August 24, 2004

The Joint Forum, a working group of international bank regulators, has issued high-level principles on the topic of outsourcing in financial services. The principles are intended to guide firms and regulators to maintain high standards of corporate governance and risk management in an environment of rapid IT innovation and a high reliance on external service providers.

The Joint Forum consists of the Basel Committee on Banking Supervision, the International Organization of Securities Commissions, and the International Association of Insurance Supervisors.

In summary, regulated entities should:

- Assess whether and how activities can be appropriately outsourced, under the aegis of the board of directors. - Establish a comprehensive outsourcing risk management program. - Prevent outsourcing from impeding regulatory supervision or disrupting customer obligations. - Conduct appropriate due diligence when selecting third-party service providers. - Use written contracts to govern all material aspects of outsourcing relationships. - Establish and maintain contingency plans with service providers. - Ensure that confidential information is protected from unauthorized disclosure.

In addition, regulators are urged to: - Consider outsourcing arrangements as part of their ongoing assessments. - Consider the risks inherent in having multiple regulated entities outsourcing activities to a limited number of service providers.

On the last point, regulators have taken note of the potential vulnerability in having too many banks using too few service providers, or having several banks share a common disaster recovery site.

The report states: "When a limited number of outsourcing service providers (sometimes just one) provide outsourcing services to multiple regulated entities, operational risks are correspondingly concentrated, and may pose a systemic threat."

The Joint Forum recommends risk mitigation tools including adequate contingency planning by regulated entities, ongoing monitoring and awareness, supervisory programs and risk assessments.

The full publication is available at: http://www.bis.org/publ/joint09.pdf

This article originally appeared in Bank Systems & Technology eNEWS, a weekly e-mail newsletter. To order a free subscription, click here

ABOUT THE AUTHOR