Entire Section

  • PIB 6.8 PIB 6.8 Outsourcing

    • PIB 6.8.1 PIB 6.8.1

      An Authorised Firm must establish and maintain appropriate systems and controls to manage its outsourcing risk.

      Derived from RM111/2012 (Made 15th October 2012). [VER20/12-12]

      • PIB 6.8.1 Guidance

        1. GEN Rules GEN 5.3.21 and GEN 5.3.22 set out the DFSA requirements on outsourcing by Authorised Firms. This section complements the requirements in the GEN module and contains guidance on managing the Operational Risk associated with outsourcing arrangements.
        2. The assessment of outsourcing risk at an Authorised Firm may depend on several factors, including the scope and materiality of the outsourced activity, how well the Authorised Firm manages, monitors and controls outsourcing risk (including its general management of Operational Risk), and how well the service provider manages and controls the potential risks of the operation.
        3. Factors that an Authorised Firm should consider in establishing outsourcing arrangements include the following:
        a. the financial, reputational and operational impact on the Authorised Firm of the failure of a service provider to perform adequately the activity;
        b. potential losses to an Authorised Firm's customers and counterparts in the event of a service provider failure;
        c. the consequences of outsourcing the activity on the ability and capacity of the Authorised Firm to conform with regulatory requirements and changes in such requirements;
        d. the interrelationship of the outsourced activity with other activities within the Authorised Firm;
        e. the cost associated with the outsourcing;
        f. any affiliation or other relationship between the Authorised Firm and the service provider;
        g. the regulatory status of the service provider;
        h. the degree of difficulty and time required to select an alternative service provider or to bring the business activity in-house, if necessary;
        i. the complexity of the outsourcing arrangement. For example, the ability to control the risks where more than one service provider collaborates to deliver an end-to-end outsourcing solution; and
        j. any data protection, security and other risks which may be adversely affected by the geographical location of an outsourcing service provider. To this end, Specific Risk management expertise in assessing country risk related, for example, to political or legal conditions, could be required when entering into and managing outsourcing arrangements that are taken outside of the home country.
        Derived from RM111/2012 (Made 15th October 2012). [VER20/12-12]