IOSCO Requests Comments on Updated Outsourcing Guidelines

IOSCO requested comments on updated principles for regulated entities that outsource functions.

The proposed principles build on the 2005 Outsourcing Principles for Market Intermediaries and the 2009 Outsourcing Principles for Markets, expanded to cover "trading venues, market intermediaries, proprietary trading firms, credit rating agencies, and financial market infrastructure entities."

The revisions to the principles include "fundamental precepts" (along with related guidance) that in-scope entities are expected to follow with respect to outsourcing arrangements. These "precepts cover issues such as the definition of outsourcing, the assessment of materiality and criticality, affiliates, sub-contracting and outsourcing on a cross-border basis."

The principles include:

1. conducting due diligence processes in choosing a service provider, and in monitoring its ongoing performance;

2. entering into a legally binding written contract with each service provider;

3. ensuring the protection of the regulated entity's proprietary and client-related information and a continuity of service to the regulated entity, including a plan for disaster recovery with periodic testing;

4. protecting confidential information and data related to the regulated entity and its clients from disclosure to third parties;

5. managing the risks of dependence on a single service provider;

6. ensuring that its regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks relevant to regulatory oversight; and

7. including written provisions regarding the termination of outsourced tasks with service providers and maintaining exit strategies.

Comments on the guidance must be submitted by October 1, 2020.