IOSCO outsourcing principles updated to ensure operational resilience
- Published: Thursday, 28 October 2021 07:44
The Board of the International Organization of Securities Commissions (IOSCO) has published a set of updated outsourcing principles for regulated entities that outsource tasks to service providers. IOSCO says that since the publication of IOSCO´s principles on outsourcing for market intermediaries in 2005 and for markets in 2009, new developments in markets and technology have focused regulatory attention on risks related to outsourcing and the need to ensure the operational resilience of regulated entities. Moreover, the effects of the COVID-19 highlight the need to maintain business continuity in situations where external and often unforeseen shocks impact firms and their service providers.
The updated Principles on Outsourcing are based on the earlier Outsourcing Principles for Market Intermediaries and for Markets, but their application has been expanded.
The revised principles comprise a set of fundamental precepts and seven principles.
The fundamental precepts cover issues such as the definition of outsourcing, the assessment of materiality and criticality, their application to affiliates, the treatment of sub-contracting and outsourcing on a cross-border basis.
The seven principles set out expectations for regulated entities that outsource tasks and include guidance for implementation. The principles cover the following areas:
- Due diligence in the selection and monitoring of a service provider and its performance
- The contract with a service provider
- Information security, business resilience, business continuity and disaster recovery
- Confidentiality issues
- Concentration of outsourcing arrangements
- Access to data, premises, personnel and associated rights of inspection
- Termination of outsourcing arrangements.
The Report also briefly addresses the impact of COVID-19 on outsourcing and operational resilience and includes an annex that describes how outsourcing integrates with cloud computing and how CRAs use and incorporate outsourcing and cloud computing in their organizational strategies and structures.