The Guidelines are Clear – P3
(This is Part 3 of a three-part analysis)
Following our introduction to the MFSA 2020 publication “Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements” carried in our May Newsletter, and a continuation in July edition. The following is the final part of the feature which deals with the last section of the MFSA Guidance Report Title 5 – Outsourcing Arrangements. To those entities that are not regulated entities and which do not fall under the specific provisions of this guidance note, the relevance of the guidance Note is that it represents what the current local best practices in the field. These should serve as a useful benchmark to organisations, large and small, which then need to determine the extent to which the provisions apply to their operations.
Clauses under Title 5 in the MFSA Guidance report specific the internal governance arrangements, with specific mention of sound risk management, that a licence holder should implement when they outsource important functions or processes such as cloud based services. This section refers to Licence Holders responsibilities in relation to outsourcing and highlight specific areas which must be carefully managed. These include outsourcing arrangements with service providers within the group, or where operational tasks of internal control are outsourced, where full responsibility for compliance with all regulatory requirements and the effective application of these Guidance is required. It identifies situations where operational monitoring of outsourcing is centralised and Licence Holders are required to ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each Licence Holder is possible. The Guidance require Licence Holders to ensure that their Management Body is duly informed of relevant planned changes regarding service providers. These need to be monitored on an on-going basis with particular attention to risk analysis, including legal risks, compliance with regulatory requirements and the impact on service levels, to enable them to assess the impact of planned changes. The Guidance call for the maintenance of a comprehensive register of all existing outsourcing arrangements, as referred to in 5.9.1. This register should include all outsourcing arrangements, and should be accompanied with relevant exit plans for any critical or important function that has been outsourced.
Assessment of outsourcing arrangements is another important area covered by the MFSA Guidance Report requiring Licence Holders to establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the outsourced function is performed on a recurrent or an ongoing basis and whether this function would normally fall within their scope of functions. For service providers delivering multiple functions, it requires Licence Holders to consider all aspects of the arrangements to determine the nature, scale and complexity of arrangements with third parties. In such instances, the principle of proportionality and materiality of the function outsourced must be taken into account.
The MFSA Guidance distinguish between general support services and outsourcing of critical and important activities. Activities such statutory audit, marketing information services, global network infrastructures are not considered as outsourced services. It goes on to define a function as critical or important, and amongst others includes situations:
b) where a defect or failure in its performance would materially impair their financial performance, or the soundness or continuity of their financial services and activities; and
c) when operational tasks of internal control functions are outsourced (e.g. managed cybersecurity service for small and medium-sized businesses), unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function;
In this context, when assessing whether an outsourcing arrangement relates to a function that is critical or important, Licence Holders should consider, together with the outcome of the risk assessment including amongst other factors:
a) whether the outsourcing arrangement is directly connected to the provision of the financial services for which they are authorised;
c) the potential impact of the outsourcing arrangements on the service provider’ ability to
i. Identify, monitor and manage all risks;
ii. Comply with all legal and regulatory requirements;
iii. Conduct appropriate audits regarding the outsourced function; and
d) The potential impact of the services provided to its clients.
Governance of Outsourcing
The Guidance Report then deals with the importance of comprehensive governance frameworks and sound governance arrangements. It requires Licence Holders to “identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, including outsourcing arrangements”.
The Governance framework should deal with establishing valid governance frameworks built on clearly defined outsourcing policies. It calls for a Licence Holder that has outsourcing arrangements in place or plans on entering into such arrangements to approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual or group basis.
The Guidance Report requires that outsourcing policy should be in accordance with relevant sectoral Guidance on internal governance and should include the main phases of the life cycle of outsourcing arrangements and define the principles, roles and responsibilities, and processes in relation to outsourcing. The outsourcing policy should amongst other situations differentiate between outsourcing of critical or important functions and other outsourcing arrangements as well as outsourcing to service providers that are authorised by a competent authority and those that are not.
Governance deals with conflicts of interest and the Guidance Report identifies how Licence Holders should identify, assess and manage conflicts of interest regarding their outsourcing arrangements. It identifies the situation where outsourcing creates a material conflict of interest, including between entities within a group or institutional protection scheme, and Licence Holders are expected to take appropriate measures to manage those conflicts of interest.
The Governance framework needs to address business continuity plans to ensure that Licence Holders “should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Licence Holders within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions”.
The Guidance Report contends that the governance framework must include a strong internal audit activities implemented on the basis of a risk-based approach and the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions.
Governance framework – documentation requirements
As part of their risk management framework, Licence Holders should maintain an updated register of information on all outsourcing arrangements at the authorised firm. Where applicable, they should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. The Guidance Report provides details of the minimum data to be collected and maintained in the register. It details the manner in which access to such information bis to be provided to the relevant authorities.
Outsourcing process – Pre-outsourcing analysis
The Guidance Report requires outsourcing to be well planned and executed and before entering into any outsourcing arrangements, it requires Licence Holders to assess if the outsourcing arrangement concerns a critical or important function, and if the supervisory conditions for outsourcing are met. In this context they are required to identify and assess all the relevant risks of the outsourcing arrangement and undertake appropriate due diligence on the prospective service provider as well as identifying and assessing any conflicts of interest that the outsourcing may cause.
Outsourcing process – Contractual phase
The rights and obligations of the Licence Holder and the service provider should be clearly allocated and set out in a written agreement which should clearly define the outsourced service and related support services as well as full details of the terms and conditions of delivery and implementation. The agreement should define clearly the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function, to allow for timely and independent monitoring of the service(s) received, so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met.
The Guidance Report requires clarity on the reporting obligations of the service provider, including the communication by the service provider of any development that may have a to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider.
Outsourcing process – monitoring and oversight of outsourcing arrangements
The MFSA Guidance Report requires Licence Holders to monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach, taking into account the principle of proportionality. It calls for particular attention to the outsourcing and sub-outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. This in turn requires monitoring and oversight mechanisms which include, but are not limited to the management of service provider incidents, clear definition of roles and responsibilities of the parties in relation to all the IT (including cybersecurity) and non-IT processes affected by the outsourcing arrangement and ongoing and independent verifications of the Service Level Agreements.
Outsourcing process exit strategies
In conclusion, the Guidance Report requires Licence
Holders to have a documented exit strategy when outsourcing critical or
important functions that is in line with their outsourcing policy and business
continuity plans. These should take into account a number of factors including:
the possibility of the termination of outsourcing arrangements; the failure of
the service provider and the deterioration of the quality of the function
provided and actual or potential business disruptions caused by the inappropriate
or failed provision of the function.
This feature does not
purport to be a comprehensive analysis of the MFSA Guidance on Technology
Arrangements, ICT and Security Risk Management and Outsourcing Arrangements,
but is a subjective selection of issues raised in this report that could well
present a set of benchmarks to non-regulated businesses in their efforts to
better manage their own technology arrangements.