C. Internal Governance – Outsourcing Policy and Register

1. Prior to the Outsourcing of services and on an ongoing basis, VASPs should establish and maintain comprehensive Outsourcing policies, contingency plans and Outsourcing risk management programmes [Outsourcing Policy].
2. Outsourcing Policy.
 
  a. An Outsourcing Policy should include, but not be limited to the following—
 
    i. the framework for a comprehensive assessment of risks involved in Outsourcing and identifying whether a proposed Outsourcing is a Material Outsourcing or not;
    ii. procedures for identifying, measuring, managing, mitigating, controlling and reporting the risks of an Outsourcing arrangement and any conflicts of interest;
    iii. the objectives of the Outsourcing and criteria for approving an Outsourcing arrangement;
    iv. procedures that clearly identify the Staff involved in the VASP and their roles and responsibilities with regard to Outsourcing arrangements;
    v. procedures that clearly identify the responsibilities of each party in respect of the Outsourcing and in particular what responsibilities have been retained by the VASP;
    vi. procedures to deal effectively with any act or omission by the Service Provider that leads, or might lead, to a breach of any law or regulation, and enact required remediation measures promptly; and
    vii. a review mechanism to ensure the Outsourcing policy can be updated as necessary to align with industry and regulatory developments as well as the VASP’s strategic development needs.
 
  b. VASPs must maintain a comprehensive register of all Outsourcing arrangements, including both those of the VASP itself and its Group, which must include the following key information for each Outsourcing arrangement, at a minimum—
 
    i. the name of each Service Provider;
    ii. a description of the scope of the Outsourced service;
    iii. location where the Outsourced service is being performed;
    iv. start and end date of the Outsourcing agreement;
    v. key points of contact for the Service Provider;
    vi. whether the Outsourcing arrangement is a Material Outsourcing;
    vii. whether the Outsourcing involves storage or processing of Personal Data [beyond the exchange of business contact information between the VASP and the Service Provider for administration purposes]; and
    viii. whether the Outsourcing arrangement involves any confidential information.
 
3. Oversight of Outsourcing – monitoring the service.
 
  a. VASPs must manage identified risks associated with the Outsourcing activity and such Service Provider’s compliance with its contractual obligations as well as managing their relationship with the Service Provider, having regard to the risks presented by the Outsourced activity to the ongoing business of the VASP and its regulatory obligations.
  b. Monitoring should be assigned to Staff with appropriate expertise and cover the Service Provider’s contractual performance, financial soundness and risk profile, any material issues encountered in the provision of services and any remedial steps and mitigation measures taken in respect thereof. The monitoring and control processes and procedures of VASPs should be subject to regular reviews and audits to evaluate effectiveness and adequacy.