B. Risk Assessment, Due Diligence and Controls

1. Risk-based approach. VARA recognises that Outsourcing arrangements exhibit a varying degree of risk and expects VASPs to take this into account in assessing and managing the relevant risks. Measures taken by a VASP must be commensurate with the degree of risk associated with the Outsourcing arrangements. Material Outsourcings shall be subject to additional requirements as set out in this Part IV of this Company Rulebook.
2. Risk assessments.
  a. VASPs should have a process to assess the risk in relation to each Outsourcing arrangement they propose to enter into [including the variation or renewal of Outsourcing arrangements] and to identify if any such Outsourcing constitutes a Material Outsourcing. This assessment should be conducted prior to the commencement of an Outsourcing relationship and at least annually for the duration of such relationship.
  b. In respect of Outsourcing arrangements, the assessment of risk is dependent on the specific circumstances of each VASP. In assessing risk, factors that should be considered include but are not limited to the following—
    i. impact on the financial position, business operation, continuity of services, clients’ best interests, and reputation of the VASP upon the Service Provider’s failure to perform;
    ii. impact of the Outsourced activity on the ability of the VASP to comply with legal and regulatory requirements;
    iii. the scope, complexity and criticality of the service to be Outsourced;
    iv. impact of the Outsourced activity on internal control Functions of the VASP;
    v. cost of Outsourcing as a proportion of the total operating costs of the VASP;
    vi. the regulatory status of the Service Provider;
    vii. risks that are relevant to the geographical location of a Service Provider, including but not limited to those contained in Rule IV.F of this Company Rulebook; and
    viii. the degree of difficulty and time required to find an alternative Service Provider or to bring the Outsourced service in-house.
3. Due diligence.
  a. Prior to selecting a Service Provider, VASPs must perform detailed due diligence in relation to the Service Provider to ensure that the Service Provider has the ability and capacity to undertake the provision of the Outsourcing effectively, reliably and to a high standard. This should include an assessment of the Service Provider’s quality of services, technical, managerial and human resources capacity, financial soundness, reputation and experience, licensing or regulatory status, extent of reliance on and control of subcontractors, compatibility with the VASP’s corporate culture and business strategies, familiarity with the Virtual Asset industry and capacity to keep pace with innovation in the market. Other considerations that may be relevant include aggregate exposure to a particular Service Provider, costs and possible conflicts of interest.
  b. During the conduct of an Outsourcing, VASPs should regularly [and in any event at least annually and as circumstances warrant] review the selected Service Provider to ascertain whether the Service Provider remains competent to provide the Outsourced service to the standards required.