Skip to Content
Whole SectionText only Print Print Manager Link

OM-3.5.1

The activities to be outsourced and respective contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. This agreement must — amongst other things — address the following points:

(a) Control over outsourced activities
1. The Board and management of licensees are held ultimately responsible by the CBB for the adequacy of systems and controls in outsourced activities. Licensees must therefore ensure that they have adequate mechanisms for monitoring the performance of, and managing the relationship with, the outsourcing provider.
2. A service level agreementG ("SLA") — setting out the standards of service to be provided — must form part of the outsourcing agreement. Where the outsourcing provider interacts directly with a licensee's customers, the SLA must — where relevant — reflect the licensee's own standards regarding customer care.
3. Mechanisms for the regular monitoring by licensees of performance against the SLA and other targets, and for implementing remedies in case of any shortfalls, must also form part of the agreement.
4. Clear reporting and escalation mechanisms must be specified in the agreement.
5. Where an outsourcing provider in turn decides to sub-contract to other providers, CBB's prior written approval must be obtained, and the original provider must remain contractually liable to the licensee for the quality and level of service agreed, and its obligations to the licensee must remain unchanged.
(b) Customer data confidentiality
1. Licensees must ensure that outsourcing agreements comply with all applicable legal requirements regarding customer confidentiality.
2. Licensees must ensure that the outsourcing provider implements adequate safeguards and procedures. Amongst other things, customer data must be properly segregated from those belonging to other clients the outsourcing provider may have. Outsourcing providers must give suitable undertakings that the company and its staff will comply with all applicable confidentiality rules. Licensees must have contractual rights to take action against the service provider in the event of a breach of confidentiality.
3. Licensees must assess the impact of using an overseas-based outsourcing provider on their ability to maintain customer data confidentiality, for instance, because of the powers of local authorities to access such data.
(c) Access to information
1. Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information they may require to fulfill their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.
2. Licensees must also ensure that the CBB inspectors and appointed expertsG have timely access to any relevant information they may reasonably require under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing provider, if required.
3. Where the outsourcing provider is based overseas, the outsourcing provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the CBB inspectors and appointed expertsG , having the access described above. Should such restrictions subsequently be imposed, the licensee must communicate this fact to the CBB as soon as it becomes aware of the matter.
4. The outsourcing provider must commit itself, in the outsourcing agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing provider.
(d) Business continuity
1. Licensees must ensure that service providers maintain, regularly review and test plans to ensure continuity in the provision of the outsourced service.
2. Licensees must have an adequate understanding of the outsourcing provider's arrangements, to understand the implications for its own contingency arrangements (see Section OM-3.6).
(e) Termination
1. Licensees must have the right to terminate the agreement should the outsourcing provider undergo a change of ownership (whether direct or indirect) that poses a potential conflict of interestG ; becomes insolvent; or goes into liquidation or administration.
2. Termination under any other circumstances allowed under the agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.
3. In the event of termination, for whatever reason, the agreement must provide for the return of all customer data — where required by licensees — or destruction of the records.
Amended: October 2017
Amended: July 2011
Amended: January 2011
October 2007
Back to top