<br />
informati<strong>on</strong> for c<strong>on</strong>formity to IOCSO’s Principles <strong>on</strong> outsourcing <strong>of</strong> financial<br />
services for market intermediaries)<br />
(5) Anti-M<strong>on</strong>ey Laundering Requirements - Registrants must satisfy <strong>the</strong> Commissi<strong>on</strong> that<br />
outsourcing arrangements will not violate any statutory/prudential requirements <strong>on</strong> anti-m<strong>on</strong>ey<br />
laundering or record keeping procedures.<br />
(6) Business C<strong>on</strong>tingency and C<strong>on</strong>tinuity Arrangements - The registrant and its outsourced<br />
service providers should establish and maintain c<strong>on</strong>tingency and c<strong>on</strong>tinuity plans. These plans<br />
should include disaster recovery and periodic testing <strong>of</strong> back-up facilities. Where a material<br />
functi<strong>on</strong> is outsourced, <strong>the</strong> registrant should ensure that its business c<strong>on</strong>tinuity arrangements<br />
address foreseeable situati<strong>on</strong>s (ei<strong>the</strong>r temporary or permanent) when <strong>the</strong> arrangement is<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
7 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
suddenly terminated or when <strong>the</strong> service provider is unable to fulfill its obligati<strong>on</strong>s under <strong>the</strong><br />
outsourcing agreement for any reas<strong>on</strong>. In particular, a registrant should make provisi<strong>on</strong> in its<br />
business c<strong>on</strong>tinuity arrangements for <strong>the</strong> retenti<strong>on</strong> <strong>of</strong> informati<strong>on</strong> 2 , ready access to all records<br />
necessary to allow it to sustain business operati<strong>on</strong>s, meet its statutory obligati<strong>on</strong>s, and provide<br />
such informati<strong>on</strong> as may be required by <strong>the</strong> Commissi<strong>on</strong>, to exercise its regulatory powers or<br />
perform its supervisory functi<strong>on</strong>s. (See XIII Annex III for additi<strong>on</strong>al informati<strong>on</strong> for c<strong>on</strong>formity to<br />
IOCSO’s Principles <strong>on</strong> outsourcing <strong>of</strong> financial services for market intermediaries.)<br />
(7) Terminati<strong>on</strong> and Exit Management - Registrants should have a terminati<strong>on</strong> and exit<br />
management process in place in <strong>the</strong> event that an outsourced functi<strong>on</strong> is disc<strong>on</strong>tinued.<br />
Registrants are expected to take appropriate steps to manage all terminati<strong>on</strong> <strong>of</strong><br />
outsourcing arrangements. These should include exit strategies to allow transfer <strong>of</strong><br />
service, client data, and any o<strong>the</strong>r resources to ano<strong>the</strong>r service provider or to <strong>the</strong><br />
regulated firm itself. Provisi<strong>on</strong> <strong>of</strong> terminati<strong>on</strong> rights may include (but are not limited to)<br />
cases <strong>of</strong> <strong>the</strong> following;<br />
• insolvency;<br />
• liquidati<strong>on</strong> or receivership;<br />
• change <strong>of</strong> ownership<br />
• failure to comply with regulatory requirements; and/or<br />
• poor performance.<br />
Registrants should submit a written notice to <strong>the</strong> Commissi<strong>on</strong> <strong>of</strong> dismissal or<br />
cancellati<strong>on</strong> advising that it intends to terminate an outsourced arrangement within (30)<br />
thirty days before <strong>the</strong> final announcement <strong>of</strong> <strong>the</strong> terminati<strong>on</strong>.<br />
Registrants should require cooperati<strong>on</strong> <strong>of</strong> <strong>the</strong> service provider up<strong>on</strong> terminati<strong>on</strong>. This<br />
cooperati<strong>on</strong> should be clearly stated in <strong>the</strong> outsourcing arrangements that details <strong>the</strong><br />
acquisiti<strong>on</strong> <strong>of</strong> full access to any relevant systems and documentati<strong>on</strong>s held at <strong>the</strong><br />
outsourced firm relating to <strong>the</strong> activities carried out <strong>on</strong> behalf <strong>of</strong> <strong>the</strong> registrant.<br />
(8) Approval process for <strong>Outsourcing</strong> by <strong>the</strong> Commissi<strong>on</strong> - Registrants must inform <strong>the</strong><br />
Commissi<strong>on</strong> in writing <strong>of</strong> any activity to be outsourced.<br />
Prior to entering into an agreement notificati<strong>on</strong> should be made to <strong>the</strong> Commissi<strong>on</strong><br />
within (60) sixty days, to c<strong>on</strong>sider <strong>the</strong> proposal and must include, at a minimum, <strong>the</strong><br />
following informati<strong>on</strong>;<br />
• <strong>the</strong> activities to be outsourced;<br />
• <strong>the</strong> name <strong>of</strong> <strong>the</strong> outsourcing service provider (indicating whe<strong>the</strong>r this firm is part<br />
<strong>of</strong> <strong>the</strong> registered firm’s group and its regulatory status, if any); and<br />
2 SIR Sec 20 Records locati<strong>on</strong> and retenti<strong>on</strong> requirement<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
8 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
• <strong>the</strong> locati<strong>on</strong> where <strong>the</strong> outsource activity will be carried out whe<strong>the</strong>r in <strong>the</strong><br />
Bahamas or outside <strong>of</strong> <strong>the</strong> Bahamas.<br />
The registrant must submit a written c<strong>on</strong>firmati<strong>on</strong> to <strong>the</strong> Commissi<strong>on</strong> from senior<br />
management stating that best practice has been utilized in <strong>the</strong> selecti<strong>on</strong> <strong>of</strong> <strong>the</strong><br />
outsourced service provider, ensuring that <strong>the</strong> outsourcing <strong>of</strong> material functi<strong>on</strong>s<br />
guidelines have been followed and in line with <strong>the</strong> proposed outsourced activity.<br />
The Commissi<strong>on</strong> may impose, at its discreti<strong>on</strong>, specific c<strong>on</strong>diti<strong>on</strong>s <strong>on</strong> <strong>the</strong> outsourcing<br />
activities, in additi<strong>on</strong> to those outlined in <strong>the</strong> guidelines.<br />
A written No Objecti<strong>on</strong> resp<strong>on</strong>se to registrants should be received within (30) thirty days<br />
from <strong>the</strong> Commissi<strong>on</strong>. Should <strong>the</strong> Commissi<strong>on</strong> be satisfied with <strong>the</strong> registrant<br />
outsourcing <strong>the</strong> activity, <strong>the</strong> outsourcing agreement and <strong>the</strong> outsourced service provider,<br />
<strong>the</strong> agreement should be approved.<br />
The Commissi<strong>on</strong> should object by written resp<strong>on</strong>se within (30) thirty days, to <strong>the</strong><br />
following;<br />
• a proposed outsourcing arrangement;<br />
• <strong>the</strong> c<strong>on</strong>tinued use <strong>of</strong> an outsourced service provider; or<br />
• to require <strong>the</strong> outsourcing arrangement to be terminated.<br />
(9) Access to Books, Records and Premises - The Commissi<strong>on</strong>, and <strong>the</strong> auditors <strong>of</strong> <strong>the</strong><br />
registrant should have access to <strong>the</strong> books and records <strong>of</strong> <strong>the</strong> outsourced service provider<br />
relating to <strong>the</strong> activities outsourced. Additi<strong>on</strong>ally, <strong>the</strong> Commissi<strong>on</strong> may at any time c<strong>on</strong>duct <strong>on</strong>site<br />
inspecti<strong>on</strong>s <strong>of</strong> <strong>the</strong> business. 3 Pursuant to Regulati<strong>on</strong> 44 <strong>of</strong> <strong>the</strong> SIR 2012, <strong>the</strong> Commissi<strong>on</strong> is<br />
also permitted access to any informati<strong>on</strong> c<strong>on</strong>cerning <strong>the</strong> activities carried out <strong>on</strong> behalf <strong>of</strong> <strong>the</strong><br />
registered firm, as if those records and informati<strong>on</strong> were held at <strong>the</strong> registered firm.<br />
Registrants should provide by way <strong>of</strong> c<strong>on</strong>tractual agreement with service providers, <strong>the</strong><br />
Commissi<strong>on</strong> having access to books, records and outsourcing service providers in<br />
relati<strong>on</strong> to outsourced activities. It should be ensured that <strong>the</strong> Commissi<strong>on</strong> has <strong>the</strong> right<br />
to obtain up<strong>on</strong> request, informati<strong>on</strong> regarding outsourced activities.<br />
Registrant’s c<strong>on</strong>tractual agreements should also provide for <strong>the</strong> registrant and its auditor<br />
to have access to and <strong>the</strong> rights to inspect <strong>the</strong> service provider’s books and records<br />
relating to <strong>the</strong> outsourced functi<strong>on</strong>. Where appropriate, <strong>the</strong> inspecti<strong>on</strong> can be performed<br />
by way <strong>of</strong> physical inspecti<strong>on</strong> at <strong>the</strong> service provider premises, or by way <strong>of</strong> delivery <strong>of</strong><br />
books and records to <strong>the</strong> registrant or auditor.<br />
3 SIA 2011 Sec 45 (1) Compliance inspecti<strong>on</strong>s – regulated pers<strong>on</strong>s<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
9 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
The Commissi<strong>on</strong> should be notified if a service provider has plans to chain outsource<br />
any material functi<strong>on</strong>s <strong>of</strong> a registrant to ano<strong>the</strong>r service providing entity. The<br />
Commissi<strong>on</strong>, <strong>the</strong> registrant and <strong>the</strong> auditor must also be granted access to <strong>the</strong> books<br />
and records <strong>of</strong> <strong>the</strong> subc<strong>on</strong>tracted service provider.<br />
Registrants should notify <strong>the</strong> Commissi<strong>on</strong> <strong>of</strong> any adverse developments arising in<br />
outsourcing that could significantly affect <strong>the</strong>ir operati<strong>on</strong>s, including any event that could<br />
potentially lead to terminati<strong>on</strong> and early exit from <strong>the</strong> outsourcing arrangement; and<br />
provide such informati<strong>on</strong> as may be required by <strong>the</strong> Commissi<strong>on</strong> to exercise its<br />
regulatory powers or perform its supervisory functi<strong>on</strong>s.<br />
VI. OUTSOURSING OF MATERIAL ACTIVITIES WITH REGARDS TO INVESTMENT FUNDS<br />
ADMINISTRATORS AND SENIOR MANAGEMENT<br />
Administrators and senior managers <strong>of</strong> investment funds should not be permitted to<br />
outsource core administrati<strong>on</strong> activities such as –<br />
• strategic oversight; and<br />
• internal audit functi<strong>on</strong>;<br />
VII. OFFSHORE OUTSOURCING<br />
In additi<strong>on</strong> to <strong>the</strong> general due diligence process outlined in Sec (4) <strong>of</strong> <strong>the</strong>se guidelines, <strong>the</strong><br />
Commissi<strong>on</strong>, in assessing whe<strong>the</strong>r to approve an applicati<strong>on</strong> to outsource <strong>of</strong>fshore material<br />
functi<strong>on</strong>s it should be expected, that <strong>the</strong> Board c<strong>on</strong>sider <strong>the</strong> risks which could arise from<br />
material functi<strong>on</strong>s being operated <strong>of</strong>fshore, to include;<br />
country risk - <strong>the</strong> risk that overseas ec<strong>on</strong>omic, political and/or social events which<br />
could impact up<strong>on</strong> <strong>the</strong> ability <strong>of</strong> <strong>the</strong> overseas service provider to c<strong>on</strong>tinue to provide an<br />
outsourced service to <strong>the</strong> registrants;<br />
compliance (legal) risk - <strong>the</strong> risk that <strong>of</strong>fshore arrangements will impact up<strong>on</strong> <strong>the</strong><br />
registrant’s ability to comply with relevant Bahamian and overseas laws and regulati<strong>on</strong>s.<br />
c<strong>on</strong>tractual risk - <strong>the</strong> risk associated with registrant’s ability to enforce <strong>the</strong> <strong>of</strong>fshore<br />
agreement may be limitedly or completely hindered;<br />
access risk - <strong>the</strong> risk relating to <strong>the</strong> Commissi<strong>on</strong> obtaining informati<strong>on</strong> and to retain<br />
records, is partly or completely hindered. This risk also refers to <strong>the</strong> potential difficulties<br />
or inability <strong>of</strong> <strong>the</strong> Commissi<strong>on</strong> to access <strong>the</strong> service provider and <strong>the</strong> material business<br />
activity being c<strong>on</strong>ducted.<br />
Where The Commissi<strong>on</strong> approves <strong>the</strong> <strong>of</strong>fshore arrangement, <strong>the</strong>se risks stated above should<br />
also be c<strong>on</strong>sidered when c<strong>on</strong>ducting <strong>the</strong> <strong>on</strong>going m<strong>on</strong>itoring and c<strong>on</strong>trol <strong>of</strong> <strong>the</strong> material<br />
functi<strong>on</strong>/s.<br />
There are some specific risk management c<strong>on</strong>siderati<strong>on</strong>s that should be exercised when<br />
assessing, m<strong>on</strong>itoring and c<strong>on</strong>trolling material functi<strong>on</strong>s outsourced to service providers when<br />
c<strong>on</strong>ducting <strong>the</strong> activities outside <strong>of</strong> The Bahamas. These c<strong>on</strong>siderati<strong>on</strong>s that registrants should<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
10 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
c<strong>on</strong>sider with regards to <strong>the</strong> provisi<strong>on</strong>s in <strong>the</strong> outsourcing agreement should include (but are not<br />
limited to);<br />
Choice <strong>of</strong> law - C<strong>on</strong>tracts should specify under which particular jurisdicti<strong>on</strong>, c<strong>on</strong>tractual<br />
disputes will be resolved. The due diligence process should include an examinati<strong>on</strong> <strong>of</strong><br />
<strong>the</strong> relevant overseas legislati<strong>on</strong> and regulati<strong>on</strong>s by a suitably qualified expert to ensure<br />
that c<strong>on</strong>tractual provisi<strong>on</strong>s are recognized by <strong>the</strong> overseas jurisdicti<strong>on</strong> and are able to be<br />
enforced in <strong>the</strong> chosen jurisdicti<strong>on</strong>.<br />
Security and c<strong>on</strong>fidentiality <strong>of</strong> informati<strong>on</strong> - Registrants should ensure that<br />
c<strong>on</strong>tractual provisi<strong>on</strong>s in relati<strong>on</strong> to data are <strong>of</strong> <strong>the</strong> same standard as those required <strong>of</strong> a<br />
domestic service provider and in accordance with requirements under Bahamian<br />
legislati<strong>on</strong> and regulati<strong>on</strong>s. C<strong>on</strong>tracts should also ensure that all informati<strong>on</strong> forwarded<br />
to <strong>the</strong> service provider by <strong>the</strong> registrant (as well as any informati<strong>on</strong> forwarded by <strong>the</strong><br />
service provider to third parties in <strong>the</strong> course <strong>of</strong> providing that service, such as to a backup<br />
disaster recovery provider) remains <strong>the</strong> property <strong>of</strong> <strong>the</strong> registrant.<br />
Access to informati<strong>on</strong>/pers<strong>on</strong>s - Any agreement with a service provider should not<br />
restrict access to informati<strong>on</strong> by <strong>the</strong> Commissi<strong>on</strong>, external auditors, independent third<br />
parties or representatives <strong>of</strong> <strong>the</strong> registrant for <strong>the</strong> purposes <strong>of</strong> c<strong>on</strong>firming <strong>the</strong><br />
performance <strong>of</strong> <strong>the</strong> risk management systems. Legal due diligence undertaken prior to<br />
<strong>the</strong> executi<strong>on</strong> <strong>of</strong> <strong>the</strong> c<strong>on</strong>tract should also ensure that <strong>the</strong>re are no legal impediments to<br />
<strong>the</strong> Commissi<strong>on</strong>’s access to informati<strong>on</strong> and/or relevant pers<strong>on</strong>s employed by <strong>the</strong><br />
Commissi<strong>on</strong> or service provider for <strong>the</strong> purposes <strong>of</strong> examining <strong>the</strong> organizati<strong>on</strong> in<br />
relati<strong>on</strong> to <strong>the</strong> regulati<strong>on</strong> <strong>of</strong> <strong>the</strong> registrant’s activities. Records should be maintained by<br />
<strong>the</strong> registrant in a Bahamian <strong>of</strong>fice and in English. These records should include (but<br />
are not limited to);<br />
• copies <strong>of</strong> <strong>the</strong> c<strong>on</strong>tractual agreement;<br />
• copies <strong>of</strong> <strong>the</strong> due diligence assessment and<br />
• copies <strong>of</strong> financial statements, reports and any o<strong>the</strong>r informati<strong>on</strong> <strong>the</strong><br />
registrant/licensee c<strong>on</strong>siders critical to <strong>the</strong> <strong>on</strong>going m<strong>on</strong>itoring and c<strong>on</strong>trol <strong>of</strong> <strong>the</strong><br />
outsourcing arrangement with <strong>the</strong> service provider.<br />
VIII. THE OUTSOURCING AGREEMENT<br />
The Commissi<strong>on</strong> expects that <strong>the</strong> outsourcing arrangement undertaken by way <strong>of</strong> c<strong>on</strong>structi<strong>on</strong><br />
be detailed and appropriate to <strong>the</strong> materiality <strong>of</strong> <strong>the</strong> outsourced activity and to <strong>the</strong> business <strong>of</strong><br />
<strong>the</strong> outsourcing firm. The level <strong>of</strong> detail to <strong>the</strong> c<strong>on</strong>tents <strong>of</strong> <strong>the</strong> written agreement should reflect<br />
<strong>the</strong> level <strong>of</strong> m<strong>on</strong>itoring, assessment, inspecti<strong>on</strong>, auditing required, <strong>the</strong> risks, <strong>the</strong> size and<br />
complexity <strong>of</strong> <strong>the</strong> outsourced service. Additi<strong>on</strong>ally <strong>the</strong> Commissi<strong>on</strong> expects <strong>the</strong> arrangement to<br />
be;<br />
A legally binding written document between <strong>the</strong> registrant and <strong>the</strong> outsourcing service<br />
provider stating clearly <strong>the</strong> defined activities and resp<strong>on</strong>sibilities to be outsourced by <strong>the</strong><br />
registrant and service provider.<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
11 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
Registrants should c<strong>on</strong>sider adopting measures to ensure that such agreements remain<br />
up-to-date and accurate and reflect <strong>the</strong> arrangements that are actually in operati<strong>on</strong>.<br />
The c<strong>on</strong>tract at a minimum, should include, (but is not limited to) <strong>the</strong> following provisi<strong>on</strong>s;<br />
• defining <strong>the</strong> resp<strong>on</strong>sibilities <strong>of</strong> <strong>the</strong> registrant and <strong>the</strong> outsourcing service provider;<br />
• access to <strong>the</strong> records and informati<strong>on</strong> held by <strong>the</strong> outsourced agent/s;<br />
• audit and m<strong>on</strong>itoring procedures;<br />
• legal compliance;<br />
• time limitati<strong>on</strong>s;<br />
• fees and payment structure;<br />
• firm and client c<strong>on</strong>fidentiality and security;<br />
• insurance, guarantees and indemnities;<br />
• business c<strong>on</strong>tinuity provisi<strong>on</strong>s;<br />
• terminati<strong>on</strong> <strong>of</strong> c<strong>on</strong>tract, transfer <strong>of</strong> informati<strong>on</strong> and exit strategies;<br />
• Subc<strong>on</strong>tracting, including <strong>the</strong> limitati<strong>on</strong>s or c<strong>on</strong>diti<strong>on</strong>s, <strong>the</strong> extent it is permitted,<br />
and fur<strong>the</strong>r obligati<strong>on</strong>s;<br />
• dispute settlement mechanism for cross-border outsourcing should be<br />
determined by <strong>the</strong> country’s law that governs <strong>the</strong> relati<strong>on</strong>ship within that<br />
particular jurisdicti<strong>on</strong> and be outlined in <strong>the</strong> agreement procedures; and<br />
• obligati<strong>on</strong> <strong>of</strong> <strong>the</strong> outsourced service provider, to provide, up<strong>on</strong> request records,<br />
informati<strong>on</strong> and/or any assistance c<strong>on</strong>cerning <strong>the</strong> outsourced activity to <strong>the</strong><br />
registrant, its auditors and <strong>the</strong> Commissi<strong>on</strong> <strong>on</strong>ce it has received c<strong>on</strong>sent from its<br />
home supervisor to do so.<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
12 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
X. BIBLIOGRAPHY – REFERENCES<br />
http://www.mas.gov.sg/resource/legislati<strong>on</strong>_guidelines/risk_mgt/<strong>Outsourcing</strong>%20<str<strong>on</strong>g>Guidelines</str<strong>on</strong>g>.pdf<br />
http://www.osfi bsif.gc.ca/app/DocRepository/1/eng/guidelines/sound/guidelines/b10_e.pdf<br />
http://www.centralbankbahamas.com/download/065303200.pdf<br />
http://www.iosco.org/library/pubdocs/pdf/IOSCOPD299.pdf<br />
http://www.mas.gov.sg/resource/publicati<strong>on</strong>s/c<strong>on</strong>sult_papers/2004/CP%20-<br />
%20<str<strong>on</strong>g>Guidelines</str<strong>on</strong>g>%20<strong>on</strong>%20<strong>Outsourcing</strong>%20120304%20Final.pdf<br />
http://www.iosco.org/library/statements/pdf/statements-9.pdf<br />
http://www.fsc.gi/download/adobe/GuidanceNote-<strong>Outsourcing</strong>.pdf<br />
http://www.bis.org/publ/joint12.pdf<br />
http://www.sc.com.my/eng/html/resources/guidelines/stockbroking/GL_outsourcing_110809.pdf<br />
http://www.fsa.go.jp/inter/ios/20090325/02.pdf<br />
http://www.centralbank.org.bb/Financial/<strong>Outsourcing</strong>_Guideline.pdf<br />
http://www.hkma.gov.hk/media/eng/doc/key-functi<strong>on</strong>s/banking-stability/supervisorypolicy-manual/SA-2.pdf<br />
http://www.sebi.gov.in/commreport/outsourcing.pdf<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
13 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
ANNEX I<br />
Administrator: - a company that has been licensed by <strong>the</strong> Commissi<strong>on</strong> under <strong>the</strong> Internati<strong>on</strong>al<br />
Financial Authority (IFA) as a restricted or unrestricted investment fund administrator.<br />
Chain <strong>Outsourcing</strong>: - outsourcing where <strong>the</strong> outsourcing service provider subc<strong>on</strong>tracts<br />
elements <strong>of</strong> <strong>the</strong> service to o<strong>the</strong>r providers.<br />
Core Investment Activities: - <strong>the</strong> final checking and release <strong>of</strong> <strong>the</strong> investment funds’ net asset<br />
value calculati<strong>on</strong> and <strong>the</strong> maintenance <strong>of</strong> <strong>the</strong> shareholder register.<br />
<strong>Material</strong> activities: -<br />
• activities <strong>of</strong> such importance that any weakness or failure in <strong>the</strong> provisi<strong>on</strong> <strong>of</strong><br />
<strong>the</strong>se activities could have a significant effect <strong>on</strong> <strong>the</strong> regulated firm’s ability to<br />
meet its regulatory resp<strong>on</strong>sibilities and/or to c<strong>on</strong>tinue in business;<br />
• key systems without which a regulated firm would be unable to deliver services to<br />
its clients, e.g. <strong>the</strong> sole means <strong>of</strong> providing a service;<br />
• any o<strong>the</strong>r activities requiring a license or authorizati<strong>on</strong> from <strong>the</strong> Commissi<strong>on</strong>;<br />
• any activity having a significant impact <strong>on</strong> a regulated firm’s risk management;<br />
and<br />
• <strong>the</strong> management <strong>of</strong> risks relating to <strong>the</strong>se activities.<br />
In any case, what is c<strong>on</strong>sidered as a critical or important functi<strong>on</strong> varies according to <strong>the</strong><br />
circumstances and nature <strong>of</strong> <strong>the</strong> regulated firm and <strong>the</strong> specific arrangements c<strong>on</strong>templated.<br />
<strong>Outsourcing</strong>: - a registered firm entering into an arrangement with a third party service provider<br />
whereby that service provider will undertake a material business functi<strong>on</strong>, activity or process <strong>on</strong><br />
behalf <strong>of</strong> <strong>the</strong> registered firm, which currently is, or could be undertaken by <strong>the</strong> registrant itself.<br />
<strong>Outsourcing</strong> Firm: - a registrant <strong>of</strong> <strong>the</strong> Commissi<strong>on</strong> that is <strong>the</strong> purchaser <strong>of</strong> <strong>the</strong> good, service,<br />
or facility provided by an outsourcing service provider.<br />
<strong>Outsourcing</strong> Service Provider: - <strong>the</strong> supplier <strong>of</strong> goods, services or facilities, and/or an<br />
affiliated entity within a registrant’s corporate group, or which may not be affiliated with <strong>the</strong><br />
registrant or regulated by <strong>the</strong> Commissi<strong>on</strong>.<br />
Senior Management: - pers<strong>on</strong>s who effectively direct <strong>the</strong> business <strong>of</strong> a registered firm, this<br />
includes <strong>the</strong> firm’s board <strong>of</strong> directors and o<strong>the</strong>r pers<strong>on</strong>s who effectively direct <strong>the</strong> business <strong>of</strong><br />
<strong>the</strong> firm.<br />
Registrant: - licensed and registered firms <strong>of</strong> <strong>the</strong> Commissi<strong>on</strong>.<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
14 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
ANNEX II<br />
The outsourcing arrangements covered by <strong>the</strong>se guidelines may involve <strong>the</strong> following areas:<br />
• Informati<strong>on</strong> technology – management and maintenance <strong>of</strong> systems (e.g., data entry<br />
and processing, applicati<strong>on</strong>s development, programming, and coding);<br />
• Document processing (e.g., cheques, credit cards, bill payments);<br />
• Management <strong>of</strong> investments (e.g., portfolio management);<br />
• Research and marketing (e.g., product development, media relati<strong>on</strong>s, call centres,<br />
telemarketing);<br />
• Back <strong>of</strong>fice management (e.g., payroll processing, transacti<strong>on</strong>s and payment<br />
processing);<br />
• Pr<strong>of</strong>essi<strong>on</strong>al services related to <strong>the</strong> business activities <strong>of</strong> <strong>the</strong> financial instituti<strong>on</strong> (e.g.,<br />
internal audits, actuarial services, accounting);<br />
• Human resources (e.g., recruitment);<br />
However, <strong>the</strong>se guidelines do not apply to <strong>the</strong> following:<br />
Courier services, regular mail, utilities, teleph<strong>on</strong>e;<br />
Procurement <strong>of</strong> specialized training;<br />
Discrete advisory services (e.g., legal services, certain investment advisory services that<br />
do not result directly in investment decisi<strong>on</strong>s, independent appraisals, trustees in<br />
bankruptcy);<br />
Purchase <strong>of</strong> goods, wares, commercially available s<strong>of</strong>tware and o<strong>the</strong>r commodities;<br />
Independent audit reviews;<br />
Credit background and background investigati<strong>on</strong> and informati<strong>on</strong> services;<br />
Market informati<strong>on</strong> services (e.g., Bloomberg, Moody’s);<br />
Independent c<strong>on</strong>sulting;<br />
Services <strong>the</strong> financial instituti<strong>on</strong> is not legally able to provide;<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
15 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
Printing services;<br />
Repair and maintenance <strong>of</strong> fixed assets;<br />
Supply and service <strong>of</strong> leased telecommunicati<strong>on</strong> equipment;<br />
Travel agency and transportati<strong>on</strong> services;<br />
Maintenance and support <strong>of</strong> licensed s<strong>of</strong>tware;<br />
Temporary help and c<strong>on</strong>tract pers<strong>on</strong>nel;<br />
Specialized recruitment;<br />
External c<strong>on</strong>ferences;<br />
Clearing and settlement arrangements between members or participants <strong>of</strong> recognized<br />
clearing and settlement systems;<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
16 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
ANNEX III<br />
C<strong>on</strong>tinuity at <strong>the</strong> <strong>Outsourcing</strong> Firm (IOSCO’S PRINCIPLES ON OUTSOURCING OF<br />
FINANCIAL SERVICES FOR MARKET INTERMEDIARIES)<br />
Means for Implementati<strong>on</strong><br />
<strong>Outsourcing</strong> firms are expected to take appropriate steps to require, in appropriate cases based<br />
<strong>on</strong> <strong>the</strong> materiality <strong>of</strong> <strong>the</strong> functi<strong>on</strong> that is being outsourced, that service providers have in place a<br />
comprehensive program.<br />
Specificati<strong>on</strong> <strong>of</strong> <strong>the</strong> security requirements <strong>of</strong> automated systems to be used by <strong>the</strong><br />
service provider, including <strong>the</strong> technical and organizati<strong>on</strong>al measures that will be taken<br />
to protect firm and customer-related data. Appropriate care should be exercised to<br />
ensure that IT security protects <strong>the</strong> privacy <strong>of</strong> <strong>the</strong> outsourcing firm’s customers as<br />
mandated by law:<br />
Requirements that <strong>the</strong> service provider maintain appropriate measures to ensure<br />
security <strong>of</strong> both <strong>the</strong> outsourcing firm’s s<strong>of</strong>tware as well as any s<strong>of</strong>tware developed by <strong>the</strong><br />
service provider for <strong>the</strong> use <strong>of</strong> <strong>the</strong> outsourcing firm;<br />
Specificati<strong>on</strong> <strong>of</strong> <strong>the</strong> rights <strong>of</strong> each party to change or require changes to security<br />
procedures and requirements and <strong>of</strong> <strong>the</strong> circumstances under which such changes<br />
might occur;<br />
Provisi<strong>on</strong>s that address <strong>the</strong> service provider’s emergency procedures and disaster<br />
recovery and c<strong>on</strong>tingency plans as well as any particular issues that may need to be<br />
addressed where <strong>the</strong> outsourcing firm is utilizing a foreign service provider. Where<br />
relevant, this may include <strong>the</strong> service provider’s resp<strong>on</strong>sibility for backing up and<br />
o<strong>the</strong>rwise protecting program and data files, as well as regulatory reporting;<br />
Where appropriate, terms and c<strong>on</strong>diti<strong>on</strong>s relevant to <strong>the</strong> use <strong>of</strong> subc<strong>on</strong>tractors with<br />
respect to IT security, and appropriate steps to minimize <strong>the</strong> risks arising out <strong>of</strong> such<br />
subc<strong>on</strong>tracting;<br />
Where appropriate, requirement <strong>of</strong> testing by <strong>the</strong> service provider <strong>of</strong> critical systems and<br />
back-up facilities <strong>on</strong> a periodic basis in order to review <strong>the</strong> ability <strong>of</strong> <strong>the</strong> service providers<br />
to perform adequately even under unusual physical and/or market c<strong>on</strong>diti<strong>on</strong>s at <strong>the</strong><br />
outsourcing firm, <strong>the</strong> service provider, or both, and to determine whe<strong>the</strong>r sufficient<br />
capacity exists under all relevant c<strong>on</strong>diti<strong>on</strong>s;<br />
Requirement <strong>of</strong> disclosure by <strong>the</strong> service provider <strong>of</strong> breaches in security resulting in<br />
unauthorized intrusi<strong>on</strong>s (whe<strong>the</strong>r deliberate or accidental, and whe<strong>the</strong>r c<strong>on</strong>firmed or not)<br />
that may affect <strong>the</strong> outsourcing firm or its customers, including a report <strong>of</strong> corrective<br />
acti<strong>on</strong> taken; and<br />
Provisi<strong>on</strong>s in <strong>the</strong> outsourcing firm’s own c<strong>on</strong>tingency plans that address circumstances<br />
in which <strong>on</strong>e or more <strong>of</strong> its service providers fail to adequately perform <strong>the</strong>ir c<strong>on</strong>tractual<br />
obligati<strong>on</strong>s. Where relevant, this may include reporting by <strong>the</strong> outsourcing firm to its<br />
regulator. The outsourcing firm may need to require c<strong>on</strong>tractually informati<strong>on</strong> from <strong>the</strong><br />
service provider to fulfill this obligati<strong>on</strong>.<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
17 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
ANNEX IV<br />
Due diligence in selecti<strong>on</strong> and m<strong>on</strong>itoring <strong>of</strong> service provider and service provider's<br />
performance (IOSCO’S PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR<br />
MARKET INTERMEDIARIES)<br />
Means for Implementati<strong>on</strong><br />
Documenting processes and procedures that enable <strong>the</strong> outsourcing firm to assess,<br />
prior to selecti<strong>on</strong>, <strong>the</strong> third party service provider’s ability and capacity to perform <strong>the</strong><br />
outsourced activities effectively, reliably, and to a high standard, including <strong>the</strong> service<br />
provider’s technical, financial and human resources capacity, toge<strong>the</strong>r with any potential<br />
risk factors associated with using a particular service provider.<br />
Documenting processes and procedures that enable <strong>the</strong> outsourcing firm to m<strong>on</strong>itor <strong>the</strong><br />
third party service provider's performance and compliance with its c<strong>on</strong>tractual<br />
obligati<strong>on</strong>s, including processes and procedures that:<br />
• Clearly define metrics that will measure <strong>the</strong> service level, and specify what<br />
service levels are required; and<br />
• Establish measures to identify and report instances <strong>of</strong> n<strong>on</strong>-compliance or<br />
unsatisfactory performance to <strong>the</strong> outsourcing firm as well as <strong>the</strong> ability to assess<br />
<strong>the</strong> quality <strong>of</strong> services performed by <strong>the</strong> service provider <strong>on</strong> a regular basis (see<br />
also topic 2).<br />
Implementing processes and procedures designed to help ensure that <strong>the</strong> service<br />
provider is in compliance with applicable laws and regulatory requirements in its<br />
jurisdicti<strong>on</strong>, and that where <strong>the</strong>re is a failure to perform duties required by statute or<br />
regulati<strong>on</strong>s, <strong>the</strong> outsourcing firm, to <strong>the</strong> extent required by law or regulati<strong>on</strong>, reports <strong>the</strong><br />
failure to its regulator and/or self regulatory organizati<strong>on</strong> and takes corrective acti<strong>on</strong>s.5<br />
For example, procedures may include:<br />
• The use <strong>of</strong> service delivery reports and <strong>the</strong> use <strong>of</strong> internal and external auditors<br />
to m<strong>on</strong>itor, assess, and report to <strong>the</strong> outsourcing firm <strong>on</strong> performance;<br />
• The use <strong>of</strong> written service level agreements or <strong>the</strong> inclusi<strong>on</strong> <strong>of</strong> specific service<br />
level provisi<strong>on</strong>s in c<strong>on</strong>tracts for service to achieve clarity <strong>of</strong> performance targets<br />
and measurements for third party service providers.<br />
With respect to outsourcing <strong>on</strong> a cross-border basis, in determining whe<strong>the</strong>r <strong>the</strong> use <strong>of</strong> a<br />
foreign service provider is appropriate, <strong>the</strong> outsourcing firm may, with respect to a<br />
functi<strong>on</strong> that is material to <strong>the</strong> firm, need to c<strong>on</strong>duct enhanced due diligence that focuses<br />
<strong>on</strong> special compliance risks, including <strong>the</strong> ability to effectively m<strong>on</strong>itor <strong>the</strong> foreign service<br />
provider, <strong>the</strong> ability to maintain <strong>the</strong> c<strong>on</strong>fidentiality <strong>of</strong> firm and customer informati<strong>on</strong>; and<br />
<strong>the</strong> ability to execute c<strong>on</strong>tingency plans and exit strategies where <strong>the</strong> service is being<br />
performed <strong>on</strong> a cross-border basis.<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
18 | P a g e
PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS<br />
PROPOSED GUIDELINES FOR OUTSOURCING MAY 2012<br />
The <strong>Securities</strong> Commissi<strong>on</strong> <strong>of</strong> The Bahamas<br />
3rd Floor, Charlotte House<br />
Charlotte Street<br />
P.O. Box N- 8347<br />
By fax to: (242) 356-6291/2<br />
By email to: info@scb.gov.bs<br />
Website: www.scb.gov.bs<br />
ISSUED FOR PUBLIC CONSULTATION<br />
CONSULTATION ENDS 28 JUNE 2012<br />
19 | P a g e