CTRL 8.1.3 Obligation to have outsourcing policy

(1) An authorised firm’s governing body must establish and maintain an outsourcing policy.
(2) The policy must at least provide for:
(a) whether the firm will outsource any function at all; and
(b) what functions may be outsourced.
Note Appropriate records must be kept of policies and procedures — see GENE, rule 6.1.1.
(3) A policy that the firm will not outsource any function satisfies subrule (1).
(4) The governing body must review, at least once in every 2 years, the firm’s outsourcing policy and procedures, including:
(a) its procedures for:
(i) assessing the feasibility of a proposed outsourcing and the risks that the outsourcing poses to the firm’s business; and
(ii) costing any proposed material outsourcing; and
Note Material outsourcing is defined in rule 8.2.1.
(b) the criteria for selecting service providers.
(5) In this rule and rule 8.1.4, a reference to a firm’s governing body is a reference to the board, membership, committee, body (whatever it is called) or individual (however the responsibility might have been delegated) that has responsibility for the outsourcing policy.
Examples for subrule (5)
For a firm that is part of a corporate group, the governing body that might have responsibility for outsourcing policy might be:
• a committee that is responsible for the place where the firm is located
• the firm’s senior executive function
• any other body or person that has such responsibility.


Derived from QFCRA RM/2020-4 (as from 1st July 2021)