Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011

IOSCO definition of outsourcing

“An event in which a regulated outsourcing firm contracts with a service provider for the performance of any aspect of the outsourcing firm’s regulated or unregulated functions that could otherwise be undertaken by the firm itself. It is intended to include only those services that were or can be delivered by internal staff and management…”

Key risks of outsourcing

Risk: Major concerns

Strategic Risk
• The third-party may conduct activities on its own behalf which are inconsistent with the overall strategic goals of the regulated entity.
• Failure to implement appropriate oversight of the outsource provider.
• Inadequate expertise to oversee the service provider.

Reputation Risk
• Poor service from third-party.
• Third-party practices not in line with stated practices (ethical or otherwise) of regulated entity.

Compliance Risk
• Privacy laws are not complied with.
• Consumer and prudential laws not adequately complied with.
• Outsource provider has inadequate compliance systems and controls.

Operational Risk
• Technology failure.
• Inadequate financial capacity to fulfill obligations and/or provide remedies.
• Inadequate internal controls leading to undetected errors or fraud.
• Difficult/costly for firm to undertake inspections of the service provider's operations.

Key risks of outsourcing (cont’d)

Exit Strategy Risk
• The risk that appropriate exit strategies are not in place. This could arise from over-reliance on one firm, the loss of relevant skills in the institution itself preventing it from bringing the activity back in-house, and contracts which make a speedy exit prohibitively expensive.
• Limited ability to return services to home country due to lack of staff or loss of intellectual history.

Country Risk
• Political, social and legal climate may create added risk.
• Business continuity planning is more complex.

Contractual Risk
• Ability to enforce contract.
• For offshoring, choice of law is important.

Access Risk
• Outsourcing arrangement hinders ability of regulated entity to provide timely data and other information to regulators.
• Additional layer of difficulty in regulator understanding activities of the outsource provider.

Concentration and Systemic Risk
• Overall industry has significant exposure to outsource provider. This concentration risk has a number of facets, including:
– Lack of control of individual firms over provider; and
– Systemic risk to industry as a whole.

IOSCO 9 principles on outsourcing

1. Corporate governance

2. Risk management

3. No subrogation of regulatory responsibility

4. Due diligence

5. Contract

6. Business Continuity

7. Confidential Information

8. Regulatory Assessment

9. Concentration

Core or material outsourced functions

“Core functions” are defined as “critical or material to the ongoing viability of an entity as well as meeting its regulatory obligations to customers”.

Example of core functions

• Accounting
• Compliance
• Back-office operations
• Information system management and maintenance
• Registration of salespersons
• Customer application processing and document administration
• Customer complaint handling
• Collection of margin and overdue cash accounts
• Research reports and market newsletters

NI 31-103 requirements on outsourcing

• Dealer Members remain responsible and accountable for all functions that they outsource to a service provider

– Cannot subrogate regulatory obligations to service provider

• Functions outsourced must be set out in a written legally binding contract

• Dealer Member must conduct and document due diligence analysis of third party service provider (including affiliates)

– Reputation

– Financial stability

– Internal controls and ability to deliver services

• Service provider must have safeguards in place to keep information confidential

• Dealer Member must conduct ongoing reviews of the quality of outsourced services

NI 31-103 requirements on outsourcing (cont’d)

• Service provider must develop and test a business continuity plan

• Arrangement must consider other legal requirements such as privacy laws

• Dealer Member, IIROC and auditors must have the same access to the work product of the third-party service provider as they would if the Dealer Member itself performed the activities.

– Dealer Member must ensure this access is provided and should include a provision requiring it in the contract with the service provider.

Required contract terms

• No subrogation of regulatory obligations.

• Rights of inspection and access to books, records and information relevant to the outsourced activity to Dealer Member, IIROC, and auditors.

• Define all activities outsourced and responsibilities of the parties.

• Establish precise service and performance levels and how they will be monitored.

• Service provider to immediately inform the Dealer Member of any material change in circumstances which could have a material impact on the provision of services.

• Agreement must cover the ownership of intellectual property and the protection of confidential information.

• Provision that requires prior consent of the Dealer Member to sub-outsourcing to other third-party providers.

• Cover termination and exit process to allow for transfer of the service to another service provider or to the Dealer Member itself.

Regulatory expectations on all outsourcing arrangements (including ICB)

• Dealer Members to provide IIROC with prior written notification of material changes to business model. This includes outsourcing of core functions to third party service providers.

• Dealer Members must comply with the requirements as a registrant under NI 31-103 and Policy 11.

• Dealer Members must maintain a control log of all outsourcing arrangements and copies of executed agreements on file for inspection upon request.

• IIROC must be granted unfettered access to the operations of service provider(s) during the course of any examination of the Dealer Member.

Rules and Guidance References

• IIROC Notice 10-0060 – Reporting of changes to business models dated March 2010.

• National Instrument 31-103 and Part 11 – Internal controls and systems.

• Principles on Outsourcing of Financial Services for Market Intermediaries, Chapter 1 – Technical Committee of the International Organization of Securities Commissions (IOSCO), February 2005.

• Superintendent of Financial Institutions (OSFI) revised Guideline B-10 on “Outsourcing of Business Activities, Functions and Processes” dated March 2009.

• FSA Handbook (Chapter 8) – Adoption of Markets in Financial Instruments Directive (MiFID) Connect trade association industry guidance on outsourcing May 2010.