Good practices for managing outsourcing risks
These good practices are intended as recommendations on how financial institutions can put the requirement to manage outsourcing risks into practice, e.g. in the case of cloud computing. They are one of the results of our 2017 thematic examination into the management of outsourcing risks.
These "Good practices for managing outsourcing risks" are relevant for the following sectors: banks, clearing institutions, investment institutions and managers of investment institutions, payment institutions, exchange institutions and electronic money institutions.
In 2017, we conducted a thematic examination of outsourcing risks at banks, investment firms, managers of investment funds and payment institutions. We expect financial institutions to manage their material activities effectively, irrespective of whether they have outsourced them and regardless of whether they have outsourced them within their own group or to a third party. The good practices document advises financial institutions on how to organise this effectively. Outsourcing of activities is a dynamic area that continues to develop: since 1 July 2018, for instance, the EBA Recommendations on outsourcing to cloud service providers have been in force.
Section 3:17 of the Wft stipulates that the business activities of financial institutions must be controlled and business processes and risks must be managed effectively. Financial institutions that intend to outsource activities and business processes are required to comply with Section 3:18 of the Wft. Chapter 5 of the Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels - Bpr) details the requirements set for outsourcing of activities.
1. Outsourcing: risk assessment
Financial institutions must have an outsourcing strategy in place. When planning to outsource activities, financial institutions are required to perform a risk analysis and take appropriate measures to mitigate risks.
- If activities are outsourced, the financial institution remains responsible for the operational management of these activities. The institution must therefore actively monitor the service level.
- If activities are not outsourced, the institution does not benefit from the knowledge and scale of the service provider. The financial institution must then meet the applicable requirements (e.g. IT security) itself, and ensure that it remains competitive as far as costs are concerned.
- Some functions cannot be outsourced, in particular the formulation of policies and strategy, and the management of risk control and internal supervision.
2. Policy process
Financial institutions that outsource activities must have general policies in place that pertain to all aspects of outsourcing, including non-material outsourcing. The outsourcing policy describes the risks attached to outsourcing and how these risks are managed. The outsourcing policy must be updated at regular intervals and approved by the institution's management board.
3. Regulatory requirements
Outsourcing of activities to a service provider may not impede supervision of a financial institution. The institution is required to inform the supervisory authority about all material activities outsourced to service providers. All financial institutions are required to inform DNB about initiatives in the area of cloud computing, regardless of the materiality of said activities. Institutions are required to provide this information to DNB in time, in order to allow us to examine whether an institution's intended outsourcing meets with prudential objections, and to take the appropriate action if necessary. DNB keeps a register of all current outsourcing contracts to cloud services providers. Financial institutions are also required to adequately manage the risks associated with outsourcing to subcontractors.
The outsourcing agreement must include a clause to the effect that supervisory authorities have the right to examine the service provider and, if necessary, are given direct access to relevant data and premises.
4. Selection of service providers
The selection of service providers is preceded by a risk assessment including concentration and legal risks, a due diligence investigation of the provider and the approval of the management board of the institution. The institution must consider the risks and the necessary mitigating measures associated with different scenarios, e.g. one where the external service provider is temporarily or permanently incapable of delivering the services agreed. If financial institutions decide to outsource activities outside the EEA, they should pay extra attention to data protection and effective supervision.
5. Review of service providers
During the term of the agreement, financial institutions are required to review the service provider at regular intervals. These reviews must include evaluations of changes at the service provider, e.g. a major change in the ownership structure, the strategy, or the profitability of the service provider. The financial institution must be aware of material developments at the service provider that affect the degree to which the latter meets its commitments to its clients.
It is important that financial institutions foster key competences within their own organisation. This enables them to instruct and audit the service provider adequately, and to take direct control of the outsourced activity in a worst-case scenario. The outsourcing institution appoints organisational units or individuals responsible for auditing and managing all outsourced activities.
6. Management information
Outsourcing may not hamper the institution's management in managing and monitoring its activities. The financial institution must therefore monitor the operational and concentration risks accompanying outsourcing of activities. Its risk management function must compile and report management information at least once a quarter.
This management information should enable the institution's senior management to control effectively the risks associated with all outsourced activities.
7. Quality of the agreement
All outsourcing to third parties must be documented in a written agreement. This agreement must include a clear description of the activity to be outsourced. It must also specify the reporting requirements of the service provider. When outsourcing material activities, the financial institution must include in the agreement a clause that provides for termination and cancellation of the agreement. This enables the financial institution to contract out activities to another service provider, or to accommodate these services in-house.
8. Business continuity management
Outsourced material activities are part of the institution's business continuity management. This entails that continuity measures must be taken, both at the service provider and at the financial institution, including exit planning, possibly in a joint effort with other financial institutions. This also involves periodic verification of continuity measures, where necessary with the service provider's active involvement.
9. Critical data
If the financial institution has rules in place relating to the confidentiality of specific data, the service provider must guarantee the confidentiality of that data at least at the same level. The institution must include the protection of critical data in its risk assessment. Agreements governing outsourcing must also include clauses pertaining to data protection. Financial institutions must also monitor the service provider's access to critical data, e.g. with the help of security logs or other monitoring instruments.
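As an added illustration of the monitoring point above (this is not part of the DNB text and not any institution's tooling): a Python check that reads access-log records, flags every access by a service-provider account to a dataset classified as critical that is not covered by an approved change ticket, and tallies the result per provider account as input for the periodic management information. The log format, the account names, the dataset classification and the ticket register are all constructed assumptions.

```python
"""Added example: flag service-provider access to critical data from access logs.

Illustration only, not DNB's or any institution's tooling. The log format,
principals, dataset names and ticket identifiers below are constructed.
"""
from dataclasses import dataclass
import json

# Constructed sample log lines (one JSON object per line), not real data.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:12:01Z","principal":"svc-cloudops@provider.example","dataset":"customer-pii","action":"read","ticket":"CHG-1042"}
{"ts":"2024-03-04T09:15:44Z","principal":"svc-cloudops@provider.example","dataset":"customer-pii","action":"export","ticket":null}
{"ts":"2024-03-04T10:01:13Z","principal":"alice@bank.example","dataset":"customer-pii","action":"read","ticket":null}
{"ts":"2024-03-04T11:30:00Z","principal":"svc-backup@provider.example","dataset":"marketing-stats","action":"read","ticket":null}
{"ts":"2024-03-04T12:45:10Z","principal":"svc-backup@provider.example","dataset":"payment-ledger","action":"read","ticket":"CHG-1043"}
"""

# Assumed data classification: datasets the institution treats as critical.
CRITICAL_DATASETS = {"customer-pii", "payment-ledger"}
# Assumed inventory of the accounts the service provider uses on our systems.
PROVIDER_PRINCIPALS = {"svc-cloudops@provider.example", "svc-backup@provider.example"}
# Assumed export from change management: approved ticket -> datasets it permits.
APPROVED_TICKETS = {"CHG-1042": {"customer-pii"}}


@dataclass(frozen=True)
class Finding:
    ts: str
    principal: str
    dataset: str
    action: str
    reason: str


def parse_log(text):
    """Parse newline-delimited JSON access records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_provider_access(records, critical=CRITICAL_DATASETS,
                           providers=PROVIDER_PRINCIPALS, approved=APPROVED_TICKETS):
    """Return one Finding per provider access to critical data that is not
    covered by an approved change ticket for that dataset."""
    findings = []
    for r in records:
        if r["principal"] not in providers or r["dataset"] not in critical:
            continue  # internal staff, or non-critical data: out of scope here
        ticket = r.get("ticket")
        if ticket is None:
            reason = "no_ticket"
        elif r["dataset"] not in approved.get(ticket, set()):
            reason = "ticket_not_approved"
        else:
            continue  # access covered by an approved change
        findings.append(Finding(r["ts"], r["principal"], r["dataset"], r["action"], reason))
    return findings


def summarize(records, findings, critical=CRITICAL_DATASETS, providers=PROVIDER_PRINCIPALS):
    """Per provider account: critical-data accesses seen versus findings raised,
    the kind of figure that feeds the periodic management information."""
    summary = {}
    for r in records:
        if r["principal"] in providers and r["dataset"] in critical:
            entry = summary.setdefault(r["principal"], {"critical_accesses": 0, "findings": 0})
            entry["critical_accesses"] += 1
    for f in findings:
        summary.setdefault(f.principal, {"critical_accesses": 0, "findings": 0})["findings"] += 1
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    found = review_provider_access(recs)
    for f in found:
        print(f"{f.ts} {f.principal} {f.action} {f.dataset}: {f.reason}")
    print(summarize(recs, found))
```

Run against the constructed log, the check raises two findings: an export of customer-pii by the provider's operations account with no ticket, and a read of the payment ledger under a ticket the change register does not recognise. The internal user's access and the provider's read of non-critical marketing data are deliberately left out of scope, since the point of this control is the provider's access to critical data, not general access monitoring.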
10. Service level reports
The financial institution must verify that the outsourced activities continue to comply with the performance and quality standards that apply to internal execution of activities. The financial institution continuously monitors and assesses the adequacy of the services provided, in order to enable prompt recovery measures if necessary. These assessments must be based on a combination of quantitative and qualitative key performance indicators and on recent operational data provided by the service provider.
11. Assurance reports
The outsourcing agreement must include the obligation for the service provider to provide assurance reports about its internal control framework at regular intervals. This can be done by means of an audit to be performed at the service provider on behalf of the financial institution. Or the service provider can provide an assurance report certified by an independent assurance provider. We expect outsourced activities to also fall within the scope of an institution's internal audit function.