  • Chapter RM-7 Outsourcing Risk

    • RM-7.1 Outsourcing Risk

      • RM-7.1.1

        Investment firm licensees must identify all material outsourcing contracts and ensure that the risks associated with such contracts are adequately controlled. In particular, investment firm licensees must comply with the specific requirements set out in this Chapter.

        Adopted: July 2007

      • RM-7.1.2

        Outsourcing means an arrangement whereby a third party performs on behalf of a licensee an activity that was previously undertaken by the licensee itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

        Amended: October 2017
        Adopted: July 2007

      • RM-7.1.3

        For purposes of RM-7.1.1, a contract is 'material' where, if it failed in any way, it would pose significant risks to the on-going operations of a licensee, its reputation and/or the quality of service provided to its clients. For instance, the outsourcing of all or a substantial part of functions such as customer sales and relationship management, settlements and processing, IT and data processing and financial control, would normally be considered "material". Management should carefully consider whether a proposed outsourcing arrangement falls under this Module's definition of "material". If in doubt, management should consult with the CBB.

        Adopted: July 2007

      • RM-7.1.3A

        For outsourcing services that are not considered material outsourcing arrangements, licensees must submit a written notification to the CBB before committing to the new outsourcing arrangement.

        Added: October 2017

      • RM-7.1.4

        Investment firm licensees must retain ultimate responsibility for functions or activities that are outsourced. In particular, licensees must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.

        Adopted: July 2007

      • RM-7.1.5

        Investment firm licensees must not contract out their regulatory obligations and must take reasonable care to supervise the discharge of outsourced functions, if any.

        Adopted: July 2007

      • Supervisory Approach

        • RM-7.1.6

          Investment firm licensees must seek the CBB's prior written approval before committing to a new material outsourcing arrangement.

          Amended: October 2017
          Amended: July 2008
          Adopted: July 2007

        • RM-7.1.7

          Investment firm licensees may not outsource their core business function or activities to third parties.

          Adopted: July 2010

        • RM-7.1.8

          The prior approval request in RM-7.1.6 must:

          (a) Be made in writing to the licensee's normal supervisory contact; and
          (b) Contain sufficient detail to demonstrate that relevant issues raised in this Chapter have been addressed; and
          (c) Be made at least 6 weeks before the licensee intends to commit to the arrangement.
          Amended: July 2010
          Amended: July 2008
          Adopted: July 2007

        • RM-7.1.9

          The CBB will review the information provided and provide a definitive response within a reasonable period of time of receiving the request for approval referred to in Paragraph RM-7.1.8. The CBB may also contact home or host supervisors to seek their comments — in such cases, the period of time is also subject to the speed of their response.

          Amended: October 2017
          Amended: January 2016
          Amended: July 2013
          Amended: July 2010
          Adopted: July 2007

        • RM-7.1.9A

          The CBB's approach to approving requests for outsourcing arrangements will also consider whether the investment firm licensee has engaged in considerable outsourcing of its activities, a practice which the CBB does not favour.

          Added: July 2013

        • RM-7.1.10

          Once an activity has been outsourced, a licensee must continue to monitor the associated risks and the effectiveness of its mitigating controls.

          Amended: July 2010
          Adopted: July 2007

        • RM-7.1.11

          Investment firm licensees must immediately inform their normal supervisory contact at the CBB of any material problems encountered with an outsourcing provider. The CBB may direct the investment firm licensee to make alternative arrangements for the outsourced activity.

          Amended: October 2017
          Amended: July 2010
          Adopted: July 2007

        • RM-7.1.11A

          The CBB reserves the right to require a licensee to terminate or make alternative outsourcing arrangements if, among other reasons, the confidentiality of its customer information was, or is likely to be, breached or the ability of the CBB to carry out its supervisory functions in view of the outsourcing arrangement cannot be assured or executed.

          Added: October 2017

        • RM-7.1.12

          The CBB requires ongoing access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.

          Amended: July 2010
          Adopted: July 2007

      • Risk Assessment

        • RM-7.1.13

          Investment firm licensees must undertake a thorough risk assessment of an outsourcing proposal before formally submitting the request for approval to the CBB and committing themselves to an agreement.

          Amended: October 2017
          Amended: July 2010
          Adopted: July 2007

        • RM-7.1.14

          Before entering into, or significantly changing, an outsourcing arrangement, a licensee should:

          (a) Analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
          (b) Consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
          (c) Conduct appropriate due diligence of the service provider's financial stability and expertise;
          (d) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract);
          (e) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms; and
          (f) Analyse the outsourcing provider's financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards and the associated country risk.
          Amended: October 2017
          Amended: July 2010
          Adopted: July 2007

        • RM-7.1.15

          In negotiating its contract with a service provider, a licensee should have regard to:

          (a) Reporting or notification requirements it may wish to impose on the service provider;
          (b) Whether sufficient access will be available to its internal auditors, external auditors and to the CBB;
          (c) Information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
          (d) The adequacy of any guarantees and indemnities;
          (e) The extent to which the service provider must comply with the licensee's policies and procedures (covering, for example, information security);
          (f) The extent to which a service provider will provide business continuity for outsourcing operations, and whether exclusive access to its resources is agreed;
          (g) The need for continued availability of software following difficulty at a third party supplier; and
          (h) The processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the licensee or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
          (i) A change of ownership or control (including insolvency or receivership) of the service provider or firm;
          (ii) Significant change in the business operations (including sub-contracting) of the service provider or firm; or
          (iii) Inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.
          Amended: July 2010
          Adopted: July 2007

        • RM-7.1.16

          Investment firm licensees must maintain and regularly review contingency plans to enable them to set up alternative arrangements — with minimum disruption to business — should the outsourcing contract be suddenly terminated or the outsourcing provider fail. This may involve the identification of alternative outsourcing providers or the provision of the service in-house. These plans should consider how long the transition would take and what interim arrangements would apply.

          Amended: July 2010
          Adopted: July 2007

        • RM-7.1.17

          A licensee must nominate a relevant approved person within the licensee to handle the responsibility of the day-to-day relationship with the outsourcing provider and to ensure that relevant risks are addressed. The CBB should be informed of the designated individual as part of the written prior approval required under Rule RM-7.1.6. Any subsequent replacement of such person must also be notified to the CBB.

          Amended: October 2017
          Amended: July 2010
          Amended: October 2009
          Amended: July 2008
          Adopted: July 2007

        • RM-7.1.18

          All material outsourcing arrangements by an investment firm licensee must be the subject of a legally enforceable contract. Where the outsourcing provider interacts directly with a licensee's customers, the contract must — where relevant — reflect the licensee's own standards regarding client care. Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider and the on-going impact of the agreement on their risk profile and systems and controls framework.

          Amended: July 2010
          Adopted: July 2007

    • RM-7.2 Outsourcing Agreement

      • RM-7.2.1

        The activities to be outsourced and respective contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. This agreement must — amongst other things — address the issues identified below in this Section.

        Adopted: July 2007

      • Control Over Outsourced Activities

        • RM-7.2.2

          The Board and management of licensees are held ultimately responsible by the CBB for the adequacy of systems and controls in outsourced activities. Investment firm licensees must therefore ensure they have adequate mechanisms for monitoring the performance of, and managing the relationship with, the outsourcing provider.

          Adopted: July 2007

        • RM-7.2.3

          Clear reporting and escalation mechanisms must be specified in the agreement.

          Adopted: July 2007

        • RM-7.2.4

          Where an outsourcing provider in turn decides to sub-contract to other providers, CBB prior written approval must be obtained, and the original provider must remain contractually liable to the licensee for the quality and level of service agreed, and its obligations to the licensee must remain unchanged.

          Amended: October 2017
          Adopted: July 2007

      • Customer Data Confidentiality

        • RM-7.2.5

          Investment firm licensees must ensure that outsourcing agreements comply with all applicable legal requirements regarding client confidentiality.

          Adopted: July 2007

        • RM-7.2.6

          Investment firm licensees must ensure that the outsourcing provider implements adequate safeguards and procedures.

          Adopted: July 2007

        • RM-7.2.7

          For the purposes of RM-7.2.6, the implementation of adequate safeguards would include the proper segregation of client data from those belonging to other clients of the outsourcing provider. Outsourcing providers should give suitable undertakings that the company and its staff will comply with all applicable confidentiality rules. Licensees should have contractual rights to take action against the service provider in the event of breach of confidentiality.

          Adopted: July 2007

        • RM-7.2.8

          Investment firm licensees must ensure that they retain title under any outsourcing agreements for data, information and records that form part of the prudential records of the licensee.

          Adopted: July 2007

        • RM-7.2.9

          Investment firm licensees must assess the impact of using an overseas-based outsourcing provider on their ability to keep customer data confidential, for instance, because of the powers of local authorities to access such data.

          Adopted: July 2007

      • Access to Information

        • RM-7.2.10

          Outsourcing agreements must ensure that the investment firm licensee's internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.

          Adopted: July 2007

        • RM-7.2.11

          Investment firm licensees must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information they may reasonably require to fulfil its responsibilities under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing provider, if required.

          Amended: October 2017
          Adopted: July 2007

        • RM-7.2.12

          Where the outsourcing provider is based overseas, the outsourcing provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the CBB inspectors and appointed experts, having the access described in RM-7.2.10 and RM-7.2.11 above. Should such restrictions be imposed, the licensee must communicate this fact to the CBB as soon as it becomes aware of the matter.

          Amended: October 2017
          Adopted: July 2007

        • RM-7.2.13

          The outsourcing provider must commit itself, in the outsourcing agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing provider.

          Adopted: July 2007

      • Business Continuity

        • RM-7.2.14

          Investment firm licensees must ensure that service providers maintain, regularly review and test plans to ensure continuity in the provision of the outsourced service.

          Adopted: July 2007

        • RM-7.2.15

          Investment firm licensees must have an adequate understanding of the outsourcing provider's contingency arrangements, to understand the implications for the licensee's own contingency arrangements.

          Adopted: July 2007

      • Termination

        • RM-7.2.16

          Investment firm licensees must have a right to terminate the agreement should the outsourcing provider:

          (a) Undergo a change of ownership (whether direct or indirect) that poses a potential conflict of interest;
          (b) Become insolvent; or
          (c) Go into liquidation or administration.
          Adopted: July 2007

        • RM-7.2.17

          Termination under any other circumstances allowed under the agreement must give investment firm licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.

          Adopted: July 2007

        • RM-7.2.18

          In the event of termination, for whatever reason, the agreement must provide for the return of all client data — where required by investment firm licensees — or destruction of the records.

          Amended: October 2017
          Adopted: July 2007

      • Cloud services

        • RM-7.2.19

          For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place:

          (a) Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control;
          (b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing provider;
          (c) A comprehensive change management procedure must be developed to account for future changes to technology with adequate testing of such changes;
          (d) The licensee's data must be logically segregated from other entities' data at the outsourcing service provider's platform;
          (e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to forms of protection available against unauthorized access and incident management process in cases of data breach or data loss; and
          (f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, subject to the CBB Law.
          Added: October 2017

    • RM-7.3 Intra-group Outsourcing

      • RM-7.3.1

        As with outsourcing to non-group companies, the Board and management of licensees are held ultimately responsible by the CBB for the adequacy of systems and controls in activities outsourced to group companies.

        Adopted: July 2007

      • RM-7.3.2

        However, the degree of formality required — in terms of contractual agreements and control mechanisms — for outsourcing within a licensee's group is likely to be less, because of common management and enhanced knowledge of other group companies.

        Adopted: July 2007

      • RM-7.3.3

        Investment firm licensees must obtain CBB prior written approval before committing to a material intra-group outsourcing. The request for approval must be made in writing to the licensee's normal supervisory contact at least 6 weeks prior to committing to the outsourcing, and must set out a summary of the proposed outsourcing, its rationale, and an analysis of its associated risks and proposed mitigating controls.

        Amended: October 2017
        Amended: April 2008
        Adopted: July 2007

      • RM-7.3.4

        The CBB will respond to the request for approval in Paragraph RM-7.3.3 in the same manner and timescale as set out in Paragraph RM-7.1.9 and will also consider the issue of considerable outsourcing as outlined in Paragraph RM-7.1.9A.

        Amended: October 2017
        Amended: July 2013
        Amended: April 2008
        Adopted: July 2007

      • RM-7.3.5

        The CBB expects, as a minimum, an agreed statement of the standard of service to be provided by the group provider, including a clear statement of responsibilities allocated between the group provider and licensee.

        Adopted: July 2007

      • RM-7.3.6

        The CBB also expects a licensee's management to have addressed the issues of customer confidentiality, access to information and business continuity.

        Adopted: July 2007

      • RM-7.3.7

        Investment firm licensees may not outsource their core business activities, including the internal audit function, to their group. The outsourcing of certain functions is subject to the provisions of Modules RM (Risk Management), HC (High-Level Controls) and FC (Financial Crime).

        Adopted: October 2009

    • RM-7.4 Internal Audit Outsourcing

      • RM-7.4.1

        Licensees may not outsource their internal audit function to the same firm that acts as their external auditors.

        Amended: October 2009
        Adopted: July 2007

      • RM-7.4.2

        Licensees may outsource their internal audit function for a maximum period of one year, following which a licensee is expected to establish an internal audit function commensurate with the nature, scale and complexity of its business.

        Amended: October 2009
        Adopted: July 2007

      • RM-7.4.2A

        All requests to outsource the internal audit function must be supported by a board resolution or ratified by the audit committee.

        Added: January 2013

      • RM-7.4.3

        The CBB will only consider a licensee not having a separate internal audit function where its activities are limited in scale and complexity. In such case, it may continue to outsource this function for a period determined by the CBB.

        Amended: October 2009
        Adopted: July 2007

      • RM-7.4.4

        In all circumstances, Board and management of licensees must retain responsibility for ensuring that an adequate internal audit programme is implemented, and will be held accountable in this respect by the CBB.

        Amended: July 2013
        Amended: October 2009
        Adopted: July 2007

      • RM-7.4.5

        Due to the critical importance of an effective internal audit function to a licensee's control framework, all proposals to outsource internal audit operations are to be considered 'material outsourcing agreements'.

        Amended: October 2012
        Amended: October 2009
        Adopted: July 2007
