• CTRL Chapter 8 CTRL Chapter 8 Outsourcing

    Note for Chapter 8

    Under this Chapter, the governing body of a firm is responsible for the firm’s outsourcing policy (see rule 8.1.3) and the firm’s senior management is responsible for implementing that policy (see rule 8.2.2).

     

    Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL Part 8.1 CTRL Part 8.1 Outsourcing generally

      • CTRL 8.1.1 Application of Chapter 8

        This Chapter does not apply to the outsourcing of a function by an authorised firm if the functions are outsourced by the firm under COLL, PRIV or CAPI.

        Note Each of COLL, PRIV and CAPI contains separate outsourcing rules for the outsourcing of functions by authorised firms to which those rules apply.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.1.2 Meaning of outsourcing

        In these rules:

        outsourcing, for an authorised firm, means any arrangement that involves the firm relying on a separate service provider (including a member of the firm’s corporate group) for the exercise of a function that relates to a regulated activity of the firm and would otherwise be exercised by the firm, but does not include the following arrangements:

        (a) arrangements to provide advisory services (such as the provision of legal advice), audit services, personnel training services, billing services, and physical security;
        (b) supply arrangements and functions (including, for example, the supply of electricity or water and the provision of catering and cleaning services);
        (c) the purchase of standardised services (such as, for example, market information services and the provision of prices);
        (d) the appointment of a group employee to exercise a controlled function for the firm.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.1.3 Obligation to have outsourcing policy

        (1) An authorised firm’s governing body must establish and maintain an outsourcing policy.
        (2) The policy must at least provide for:
        (a) whether the firm will outsource any function at all; and
        (b) what functions may be outsourced.
        Note Appropriate records must be kept of policies and procedures — see GENE, rule 6.1.1.
        (3) A policy that the firm will not outsource any function satisfies subrule (1).
        (4) The governing body must review, at least once in every 2 years, the firm’s outsourcing policy and procedures, including:
        (a) its procedures for:
        (i) assessing the feasibility of a proposed outsourcing and the risks that the outsourcing poses to the firm’s business; and
        (ii) costing any proposed material outsourcing; and
        Note Material outsourcing is defined in rule 8.2.1.
        (b) the criteria for selecting service providers.
        (5) In this rule and rule 8.1.4, a reference to a firm’s governing body is a reference to the board, membership, committee, body (whatever it is called) or individual (however the responsibility might have been delegated) that has responsibility for the outsourcing policy.
        Examples for subrule (5)
        For a firm that is part of a corporate group, the governing body that might have responsibility for outsourcing policy might be:
        • a committee that is responsible for the place where the firm is located
        • the firm’s senior executive function
        • any other body or person that has such responsibility.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.1.4 Responsibility for outsourced functions

        (1) The outsourcing of a function by an authorised firm does not relieve the firm’s governing body from any obligation in relation to the function under the law applicable in the QFC.
        (2) The governing body remains responsible for ensuring:
        (a) that all requirements are complied with in relation to the function; and
        (b) that the function is otherwise properly exercised.
        (3) The governing body must exercise due skill, care and diligence in carrying out its obligations in relation to outsourced functions.
        Note For the use of the term ‘governing body’ in this rule, see rule 8.1.3 (5).

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.1.5 Outsourcing arrangements

        (1) An authorised firm may enter into an outsourcing arrangement only if:
        (a) the firm’s governing body has approved the firm’s outsourcing policy; and
        (b) the arrangement:
        (i) is permitted by the policy;
        (ii) will not reduce the firm’s ability to fulfil its obligations to depositors, policyholders, clients and other stakeholders;
        (iii) will not increase the firm’s risk of non-compliance with the law applicable in the QFC or any other applicable law; and
        (iv) will not affect the Regulatory Authority’s ability to appropriately supervise the firm.
        Example for paragraph (c) (iii)
        The place where the service provider is located, or that place’s legal system, could prevent the Authority from appropriately supervising the firm.
        (2) The outsourcing arrangement must be in writing.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.1.6 Review of outsourcing of controlled functions

        (1) This rule applies if an authorised firm outsources the exercise of a controlled function.
        (2) The senior management of the firm must review the arrangements for the outsourcing every year, to ensure that the independence, objectivity and effectiveness of the exercise of the function are not adversely affected.
        (3) The senior management must report the results of the review to the firm’s governing body.
        Note The outsourcing of a function by an authorised firm does not relieve the firm from any obligation in relation to the function (see rule 8.1.4 (1)). The firm’s governing body is ultimately responsible for ensuring that the firm carries out the firm’s obligations under these rules (see rule 1.2.1).

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL Part 8.2 CTRL Part 8.2 Material outsourcing arrangements

      • CTRL 8.2.1 Meaning of material outsourcing

        In these rules:

        material outsourcing, for an authorised firm, means the outsourcing of a function of such importance that weakness or failure in the exercise of the function would cast serious doubt on:

        (a) the firm’s ability to comply with:
        (i) any regulations, rules or principles; or
        (ii) any condition, restriction or requirement of its authorisation;
        (b) its financial performance or position; or
        (c) its ability to continue in business.

        Note The outsourcing of the internal audit function is a material outsourcing — see rule 6.4.2 (3).

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.2.2 Due skill in material outsourcing arrangements

        (1) The senior management of an authorised firm must exercise due skill, care and diligence in selecting, entering into, managing and exiting from a material outsourcing arrangement.
        (2) Before entering into a material outsourcing arrangement, the senior management:
        (a) must assess the risks that the outsourcing poses to the firm’s business; and
        (b) must satisfy themselves that the service provider selected has the ability and capacity to perform the relevant function reliably and professionally at the start and during the life cycle of the outsourcing.
        (3) For this rule, the senior management must take into account at least the following matters:
        (a) whether the service provider is regulated, to what extent, and by whom;
        (b) whether the function is subject to specific regulation or supervision;
        (c) the risk that the service provider’s service may become unavailable because of the number of other persons using the service provider;
        (d) the financial stability and expertise of the service provider;
        (e) any conflict of interest that might arise from the provision of the function by the service provider.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.2.3 Written agreement for material outsourcing arrangements

        (1) The written agreement (required by rule 8.1.5 (2)) between an authorised firm and a service provider for a material outsourcing arrangement must require the service provider:
        (a) to deal with the Regulatory Authority in an open and co-operative way in relation to matters relating to the firm under the material outsourcing; and
        (b) to grant the Authority access to the firm’s books, records and data in the possession or control of the service provider.
        Guidance
        The Authority expects firms to be able to demonstrate that the outsourced function is being performed effectively. The Authority may seek documentary evidence relating to the performance of the service provider.
        (2) The agreement must include, if appropriate, provisions as to:
        (a) the law applicable to the agreement;
        (b) the reporting or notification requirements on the service provider and the means for measuring quantitative and qualitative performance by the service provider;
        (c) access by the firm, its internal auditors, external auditors or actuaries to the firm’s books, records and data while they are in the possession or control of the service provider;
        (d) the obligation to protect confidential information and personal data (that is, any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identification number or to 1 or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity);
        (e) the rules for subcontracting, if the arrangement permits it;
        (f) the termination rights of each party; and
        (g) contingency arrangements.

        Note Rule 8.2.6 requires contingency arrangements to be made to allow the business of the firm to continue in the event of a significant loss of services from the service provider.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.2.4 Regulatory Authority to be notified of certain matters

        (1) An authorised firm must not enter into a material outsourcing arrangement unless it gives the Regulatory Authority at least 30 business days’ prior written notice of its intention to enter into the arrangement.
        (2) If the arrangement permits subcontracting to a third party, the firm must give the Authority notice of that fact.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.2.5 Additional information about material outsourcing arrangements

        (1) The Regulatory Authority may, by written notice to an authorised firm, require the firm to give the Authority, within a stated reasonable period, information about a material outsourcing arrangement (or proposed material outsourcing arrangement) that the Authority reasonably needs to enable it to decide whether the arrangement complies with this Chapter.
        (2) The power given by this rule is additional to the Authority’s other powers.
        Note See for example FSR, article 48 (Powers to obtain documents and information).

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 8.2.6 Contingency arrangements

        (1) An authorised firm that enters into a material outsourcing arrangement must make comprehensive contingency arrangements to allow its business to continue in the event of a significant loss of services from the service provider.
        (2) The contingency arrangements must include:
        (a) an exit strategy; and
        (b) if appropriate, provision for partial exit and step-in.
        (3) The contingency arrangements must cover at least the following:
        (a) a significant loss of resources at the service provider;
        (b) financial failure of the service provider;
        (c) unexpected termination of the outsourcing arrangement.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)