PIB 6.8 Outsourcing
PIB 6.8.1
An Authorised Firm must establish and maintain appropriate systems and controls to manage its outsourcing risk.
Derived from RM111/2012 (Made 15th October 2012). [VER20/12-12]
PIB 6.8.1 Guidance
1. GEN Rules GEN 5.3.21 and GEN 5.3.22 set out the DFSA requirements on outsourcing by Authorised Firms. This section complements the requirements in the GEN module and contains guidance on managing the Operational Risk associated with outsourcing arrangements.
2. The assessment of outsourcing risk at an Authorised Firm may depend on several factors, including the scope and materiality of the outsourced activity, how well the Authorised Firm manages, monitors and controls outsourcing risk (including its general management of Operational Risk), and how well the service provider manages and controls the potential risks of the operation.
3. Factors that an Authorised Firm should consider in establishing outsourcing arrangements include the following:
   a. the financial, reputational and operational impact on the Authorised Firm of the failure of a service provider to perform adequately the activity;
   b. potential losses to an Authorised Firm's customers and counterparts in the event of a service provider failure;
   c. the consequences of outsourcing the activity on the ability and capacity of the Authorised Firm to conform with regulatory requirements and changes in such requirements;
   d. the interrelationship of the outsourced activity with other activities within the Authorised Firm;
   e. the cost associated with the outsourcing;
   f. any affiliation or other relationship between the Authorised Firm and the service provider;
   g. the regulatory status of the service provider;
   h. the degree of difficulty and time required to select an alternative service provider or to bring the business activity in-house, if necessary;
   i. the complexity of the outsourcing arrangement. For example, the ability to control the risks where more than one service provider collaborates to deliver an end-to-end outsourcing solution; and
   j. any data protection, security and other risks which may be adversely affected by the geographical location of an outsourcing service provider. To this end, Specific Risk management expertise in assessing country risk related, for example, to political or legal conditions, could be required when entering into and managing outsourcing arrangements that are taken outside of the home country.
Derived from RM111/2012 (Made 15th October 2012). [VER20/12-12]