Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.

Presentation transcript:

Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011

IOSCO definition of outsourcing

“An event in which a regulated outsourcing firm contracts with a service provider for the performance of any aspect of the outsourcing firm’s regulated or unregulated functions that could otherwise be undertaken by the firm itself. It is intended to include only those services that were or can be delivered by internal staff and management…”

Key risks of outsourcing

Risk / Major concerns

Strategic Risk
- The third-party may conduct activities on its own behalf which are inconsistent with the overall strategic goals of the regulated entity.
- Failure to implement appropriate oversight of the outsource provider.
- Inadequate expertise to oversee the service provider.

Reputation Risk
- Poor service from third-party.
- Third-party practices not in line with stated practices (ethical or otherwise) of regulated entity.

Compliance Risk
- Privacy laws are not complied with.
- Consumer and prudential laws not adequately complied with.
- Outsource provider has inadequate compliance systems and controls.

Operational Risk
- Technology failure.
- Inadequate financial capacity to fulfill obligations and/or provide remedies.
- Inadequate internal controls leading to undetected errors or fraud.
- Difficult/costly for firm to undertake inspections of the service provider's operations.

Key risks of outsourcing (cont’d)

Exit Strategy Risk
- The risk that appropriate exit strategies are not in place. This could arise from over-reliance on one firm, the loss of relevant skills in the institution itself preventing it from bringing the activity back in-house, and contracts which make a speedy exit prohibitively expensive.
- Limited ability to return services to home country due to lack of staff or loss of intellectual history.

Country Risk
- Political, social and legal climate may create added risk.
- Business continuity planning is more complex.

Contractual Risk
- Ability to enforce contract.
- For offshoring, choice of law is important.

Access Risk
- Outsourcing arrangement hinders ability of regulated entity to provide timely data and other information to regulators.
- Additional layer of difficulty in regulator understanding activities of the outsource provider.

Concentration and Systemic Risk
- Overall industry has significant exposure to outsource provider.
- This concentration risk has a number of facets, including:
  – Lack of control of individual firms over provider; and
  – Systemic risk to industry as a whole.

IOSCO 9 principles on outsourcing

1. Corporate governance
2. Risk management
3. No subrogation of regulatory responsibility
4. Due diligence
5. Contract
6. Business Continuity
7. Confidential Information
8. Regulatory Assessment
9. Concentration

Core or material outsourced functions

“Core functions” are defined as “critical or material to the ongoing viability of an entity as well as meeting its regulatory obligations to customers”.

Example of core functions

- Accounting
- Compliance
- Back-office operations
- Information system management and maintenance
- Registration of salespersons
- Customer application processing and document administration
- Customer complaint handling
- Collection of margin and overdue cash accounts
- Research reports and market newsletters

NI requirements on outsourcing

- Dealer Members remain responsible and accountable for all functions that they outsource to a service provider
  – Cannot subrogate regulatory obligations to service provider
- Functions outsourced must be set out in a written legally binding contract
- Dealer Member must conduct and document due diligence analysis of third party service provider (including affiliates)
  – Reputation
  – Financial stability
  – Internal controls and ability to deliver services
- Service provider must have safeguards in place to keep information confidential
- Dealer Member must conduct ongoing reviews of the quality of outsourced services

NI requirements on outsourcing (cont’d)

- Service provider must develop and test a business continuity plan
- Arrangement must consider other legal requirements such as privacy laws
- Dealer Member, IIROC and auditors must have the same access to the work product of the third-party service provider as they would if the Dealer Member itself performed the activities.
  – Dealer Member must ensure this access is provided and should include a provision requiring it in the contract with the service provider.

Required contract terms

- No subrogation of regulatory obligations.
- Rights of inspection and access to books, records and information relevant to the outsourced activity to Dealer Member, IIROC, and auditors.
- Define all activities outsourced and responsibilities of the parties.
- Establish precise service and performance levels and how they will be monitored.
- Service provider to immediately inform the Dealer Member of any material change in circumstances which could have a material impact on the provision of services.
- Agreement must cover the ownership of intellectual property and the protection of confidential information.
- Provision that requires prior consent of the Dealer Member to sub-outsourcing to other third-party providers.
- Cover termination and exit process to allow for transfer of the service to another service provider or to the Dealer Member itself.

Regulatory expectations on all outsourcing arrangements (including ICB)

- Dealer Members to provide IIROC with prior written notification of material changes to business model. This includes outsourcing of core functions to third party service providers.
- Dealer Members must comply with the requirements as a registrant under NI and Policy 11.
- Dealer Members must maintain a control log of all outsourcing arrangements and copies of executed agreements on file for inspection upon request.
- IIROC must be granted unfettered access to the operations of service provider(s) during the course of any examination of the Dealer Member.

Rules and Guidance References

- IIROC Notice – Reporting of changes to business models dated March
- National Instrument and Part 11 – Internal controls and systems.
- Principles on Outsourcing of Financial Services for Market Intermediaries, Chapter 1 – Technical Committee of the International Organization of Securities Commissions (IOSCO), February
- Superintendent of Financial Institutions (OSFI) revised Guideline B-10 on “Outsourcing of Business Activities, Functions and Processes” dated March
- FSA Handbook (Chapter 8) – Adoption of Markets in Financial Instruments Directive (MiFID) Connect trade association industry guidance on outsourcing May 2010.