Trustees Corporate Supervision

Dec 6, 2021

IOSCO issues final report on outsourcing principles

Global standards blueprint for financial markets published

In October the International Organization of Securities Commissions (“IOSCO”) published a 47-page final report entitled Principles on Outsourcing (“Report”).  IOSCO’s website states that:

[It] is the international body that brings together the world's securities regulators and is recognized as the global standard setter for the securities sector. IOSCO develops, implements and promotes adherence to internationally recognized standards for securities regulation. It works intensively with the G20 and the Financial Stability Board (FSB) on the global regulatory reform agenda.

Based in Madrid, Spain, the organisation was set up in April 1983 and as of December 2021 had 230 members (130 ordinary, 32 associate, and 68 affiliated).  New Zealand’s FMA is classified as an ordinary member, which IOSCO defines as “the national securities commissions or similar governmental bodies with significant authority over securities or derivatives markets in their respective jurisdictions.”  Members actively contribute to the research, findings, conclusions and recommendations of IOSCO and then implement these results within their own jurisdictions.  IOSCO’s latest pronouncements on outsourcing are unlikely to be an exception and the consequences will be felt within New Zealand’s financial markets.

IOSCO’s Report has been issued in response to a big surge in regulated financial sector outsourcing practices over the past decade and with that surge an increase in types and magnitudes of potential risks that outsourcing could pose, particularly where regulators lack visibility or authority over outsourced entities.  The core of the problem is summed up as follows:

A wide range of tasks are outsourced by regulated entities to service providers. These commonly outsourced tasks include information technology (IT), operation/support of exchanges and trading platforms, regulatory reporting, and other control functions such as real-time trade monitoring and audits. Other examples include joint ventures and strategic alliances aimed at facilitating trading (e.g., the shared use of analytical, legal, compliance, internal controls, IT, and other support functions for critical tasks within a group of entities). In the over-the-counter (OTC) derivatives sector, outsourced post trade tasks typically include trade matching and confirmation, portfolio reconciliation and compression, collateral management, trade reporting, credit limit checks, and custody of assets.

It is increasingly commonplace for regulated entities to use third-party service providers to carry out, or otherwise support, some of their regulated business activities. The benefits of outsourcing include lowering costs, increasing automation to speed up tasks and reduce the need for manual intervention, and providing flexibility to allow regulated entities to rapidly adjust both to the scope and scale of their activities. However, while outsourcing can deliver benefits, it may also raise concerns about risk management and compliance when such tasks are outsourced to entities that are not regulated and/or are based in different jurisdictions. In particular, it can diminish regulators’ ability to regulate or supervise certain functions within firms or other regulated entities.

(Report, p. 4)

Precepts and principles

To tackle this problem, IOSCO propounds a precepts/principles model, based on nine fundamental precepts and seven outsourcing principles (the latter are listed in summary format in Appendix 1).  The principles themselves should not arouse any controversy as stated; if anything they are straightforwardly obvious statements of best practice that should always apply between regulated financial market participants and their outsourced service providers.  As always, though, the devil is in the detail.  Fortunately substantial interpretational guidance in respect of the principles is provided in the Report’s chapter 5, which runs to 18 pages.  It is in this section that the compliance officers of regulated entities are likely to find the nuts and bolts of how they are to ensure that outsourcing is being set up and conducted appropriately to meet international best practice standards, including on a risk management basis.

Within the New Zealand financial markets context, the question nonetheless arises as to whether all FMCA-regulated entities are actually applying each of these principles to the letter.   Given that IOSCO, to which the FMA belongs, has now set out what the outsourcing principles are, and explained how they are meant to be applied in practice, there is little reason for FMCA-regulated entities in New Zealand not to make certain that they are instituting and adhering to these principles as appropriate, if this has not been done already.  Their Supervisors should be following up on this matter to ensure that due compliance with the outsourcing principles is actually happening.

The precepts precede the principles in the organisation of the Report and are discussed in Chapter 4.  Therein some interesting topics are covered that reflect contemporary developments in global financial market outsourcing.  The list below represents a sampling of what is included:

  • The immense scope of what now counts as outsourcing
  • Potential risks and challenges in control, data and technology, operational resilience, concentration, and supervisory aspects of outsourcing
  • Materiality and criticality criteria
  • Affiliate versus external outsourcing
  • Cross-border outsourcing
  • Sub-outsourcing, where outsourced service providers subcontract tasks to external entities

In case readers of the Report get stuck on any terminology used whilst poring over the precepts and principles, there is a helpful glossary provided in Chapter 3.  For example:

“material task” - a task that comprises or affects a significant proportion of the activities, operations, client or market relationships and would introduce a material or unacceptable level of risk to the entity if the tasks were to fail.

“outsourcing” - a business practice in which a regulated entity uses a service provider to perform tasks, functions, processes, services or activities (collectively, “tasks”) that would otherwise be undertaken by the regulated entity itself.

“regulated entities” - trading venues, market intermediaries and market participants acting on a proprietary basis, and credit rating agencies that are regulated under the relevant legal regime of a jurisdiction.

(Ibid., p. 8)

Case study on cloud computing

Many organisations have moved or are moving across to cloud computing, defined in the Report as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”  The Report examines cloud computing in detail within the specific context of credit rating agencies (CRAs), but in the process provides an excellent concise outline of what cloud computing entails as a form of outsourcing.  For those who have been wondering what the cloud is all about, the Report’s explanation could be a good place to start.  Also illuminating is the analysis provided of what surveyed CRAs have to say about their experiences of cloud computing.  FMCA-regulated entities considering moving over to cloud computing could benefit from studying this section of the Report (pp. 41-6).

Local antecedents

The FMA has its own requirements concerning outsourcing arrangements.  These requirements are outlined in the Licensing Application Guide for Managed investment scheme (MIS) manager Part B3.  Split into two parts, the subject of outsourcing covers custody (pp. 23-4), which is a mandatory, arm’s-length form of outsourcing for a MIS Manager to acquire, and other outsourcing (pp. 31-2), which represents the optional forms and comes with the comment that, “You must ensure outsourced functions are adequate, effective and comply with your licence obligations.” 

Within the context of an FMA licence application guide, the outsourcing requirements are posed as checklists which a MIS Manager licence applicant would need to work through methodically in order to determine what was relevant to put before the regulator for consideration.  Comparison of these sections with the principles of the Report indicates consonance of thinking behind them.

Conclusion

“IOSCO publishes many superb resources that have direct relevance to New Zealand’s financial markets and presents state-of-the-art topics that often front-run actual implementation requirements in our own country,” said Matthew Band, General Manager of Corporate Trustee Services at Trustees Executors.

“The IOSCO final report Principles on Outsourcing is no exception, and can be thoroughly recommended to FMCA-regulated entities in respect of reviewing, fine-tuning and implementing their own approaches to outsourcing.”

“There will no doubt be such entities who study the Report and find to their satisfaction they are compliant with all relevant parts; however, there could also be entities who discover thereby where their gaps and vulnerabilities lie, especially around risk management and awareness of what to be on the lookout for.”

“The Report is potentially highly useful for applications to governance, management, compliance, and compliance assurance programmes (CAPs) where outsourcing is relied upon by FMCA-regulated entities, which within the New Zealand situation is widespread practice.”

“One constructive activity that the Report could generate for FMCA-regulated entities would be to compile a checklist based upon its seven principles and their interpretive underlay for use as a practical tool to employ when onboarding a new outsourced service provider or when reviewing an existing arrangement.”

“Licensed Supervisors will also find the Report relevant to their monitoring and oversight activities.”

“What the Report has to teach would of course need to dovetail in with existing legal obligations concerning outsourcing as conducted by regulated entities such as FMA-licensed MIS Managers.”

For comment or more information, or to be added to the free email subscriber list of “The Supervisor”, please contact Matt at [email protected].

Appendix 1: IOSCO’s Seven Principles on Outsourcing

Principle 1: A regulated entity should conduct suitable due diligence processes in selecting an appropriate service provider and in monitoring its ongoing performance.

Principle 2: A regulated entity should enter into a legally binding written contract with each service provider, the nature and detail of which should be appropriate to the materiality or criticality of the outsourced task to the business of the regulated entity.

Principle 3: A regulated entity should take appropriate steps to ensure both the regulated entity and any service provider establish procedures and controls to protect the regulated entity’s proprietary and client-related information and software and to ensure a continuity of service to the regulated entity, including a plan for disaster recovery with periodic testing of backup facilities.

Principle 4: A regulated entity should take appropriate steps to ensure that service providers protect confidential information and data related to the regulated entity and its clients, from intentional or inadvertent unauthorised disclosure to third parties.

Principle 5: A regulated entity should be aware of the risks posed, and should manage them effectively, where it is dependent on a single service provider for material or critical outsourced tasks or where it is aware that one service provider provides material or critical outsourcing services to multiple regulated entities including itself.

Principle 6: A regulated entity should take appropriate steps to ensure that its regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks that is relevant to contractual compliance and/or regulatory oversight including, as necessary, access to the data, IT systems, premises and personnel of service providers relating to the outsourced tasks.

Principle 7: A regulated entity should include written provisions relating to the termination of outsourced tasks in its contract with service providers and ensure that it maintains appropriate exit strategies.

(Ibid., p. 2)