Outsourcing Risk Management Guideline

April 2009

Introduction

Financial institutions rely on outsourcing to improve their efficiency and competitiveness by entrusting certain activities to service providers with additional resources and cutting-edge expertise. Outsourcing may enable certain financial institutions to reduce costs and others to focus more resources on core activities. However, the many advantages of outsourcing may be offset by risks to an institution’s financial condition, service quality and even its reputation. In some cases, financial institutions may be faced with additional expenses not covered in the outsourcing arrangement. They can also be impacted by an unsatisfactory performance by the service provider.

This guideline sets out the AMF’s expectations with respect to sound outsourcing risk management practices. Under the various sector-based laws it administers, the AMF has the authority to establish guidelines regarding sound and prudent management practices for financial institutions (Insurers Act, CQLR, c. A-32.1, section 463; Deposit institution and deposit protection Act, CQLR, c. I-13.2.2, section 42.2; Act respecting financial services cooperatives, CQLR, c. C-67.3, section 565.1; Trust companies and savings companies Act, CQLR, c. S-29.02, section 254).

The AMF’s expectations with regard to outsourcing risk management are based on the core principles and guidance issued by international bodies. In fact, the sound practices for the management and supervision of operational risk published by the Basel Committee on Banking Supervision include outsourcing risks among the new and growing risks threatening financial institutions (Basel Committee on Banking Supervision, Bank for International Settlements, Sound Practices for the Management and Supervision of Operational Risk, February 2003).

These sound practices urge financial institutions to view the risks of outsourcing as a significant operational risk and therefore integrate these into their overall risk management policies. As well, the insurance core principles issued by the International Association of Insurance Supervisors (IAIS) consider the disclosure of information on outsourcing arrangements as critical (International Association of Insurance Supervisors, Insurance Core Principles and Methodology, October 2003). The management of outsourcing risks is also one of the guiding principles adopted by the Joint Forum (Basel Committee on Banking Supervision, Joint Forum, Outsourcing in Financial Services, February 2005).

 

1. Risks related to outsourcing activities

The principles of sound outsourcing risk management proposed in this guideline apply to material outsourcing arrangements. Any outsourcing arrangement that may have a major impact on an institution’s financial condition, its operations and, ultimately, its reputation is therefore considered to be material. The materiality of any outsourcing arrangement must be assessed according to the factors presented under section 2 of this guideline.

Outsourcing is defined as delegating to a service provider, over a defined period, the performance and management of a function, activity or process that is or could be undertaken by the financial institution itself. (The obligations incumbent on a financial institution authorized under the various sector-based laws remain unaffected by the mere fact that it entrusts the exercise of part of them to a third party: Insurers Act, CQLR, c. A-32.1, section 45; Deposit institution and deposit protection Act, CQLR, c. I-13.2.2, section 28.6; Act respecting financial services cooperatives, CQLR, c. C-67.3, section 29; Trust companies and savings companies Act, CQLR, c. S-29.02, section 6.14.) It includes the notion of contracting out and therefore incorporates a wider range of delegated relationships.

Contracting out consists in delegating an activity and its management to an outside service provider. Contracting out is characterized by three key elements:

  • the service provider is not a member of the financial group (outside service provider);

  • the activity contracted out frequently includes a transfer of assets for the duration of the arrangement;

  • a medium- to long-term relationship exists between the financial institution that contracts out and the selected service provider.

A service provider is an entity that offers outsourcing services to a financial institution for a consideration. The service provider may belong to the same financial group. In this regard, “members of the same financial group” include the financial institution’s subsidiaries, the financial institution’s direct or indirect controlling entity and subsidiaries of the controlling entity.

For the purposes of this guideline, services rendered between the entities of a “network,” defined herein as comprising credit unions, their federation, a guarantee fund and a financial services cooperative that acts as treasurer, are not considered outsourcing activities. Services provided by a federation and a guarantee fund to mutual insurance associations are also not captured by this guideline.

Finally, for the purposes of this guideline and barring a specific legislative provision to the contrary, all outsourcing arrangements entered into with a service provider acting outside Canada are considered to be offshoring.

 

2. Factors for determining materiality

The AMF expects the financial institution to identify the factors used for assessing the materiality of outsourcing arrangements on the basis of its risk profile as well as the type and size of its activities.

The financial institution should assess the importance of its various outsourcing arrangements in order to determine which arrangements are considered material and therefore covered by this guideline. This assessment can be based on the following materiality factors:

  • impact of a deficiency in the outsourced activity on the institution’s financial condition, operations or reputation;

  • cost of the outsourcing arrangement compared with the overall expenses assumed by the institution;

  • scope of the outsourced activity (as regards, for example, its contribution to revenues and profits);

  • degree of difficulty and time needed to replace the service provider or undertake the outsourced activity internally;

  • institution’s ability to comply with regulatory requirements when faced with issues related to the outsourced activity;

  • risk of concentration where the financial institution outsources several activities to a single provider.

A financial institution should consider all or substantially all outsourcing arrangements involving oversight functions as being material and thus subject to the provisions of this guideline. The following oversight functions are contemplated:

  • financial analysis;

  • compliance;

  • internal auditing;

  • risk management.

Moreover, a financial institution should pay special attention to outsourcing arrangements covering significant activities that have a major impact on the institution’s finances, operations and, ultimately, its reputation.

Similarly, the financial institution should also focus on outsourcing arrangements entered into with a service provider operating outside of Canada.

The financial institution should review the materiality of its outsourcing arrangements on a regular basis, or where these arrangements are renewed or renegotiated.

For its part, the AMF could require a financial institution to consider an agreement as being material in light of the AMF’s broad overview as part of its supervisory activities. For example, if the AMF believes that a systemic risk could arise where several financial institutions outsource to a single service provider (common industry service provider), it could ask a financial institution to consider such arrangements to be material.

 

3. Sound and prudent management of outsourcing risks

The AMF believes that financial institutions remain responsible for the compliance of outsourcing arrangements with the legal and regulatory requirements applicable to outsourced activities even where the execution and management of these activities are ensured by service providers.

Thus, the AMF expects the financial institution to adopt a policy and procedures for managing and monitoring its outsourcing arrangements and the related risks. The principles governing the sound management of risks related to outsourcing activities proposed by the AMF apply to material arrangements and are intended to help financial institutions mitigate their exposure to these risks. These principles are grouped together under three major axes:

3.1 Governance of outsourcing arrangements

A financial institution should provide the governance structures needed to manage and supervise the risks related to its outsourcing activities.

3.2 Management of outsourcing activities

Before entering into an outsourcing arrangement, a financial institution should assess the expediency of outsourcing and verify the service provider’s capabilities. All arrangements entered into must be documented and include terms for monitoring and controlling the outsourcing.

3.3 Management of outsourcing risks

A financial institution should have a policy and procedures for managing the risks related to its outsourcing activities. The policy and procedures should allow the financial institution, in particular, to identify, measure, mitigate and control those risks. The financial institution should ensure the continuity of the outsourced activities.

 

4. Governance of outsourcing arrangements

Principle 1: Responsibilities of board of directors and senior management

The AMF believes that the management, monitoring and control of outsourcing risks should be supported by a reliable governance structure. A financial institution’s board of directors and senior management are ultimately responsible for managing and monitoring outsourcing risks. (A reference to the board of directors can also include a board committee, such as a board committee established to examine specific issues.)

The Governance Guideline (Autorité des marchés financiers, Governance Guideline) sets out sound management principles that a financial institution should consider with respect to outsourcing risks.

The AMF expects the roles and responsibilities for managing these risks to be defined, documented and incorporated in the financial institution’s overall risk management strategy (Autorité des marchés financiers, Integrated Risk Management Guideline).

Within the specific context of managing outsourcing risks, the board of directors and senior management are assigned the following main responsibilities in particular:

  • the board of directors should establish appropriate levels of outsourcing authorization, based on the materiality of arrangements and the type of risks they may represent;

  • senior management should approve the factors for determining materiality and designate persons to assess the importance of the financial institution’s outsourcing arrangements.

The number of designated persons in charge should depend on the financial institution’s size and the materiality of the activities to be outsourced. In certain cases, a single person in charge of outsourcing could be sufficient. However, it would not be necessary to appoint such a person where laws provide for structures or committees that can assume such a task.

 

5. Management of outsourcing activities

Principle 2: Assessing the expediency of outsourcing

The AMF expects financial institutions to conduct a preliminary assessment of the expediency of outsourcing to determine the scope of the risks involved.

The reasons for relying on outsourcing and the related strategic orientation must be clearly defined at the start of the exercise.

The assessment of the expediency of outsourcing should be as comprehensive as possible. It should delineate the activity to be outsourced and help determine the scope of the initiative (see Appendix 2).

At this point, it is also critical to identify and assess the potential risks related to outsourcing (see principles 7 and 8).

This assessment should be detailed in a written report to be submitted to senior management. The latter should ensure that all required authorizations have been obtained.

Principle 3: Due diligence of ability of service providers

The AMF expects all financial institutions to determine a service provider’s reputation as well as the financial and operational elements indicative of its ability to provide quality service.

Prior to entering into an arrangement with a service provider, comprehensive background checks should be conducted with respect to its ability based on recent information (see Appendix 3). A financial institution may rely on a recent background check of the service provider’s ability carried out by a member of the same financial group as the financial institution. These background checks should be documented. The service provider’s ability to perform should be reviewed regularly as part of the overall assessment process. However, the extent of these checks may be modified commensurate with the risks the provider represents.

The service provider’s ability should also be updated whenever the outsourcing arrangement is renegotiated or renewed.

If a financial institution is considering an offshoring arrangement, a background check of a service provider’s ability should take into account the political, economic and social context of the country in which the activity will be carried out.

Principle 4: Documenting outsourcing arrangements

The AMF expects financial institutions to document their outsourcing arrangements through written service agreements incorporating the conditions governing the relations, functions, obligations and responsibilities of the parties to the contract.

The degree to which a service agreement is detailed will depend on the type and importance of the outsourcing arrangement. However, the outsourcing contract should include the strategies adopted by the financial institution and involving the service provider for mitigating exposure to risk. Moreover, should the service provider in turn rely on outsourcing, the financial institution should ensure that the outsourcing contract sets out the service provider’s responsibilities in this regard.

To facilitate access to information and documentation, the outsourcing contract should contain a clause under which the financial institution may request additional information on the outsourcing arrangement from the service provider.

Principle 5: Monitoring of outsourcing arrangements

The AMF expects financial institutions to monitor their outsourcing arrangements, by adequately managing relationships with service providers so as to ensure that the latter fulfill all contract conditions.

The monitoring of outsourcing arrangements should, in particular, allow for:

  • updating a centralized list of material outsourcing arrangements; however, sound outsourcing practices favour the maintenance of a complete list of outsourcing arrangements (material and less so);

  • regularly assessing the performance of service providers. Performance indicators, both qualitative and quantitative, should be clearly defined under the outsourcing contract (including explanations of indicators, calculation methods and communication frequency);

  • regularly assessing the service provider’s financial capacity and operational ability (see Appendix 3);

  • co-operating with service providers (such as frequent meetings) to ensure that performance levels are met;

  • following up on the achievement of outsourcing arrangement objectives set by the financial institution (such as cost reduction);

  • ensuring that the risks related to the financial institution’s outsourcing arrangements do not hinder its ability to honour client commitments or comply with laws and regulations.

Principle 6: Material intragroup outsourcing arrangements

The AMF expects financial institutions to adequately manage the risks related to outsourcing arrangements entered into with members of the same financial group.

The principles set out in this guideline also apply to outsourcing arrangements entered into with members of the same financial group (see exceptions noted under section 1). However, risk management related to these arrangements may be specified in a policy and procedures implemented at the group level. In such a case, the financial institution should ensure that this policy and those procedures adequately cover the risks arising from these arrangements.

Thus, when a financial institution enters into material outsourcing arrangements with members of the same financial group, the AMF expects the financial institution to:

  • document the outsourcing arrangements in order to clarify their scope and the responsibilities of the service providers (in this case, members of the same financial group);

  • verify the service provider’s ability to provide quality service. In such a case, checks can be more cursory than those for outside service providers;

  • ensure that the outsourcing arrangements entered into with members of the same financial group do not hinder the financial institution’s ability to honour client commitments or comply with laws and regulations;

  • establish a business continuity plan.

The AMF could have other expectations with respect to certain intragroup outsourcing arrangements subsequent to its supervisory activities.

6. Management of outsourcing risks

Principle 7: Inventory and assessment of outsourcing risks

The AMF expects financial institutions to identify the various risks related to outsourcing arrangements in order to be able to adequately assess and manage them.

Outsourcing can generate financial risks as well as strategic risks, operational risks, legal risks, and risks related to the financial institution’s reputation and level of concentration, all of which must be identified.

The AMF expects financial institutions to develop a methodology for assessing their exposure to risk, based on their respective size and risk profile as well as the type of outsourcing arrangement involved. A financial institution should therefore assess its exposure to risks related to its outsourcing arrangements in light of the foregoing. This assessment should enable it to determine the risk exposure associated with each of its outsourcing arrangements and to ascertain its aggregate exposure to outsourcing risks. The assessments must be performed on a regular basis (see Appendix 4).

Assessing risk exposure related to outsourcing should be a key factor in deciding whether or not to draw on outsourcing. These assessments should also be used to review the terms of outsourcing contracts at the time of the renewal or extension of outsourcing arrangements.

Principle 8: Management of business continuity

The AMF expects financial institutions to ensure that their reliance on service providers is not detrimental to their management of business continuity.

A financial institution’s management of business continuity can be hindered by the occurrence of an incident subsequent to the termination of an outsourcing arrangement or the inability of a service provider to honour its commitments or the voluntary decision to bring the outsourced activity in-house. In this regard, the financial institution should assess the impact of its reliance on service providers on its business continuity and take any necessary corrective measures.

The management of business continuity, whether as it relates to the financial institution itself or service providers, should be rigorously structured so as to ensure an optimal degree of preparedness. Management of business continuity hinges on the preparation and documentation of a business continuity plan. It also includes an assessment of the reliability of a business continuity plan, crisis management and the updating of the business continuity program.

Should negative consequences related to outsourcing arrangements take place, the AMF expects financial institutions to set up the measures required to resume normal operations as expeditiously as possible and thereby prevent a similar event from recurring. In this regard, the financial institution should, in particular:

  • assess the extent of the consequences (such as costs) and their scope (impact on operations, reputation, financial strength, etc.);

  • prepare an inventory of the risk factors causing these consequences;

  • determine the necessary corrective measures (such as change of service provider), based on the seriousness of the situation and the negative consequences;

  • enter these elements in the report on the management and monitoring of outsourcing arrangements.

Senior management and the board of directors should be notified as quickly as possible of the occurrence of a negative consequence having a material impact on the institution.

 

Appendix 1: Examples of outsourcing arrangements

The outsourcing arrangements covered by this guideline may involve the following areas:

  • information technology (e.g., data entry and processing);

  • document processing (e.g., cheques, credit cards);

  • administration of insurance policies;

  • administration of claims;

  • administration of loans;

  • management of investments (e.g., portfolio management);

  • marketing (e.g., call centres, telemarketing);

  • research (e.g., product development);

  • back office management (e.g., payroll processing);

  • property management;

  • professional services related to the business activities of the financial institution (e.g., internal audits, actuarial services, accounting);

  • human resources;

  • safekeeping of securities;

  • wealth management.

However, the guideline does not apply to the following:

  • agreement entered into with the external auditor, unless it is reasonable to conclude that the results of the service will not be subject to audit procedures during an audit of the institution’s financial statements;

  • courier services, regular mail, utilities, telephone;

  • procurement of specialized training;

  • discrete advisory services (e.g., legal services, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy);

  • purchase of goods, wares, commercially available software and other commodities;

  • independent audit reviews;

  • credit background and background investigation and information services;

  • market information services (e.g., Bloomberg, Moody’s);

  • independent consulting;

  • services the financial institution is not legally able to provide;

  • printing services;

  • repair and maintenance of fixed assets;

  • supply and service of leased telecommunication equipment;

  • travel agency and transportation services;

  • correspondent banking services;

  • maintenance and support of licensed software;

  • temporary help and contract personnel;

  • fleet leasing services;

  • specialized recruitment;

  • external conferences;

  • clearing and settlement arrangements between members or participants of recognized clearing and settlement systems;

  • sales of insurance policies by agents or brokers;

  • ceded insurance and reinsurance ceded;

  • syndication of loans.

 

Appendix 2: Examples of assessments of outsourcing arrangements

The assessment of an outsourcing arrangement should take into account the following elements, in particular:

  • identification of the type of activity to outsource (strategic or support activity);

  • analysis of the cost of the activity to outsource;

  • identification of current procedures;

  • description of the activity to outsource (number of employees, their functions, etc.);

  • description of the relationships or interactions of the activity to outsource with other activities carried out by the financial institution;

  • inventory of assets held or leased with regard to the activity to outsource;

  • overview of how the competition handles the activity to outsource;

  • identification of the strategic medium- and long-term orientations of the activity to outsource;

  • identification of obstacles to outsourcing (regulatory requirements, technological hurdles, financial considerations, etc.);

  • ability of the financial institution to return the outsourced activity internally.

 

Appendix 3: Examples of due diligence of service providers

When selecting a service provider that will be able to ensure quality service or when regularly reviewing a provider’s ability to continue to adequately meet its commitments, the following information should be considered:

  • Reputation: What reputation does the service provider have in the industry? Are there any complaints regarding the service provider? Has the service provider ever violated any laws or been involved in disputes in the performance of its activities? Are the service provider’s reputation and corporate culture compatible with those of the financial institution?

  • History: How long has the service provider been in business? Have any events had an impact on its experience? Has the service provider ever had to interrupt its activities due to a system deficiency or outside event? If so, was the service provider able to adequately manage business continuity subsequent to the event?

  • Financial capacity: Is the service provider financially stable? What were the service provider’s financial results in the past few years (analysis of financial statements)? What are the service provider’s forecasts for the next few years?

  • Organization: Where is the service provider’s head office located? Where are the main points of service located from which the outsourced activity will be performed (if different)? Is the location of the resources (assets, employees and technologies) necessary for the performance of the outsourced activity suitable to the financial institution?

  • Partners and subcontractors: Does the service provider rely on subcontracting? Who are the subcontractors? What type of relationships (nature and quality) does the service provider have with subcontractors and business partners?

  • Competence: What is the degree of relevant experience and expertise with respect to the outsourced activity and with respect to managing outsourcing relations?

 

Appendix 4: Examples of methodology for assessing exposure to outsourcing risks

Exposure to risk resulting from an outsourcing arrangement depends on two critical factors: the severity of the impacts of potential negative consequences of the outsourcing arrangement and the probability that each of these consequences will occur. Negative consequences are associated with risk factors that characterize each outsourcing arrangement. Assessing the risk exposure in an outsourcing arrangement consists in determining the value of each of these risk factors, identifying the related negative consequences and estimating the scope of the impact of each negative consequence.

Risk factors

Risk factors related to financial institution

  • Degree of relevant outsourcing experience and expertise
  • Degree of experience and expertise in managing outsourcing relations
  • Accuracy of cost estimates

Risk factors related to service providers

  • Size of the service provider
  • Financial capacity
  • Degree of relevant outsourcing experience and expertise
  • Degree of experience and expertise in managing outsourcing relations

Risk factors related to outsourcing

  • Type and scope of the outsourced activity
  • Degree to which the outsourced activity is linked to other activities
  • Limited knowledge of outsourced activity

Risk factors related to business environment

  • Scarcity of service providers
  • Changing regulations

Risk factors related to information technology

  • Technological discontinuity
  • Technology transfer

Negative consequences

  • Unexpected transition and management expenses
  • Costly amendments to agreements
  • Litigation due to differing interpretations of contract clauses
  • Difficulty in renegotiating agreements
  • High costs of renewing agreements
  • Lower service quality
  • Increase in the cost of service delivery
  • Loss of competence vis-à-vis the outsourced activity
  • Loss of innovative ability
  • Loss of co-ordination ability
  • Loss of control over outsourced activity
  • Loss of legitimacy
  • Disruption within organization