Bermuda introduces new outsourcing guidance
The Bermuda Monetary Authority (the Authority) issued guidance notes on 28 June 2019 setting out new outsourcing guidance for Relevant Licensed Entities (RLE). The new guidance will place a significant burden on RLEs to meet compliance in advance of the proposed implementation date on 1 May 2020.
The Bermuda Monetary Authority (the Authority) issued guidance notes on 28 June 2019 setting out new outsourcing guidance for Relevant Licensed Entities (RLE), which are defined as any Bank, Credit Union, Trust Company, Corporate Service Provider, Money Service Business, Investment Business, Fund Administrator and the Bermuda Stock Exchange. The new guidance replaces the existing guidance on outsourcing for Banks and Deposit Companies published in May 2017 and responds to the increase in the use of outsourcing by RLEs in Bermuda that the Authority has observed over the last three years. The Authority expects this trend to continue, hence the need to ensure that risks from outsourcing are appropriately managed and mitigated. The new guidance will place a significant burden on RLEs to meet compliance in advance of the proposed implementation date on 1 May 2020.
Key dates
- 1 October 2019 to 3 January 2020 – comprehensive material outsourcing submission required for all material outsourcing arrangements
- 30 April 2020 – formal written attestation stating that the existing material outsourcing arrangements identified comply with the new guidance
What is deemed to be “outsourcing” under the new guidance?
Outsourcing is an arrangement in which the RLE uses a third party to perform, on an ongoing basis, activities that are integral to the provision of services by the RLE itself and that would otherwise be undertaken by the licensed entity.
Purchased services which do not form part of the services and activities provided by that RLE, and the provision of standardised services such as office equipment and stationery, are not deemed to be outsourcing under the guidance.
Where a trust company acting as trustee arranges the supply of investment management services to a trust, this could fall within the definition depending on the individual circumstances. If the ongoing monitoring of the performance of the investment management company providing these services to the trust is itself outsourced by the trust company acting as trustee to another third-party provider, this would constitute an outsourcing.
This guidance applies to all outsourcing arrangements except those explicitly covered by guidance notes 5.149 to 5.174 inclusive contained in ‘Guidance Notes for AML-ATF Regulated Financial Institutions on AML and ATF 2016 (BMA) Notice 2016’.
What constitutes a “material outsourcing” under the guidance?
Material outsourcing is an arrangement where critical activities, as determined by senior management, have been outsourced to a third party. An activity is regarded as critical if a defect or failure in the provision or performance of that activity would materially impact a licensed entity’s:
- business operations, reputation or financial performance; or
- ability to manage risk; or
- compliance with all applicable laws and regulations.
Management’s definition of what constitutes outsourcing, and then material outsourcing, will be essential in developing a risk-based approach to managing outsourcing risk. As not all outsourced activities will be critical activities, management will need to determine the factors used when assessing criticality. For example, defining criticality on the basis of how long a service can be unavailable before it damages reputation, causes a regulatory breach or incurs material financial penalties could be an appropriate metric. The metrics used to determine materiality will need to be formalised and clearly articulated in the policy and procedures.
What does the proposed guidance contain?
The guidance covers the Authority’s general expectations regarding the policies and procedures that management should have in place to manage risk from all outsourcing, both material and non-material. It will require RLEs to review their existing outsourcing policies and procedures to ensure compliance with the new guidance. In particular, it will require RLEs to have policies and procedures that:
- Establish a risk appetite for outsourcing;
- Set out the criteria for what constitutes material outsourcing;
- Define the risk evaluation process for deciding whether an activity should be outsourced.
The Authority will expect to see clear evidence of a risk evaluation process having been undertaken by the RLE prior to entering into an outsourcing arrangement that clearly articulates the rationale as to why the outsourcing option was/is being pursued. This evaluation will need to set out the benefits of the outsourcing and how any risks arising from it are to be mitigated/managed.
Due diligence and selection process for an outsourced service provider
An RLE considering an outsourcing arrangement should undertake due diligence on the service provider under consideration. This due diligence should include, but not be limited to, evaluating that the service provider:
- Has the quantity and quality of staff with the requisite skills and experience to effectively deliver the outsourced activities;
- Has the appropriate technology, cyber security, operational infrastructure and financial capacity;
- Has appropriate data security to protect confidential information relating to the RLE and its clients;
- Has an appropriate risk management framework and controls;
- Has appropriate Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP);
- Will provide access to all documents and data relating to the outsourced activity to the RLE, its auditors and its competent authority, as well as access to the business premises of the outsourcing service provider.
Contingency plans in the event that the service provider is unable to provide the outsourced activity for any reason should also be considered.
Structure and content of the outsourcing arrangement between the RLE and the service provider
The guidance will require RLEs to review their existing service level agreements to ensure compliance with the new guidance. The RLE and the outsourcing service provider are required to execute a legally binding written agreement setting out the contractual terms and conditions governing the relationship, obligations, responsibilities, rights and expectations of the contracting parties in the outsourcing arrangement. The content of this written agreement should explicitly address any issues identified in the RLE’s risk evaluation and due diligence of the service provider. While the detail will depend on the activity being outsourced, the Authority has set out a significant number of obligations on the service provider in this guidance. For example, the agreement may impose an obligation on the service provider to:
- regularly update the RLE on the adequacy of its Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP);
- update the RLE on any material changes in its BCP/DRP that would affect the provision of the RLE’s activity; and
- undertake regular testing of its BCP/DRP (in conjunction with the RLE if requested) and disclose the results of these tests to the RLE.
The ongoing management and monitoring of the outsourcing arrangement post-implementation
After the contract is signed, the Authority will expect the RLE to be able to demonstrate that it is monitoring all its outsourcing arrangements. The level of monitoring for each outsourced activity should be proportionate to the risks to the RLE from that arrangement.
Additionally, the Authority requires all RLEs that have material outsourcing activities to obtain prior approval from the Authority before entering into these agreements. RLEs will have to submit an application to the Authority to seek prior approval by 3 January 2020, or alternatively the RLE’s CEO may write to the Authority formally attesting that existing material outsourcing arrangements comply with the new guidance. Where attestations are made, they will subsequently be verified by the Authority through its ongoing supervisory programmes post-implementation. These attestations are to reach the Authority no later than 30 April 2020.
The Authority places significant emphasis in the guidance on the need to submit a complete and comprehensive application demonstrating compliance with this guidance. The Authority will review all submissions when first submitted; submissions deemed incomplete will be returned, and the pre-approval route will no longer be available for that outsourcing. From that point onwards the RLE will only have the option of the attestation route.
Senior management will also need to assess whether the provision by a third party of innovative technology supporting its business, including but not limited to Artificial Intelligence, Distributed Ledger Technology or cloud services, constitutes an outsourcing and, if so, whether it constitutes a material outsourcing. The risks arising from the provision of these innovative technologies by a third party to the RLE will be similar to those of other types of outsourcing. Where senior management does consider the supply of these innovative technologies to constitute outsourcing, these guidelines apply.
After implementation of this guidance, all new proposals to outsource material activities must be submitted by the RLE to the Authority in writing at least 60 calendar days in advance of the date on which the RLE wishes the outsourcing to commence. Prior to submission, the Authority would expect the new proposal to have been approved by the Board.
The Authority would expect the proposal for a new material outsourcing to contain, at a minimum, a high-level summary explaining the reasons the RLE wishes to enter into an outsourcing arrangement with this service provider, including:
- Details of the service provider and, where applicable, its regulator;
- The proposed start date of the outsourcing arrangement;
- Details and documentation of the risk evaluation and due diligence undertaken on this service provider by the RLE;
- Any specific risks arising from this proposal identified by the RLE, and how the RLE proposes to mitigate and manage that risk on an ongoing basis;
- A contingency plan in the event the RLE has to terminate this contract for poor or non-performance;
- A draft of the outsourcing agreement between the RLE and service provider; and
- Details on how the RLE proposes to monitor this outsourcing post approval and contract signing.
How can KPMG help?
KPMG’s Outsourcing Risk Management framework and methodology can assist you in achieving compliance with the new guidance in advance of the implementation date of 1 May 2020.
We can help:
- Perform a compliance gap analysis
- Develop a risk management framework to ensure ongoing compliance with the proposed guidance
- Review existing policies and procedures to ensure compliance with the proposed guidance
- Review whether any existing outsourcing arrangements are material or not
- Assist with the completion of the comprehensive material outsourcing submission to the Authority
- Assist with the preparation of the formal written attestations stating that the existing material outsourcing arrangements identified comply with the new guidance.
Please contact us for more information or to set up an appointment.
© 2021 KPMG, a group of Bermuda limited liability companies and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.