INMA S1.3.7 Outsourcing risk

(1) Outsourcing risk is the risk of loss resulting from the non-performance, or poor performance, by a service provider of a function outsourced to the service provider under a material outsourcing arrangement (within the meaning of CTRL).

Note 1 For the meaning of material outsourcing — see CTRL, glossary.

Note 2 An INMA firm must assess the risks that a material outsourcing arrangement poses to its business (see CTRL, rule 8.2.2 (2) (a)) and the governing body of the firm must review, at least once every year, the firm’s outsourcing arrangements for assessing the feasibility of a proposed outsourcing arrangement and the risks that the outsourcing poses to the firm’s business (see CTRL, rule 8.1.3 (4) (a) (i)).

(2) Outsourcing can bring significant benefits in terms of efficiency, cost reduction and risk management. However, the process of implementing outsourcing arrangements and the outsourcing relationship itself may expose an INMA firm to additional risk. Therefore, it is important that INMA firms supervise outsourced activities.

Note CTRL, rule 8.2.4 (1) requires an INMA firm to inform the Regulatory Authority before entering into a material outsourcing arrangement.

(3) Intra-group outsourcing might be thought to be subject to lower risks than using service providers from outside a corporate group. However, it is not risk-free, and an INMA firm should still assess the associated risks and make appropriate arrangements to manage them.
(4) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating outsourcing risk. The risk management policy should include processes and procedures for:
(a) negotiating contracts for outsourcing;
(b) identifying, assessing and managing risks that may arise from the outsourcing;
(c) procedures for managing the outsourcing service providers; and
(d) mitigating any associated risks.
(5) In negotiating a contract with a service provider or in assessing an existing contract, an INMA firm should consider matters that are relevant to risk management, including the following:
(a) setting and monitoring authority limits and referral requirements;
(b) the identification and assessment of performance targets;
(c) procedures for evaluation of performance against targets;
(d) provisions for remedial action;
(e) the reporting requirements imposed on the service provider (including the content and frequency of reports);
(f) the ability of the firm and its external auditors to obtain access to the service provider and their records;
(g) the protection of intellectual property rights;
(h) the protection of customers’ and the firm’s confidentiality;
(i) the adequacy of any guarantees, indemnities or insurance cover that the service provider agrees to provide;
(j) the ability of the service provider to provide continuity of business;
(k) the arrangements to change, or terminate, the agreement.
Derived from QFCRA RM/2014-4 (as from 1st January 2015)
Amended by QFCRA RM/2021-1 (as from 1st July 2021).