Do not submit attachments as HTML, PDF, GIFG, TIFF, PIF, ZIP or EXE files. 2. Facsimile Transmission. Send by facsimile transmission using the following fax
Missing: konsultieren | Must include: konsultieren
75 KB – 47 Pages
PAGE – 1 ============
Principles on Outsourcing Consultation Report The Board OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS CR01/2020 MAY 2020 This paper is for public consultation purposes only. It has not been approved for any oth er purpose by the IOSCO Board or any of its members.
PAGE – 2 ============
ii Copies of publications are available from: The International Organization of Securities Commissions website www.iosco.org © International Organization of Securities Commissions 2020. All rights reserve d. Brief excerpts may be reproduced or translated provided the source is stated.
PAGE – 3 ============
iii Foreword The Board of the International Organiz ation of Securities Commissions (IOSCO) has published this Consultation Report to receive feedback on these proposed principles for regulated entities that outsource tasks to service providers. How to Submit Comments Comments may be submitted by one of the three following methods on or before 1 October 2020. To help us process and review your comments more efficiently , please use only one method. Important : All comments will be made available publicly unless anonymity is specifically requested . Comments will be converted to PDF format and posted on the IOSCO website . Personal identifying information will not be edited from submissions. 1. Email Send comments to consultation [email protected] The subject line of your message must indicate ‚ Principles on Outsourcing .™ If you attach a document, indicate the sof tware used (e.g., WordPerfect, Microsoft WORD, ASCII text, etc) to create the attachment. Do not submit attachments as HTML, PDF, GIFG, TIFF, PIF, ZIP or EXE files. 2. Facsimile Transmission Send by facsimile transmission using the following fax number: + 34 (91) 555 93 68. 3. Paper Send 3 copies of your paper comment letter to: Giles Ward International Organization of Securities Commissions (IOSCO) Calle Oquendo 12 28006 Madrid Spain Your comment letter should indicate prominently that it is a ‚ Public Comment on Principles on Outsourcing .™
PAGE – 5 ============
1 Chapter 1 – Executive Summary IOSCO has undertaken work to gain a better understanding of recent developments in outsourcing and to update the existing IOSCO Principles on Outsourcing to address them . Committee 2 on Secondary Markets (C2) , Committee 3 on the Regulation of Financial Intermediaries (C3) , Committ ee 6 on Credit Rating Agencies (C6) , and Committee 7 on Derivatives (C7) participated in this joint project . Based on its fact -finding work, IOSCO has developed a common set of outsourcing principles . These principles are based on the earlier 2005 Outsourcing Principles for Market Intermediaries and the 2009 Outsourcing Principles for Markets , but their application is expanded to trading venues, market intermediaries , market participants acting on a proprietary basis, credit rating agencies and fina ncial market infrastructures. The revised outsourcing principles comprise a set of fundamental precepts and seven principles (the fiPrinciples on Outsourcingfl or fithese Principlesfl) . The fundamental precepts cover issues such as the definition of outsourcing, the assessment of materiality a nd criticality, affiliates, sub -contracting and outsourcing on a cross -border basis . The seven principles set out expectations for regulated entities that outsourc e tasks , along with guidance for implementation . They comprise : Principle 1: A regulated entity should conduct suitable due diligence processes in selecting an appropriate service provider and in monitoring its ongoing performance. Principle 2: A regulated entity should enter into a legally binding written contract with each service provider, the nature and detail of which should be appropriate to the materiality or criticality of the outsourced task to the business of the regulated entity. Principle 3: A regulated entity should take appropri ate steps to ensure both the regulated entity and any service provider establish procedures and controls to protect the regulated entity™s proprietary and client -related information and software and to ensure a continuity of service to the regulated entity , including a plan for disaster recovery with periodic testing of backup facilities . Principle 4: A regulated entity should take appropriate steps to ensure that service providers protect confidential information and data related to the regulated entity a nd its clients, from intentional or inadvertent unauthori sed disclosure to third parties . Principle 5: A regulated entity should be aware of the risks posed, and should manage them effectively, where it is dependent on a single service provider for materi al or critical outsourced tasks or where it is aware that one service provider provides material or critical outsourcing services to multiple regulated entities including itself. Principle 6: A regulated entity should take appropriate steps to ensure that its regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks that is relevant to contractual compliance and/or
PAGE – 6 ============
2 regulatory oversight including, as necessary, access to the data, IT systems, premi ses and personnel of service providers relating to the outsourced tasks . Principle 7: A regulated entity should include written provisions relating to the termination of outsourced tasks in its contract with service providers and ensure that it maintains appropriate exit strategies. The report contains sections on particular sector s and issues and Annex A provides a report on outsourcing among credit rating agencies, including the use of cloud computing . IOSCO invites responses to the questions in this report and comments on any other aspect of outsourcing that should be considered.
PAGE – 8 ============
4 market participants and increased levels of electronic trading and process automation have heightened the complexity of markets and the financial infrastructure and increased focu s on operat ional efficiency . There is a wide range of tasks that are outsourced in the securities and derivatives markets. Commonly outsourced tasks include information technology (IT), operation/support of exchanges and trading platforms, regulatory reporting , and other control functions such as real -time trade monitoring and audits. Other examples include joint ventures and strategic alliances aimed at facilitating trading (e.g. , the shared use of analytical, legal, compliance, internal controls, IT, and any other support functions for critical tasks within a group of entities). In the over -the -counter (OTC) derivatives sector, outsourced post trade tasks typically include trade matching and confirmation, portfolio reconciliation and compression, collateral manageme nt, trade reporting, credit limit checks, and custody of assets. It is increasingly commonplace for firms to use third party service providers to carry out, or otherwise support, some of their regulated business activities. While this approach can deliver economic benefits, it may also raise concerns about risk management and compliance when such tasks are outsourced to entities that are not regulated and/or are based in different jurisdictions. In particular , it can diminish regulators™ ability to regulate or supervise certain functions within firm s. Members of the Committees participating in this work surveyed or consulted industry participants in their respective jurisdictions and sectors for information regarding current outsourcing practices and how they have been impacted by recent changes . After their information gathering exercises, some IOSCO members reported that outsourced tasks are, in parts of some markets, concentrated in a small number of highly specialised, often IT -based companies. Consequ ently, some IOSCO members are concerned that disruption to the functioning of these companies could constitute a source of risk in the areas they serve. Therefore, a lthough outsourcing may bring substantial benefits to markets and their participants, it poses a number of important and evolving challenges and may have an impact on the effectiveness and integrity of markets. Based on their information gathering exercises, the Committees concluded that much of the content of the 2005 Principles and the 2009 Principles reports is still valid and gives helpful guidance to regulated entities on outsourcing . Accordingly, the Committees have merged the 2005 and 2009 Principles into the Principles on Outs ourcing set out in this Consultation Report . These Principles on Outsourcing retain the principles in prior reports whilst adapting and updating them and expanding their scope as appropriate . These Principles on Outsourcing are intended to be technology -neutral and provide regulated entities with sufficient flexibility to implement them according to the nature and size of their business model.
PAGE – 9 ============
5 Chapter 3 Œ Fundamental Precepts A. Scope of Application These Principles on Outsourcing apply to a wide range of regulated entities. Those regulated entities will vary in size, sophistication, products and services, and activities. The extent that they use outsourcing will differ. Accordingly, it is important that the Principles on Outsourcing are read in conjunction with the explanatory text and accompanying notes. Regulated entities should also consider whether they should clarify or renegotiate contracts with service providers to gain reasonable assurance that the ir outsourcing arrangements refl ect/adhere to the Principles on Outsourcing in an informed and proportionate manner . Neither IOSCO nor the Committees expect the issuance of updated Principles on Outsourcing to lead to an automatic renegotiation of contracts if existing arrangements are sufficient. When circumstances change or, on a periodic basis, regulated entities should assess and consider the adequacy of their existing contract s; for example, when they fall due for review or renewal, or when the regulatory framework for outsourcing h as evolved, or the nature of a firm™s business activities or client base has changed. The Principles on Outsourcing should apply to those regulated entities that are within the scope of the IOSCO Committees 2, 3, 6 , and 7 ; namely , trading venues, market intermediaries and market participants acting on a proprietary basis, credit rating agencies, and financial market infrastructures that are regulated under the relevant legal regime of a jurisdiction . More specifically , for the purposes of this repo rt: (i) fitrading venuesfl generally refers to exchanges or other multilateral trading facilities including, for example, alte rnative trading systems (ATSs) and multilateral trading facilities (MTFs). It also refers to the operator of a particular trading venue . IOSCO recogni ses that the concept of a fitrading venuefl differs among IOSCO member jurisdictions and the concept may, at the discretion of individual members (for their jurisdictions only ) also include other types of trading venues referred to by alterna tive nomenclatures . (ii) fimarket intermediaries and market participantsfl is applied as appropriate in the context of jurisdictional differences in regulatory scope and generally refers to those regulated entities, other than those that are trading venues, that are in the business of some or all of the following: executing orders in, or distributing, securities or derivatives ; proprietary trading or dealing on own account ; receiving and transmitting orders from or to third parties ; providing advice regarding sec urities or derivatives or the advisability of purchasing or selling securities or derivatives ; and underwriting of new issues or products.
PAGE – 10 ============
6 Some jurisdictions may regulate an entity as a market intermediary that simply provides advice regarding the value of securities or derivatives or the advisability of investing in, purchasing or selling such instruments. 3 (iii) ficredit rating agencyfl or fiCRAfl means an entity that is in the business of issuing credit ratings. fiCredit ratingfl or firatingfl means an assessment regarding the creditworthiness of an entity or obligation, expressed using an established and defined ranking system. (iv) fifinancial market infrastructuresfl means multilateral systems among participating institutions, including the operator of the financial market system, used for the purposes of clearing or settling or recording securities, derivatives, or other financial transactions, and trade repositories, entities which are defined as financial market infrastructures 4 and other regulated entit ies which may report or retain regulatory data. In this Consultation Report , the words fisecurities marketsfl are used, where the context permits, to refer compendiously to the various market sectors. In particular, where the context permits , they should be understood to include reference to the derivatives markets. The same applies to the use of the words fisecurities regulation fl. Q.1 Do you consider the scope of the application of the Principles to entities is clear? Ifnot, why not? B.Outsourcing In this Consultation Report fioutsourcingfl is considered to be a business practice in which a regulated entity uses a service provider to perform tasks, functions, processes, services or activities (collectively, fitasksfl) that would, or could in principle, otherwise be undertaken by the regulated entity itself . This may also be referred to as onshoring, offshoring, near -shoring or right -shoring, depending on the organisational context and the relationship with affiliates and service providers. The term fiservice providerfl is used throughout the Principles on Outsourcing to refer to both third party and affiliate service providers, regulated (whether or not by the same regulator with authority over the regulated entity) or unregulated. The service provider may itself either be regulated (whether or not by the same regulator with authority over the regulated entity), or unregulated. Outsourcing may include tasks that the regulated entity has not previously performed, where those tasks would reasonably be expected to be initiated by the regulated entity if they had not been outsourced to a third party . Outsourcing may also include tasks that the regulated entity does not have the capacity or resources to perform . This may occur in particular when a new regulated entity is established , or when an existing regulated entity enters a new area of business or becomes subject to a new regulatory requirement. For the purpose of these Principles, further transfers of an outsourced task (or a part of that task) f rom one service provider to another are referred to as fisubcontractingfl . I n some jurisdictions, the initial outsourcing by the regulated entity may be referred to as 34For purposes of this report, the term intermediary includes broker -dealers but not investment advisers in the U.S. securities sector. fiPrinciples for financial market infrastructuresfl (2012),
PAGE – 11 ============
7 subcontracting . For the purposes of this document , the difference between outsourcing and subcontracting is explained in Fundamental Precept I . Outsourcing does not cover purchasing contracts. Purchasing is defined as the acquisition from a vendor of services, good s or facilities without the transfer of, access to, or responsibility for the handling of the purchasing entity’s non-public proprietary or client information. For example, a trading venue may choose to use a service provider for the publication of executed trades , and it may also use an external provider of training services for its staff. The former would be considered an outsourcing arrangement whereas the latter would be a purchasing contract. CRAs are organisations that provide an assessment of the cred itworthiness of a company or a financial instrument. A CRA assesses the creditworthiness of an entity that is usually called an obligor or issuer . Obligors include entities such as corporations, financial institutions, insurance companies, or municipalitie s. Many CRAs are paid by the obligors they rate or by the issuers of the securities they rate. Some CRAs are, in addition, also paid by subscribers to their ratings services, which are usually investors. In either case, CRAs generally do not use the terms ficustomersfl or ficlientsfl to refer to issuers, obligors, subscribers , or investors. However, in the context of these Principles, reference to the term customer or client also applies to these parties. The Principles on Outsourcing are written to apply to ou tsourced tasks that pose risks to regulatory objectives . The interpretation or implementation of these Principles should correspond to the degree of materiality and criticality of the outsourced task to the regulated entity™s business and its regulatory ob ligations, unless otherwise mandated by the local regulatory requirements of the jurisdiction in which the regulated entity is operating . The Principles on Outsourcing apply regardless of whether outsourced tasks are performed by an affiliated entity of a corporate group or by an entity that is external to the corporate group . Q.2 Do you consider the concepts used to explain the application of the Principles on Outsourcing to be clear and adequate? If not, why not? C. Responsibility for Outsourcing The regulated entity retains full responsibility, legal liability , and accountability to the regulator for all tasks that it may outsource to a service provider to the same extent it would if the service were provided in -house. The regulatory re sponsibilities of the regulated entity and its management cannot be outsourced . Moreover, outsourcing should not be permitted to impair the regulator™s ability to perform its functions, including the proper supervision and examination of a regulated entity. Consistent with jurisdictions™ laws and regulations, a regulator may impose sanctions and penalties on a regulated entity for the regulated entity™s violations of statutory or regulatory requirements that have resulted in whole or in part from the failure of a service provider (whether it is regulated or unregulated) . Management and the governing body of the regulated entity should develop and implement appropriate policies and procedures reasonably designed to achieve the objectives of t hese Principles, to periodically review the effectiveness of those policies and procedures, and to address any identified outsourcing risks in an effective and timely manner.
75 KB – 47 Pages