21 July 2020
In May 2020 the International Organization of Securities Commissions (IOSCO) published a consultation report (the IOSCO Report) concerning its work on understanding recent developments in outsourcing and setting out proposals to update the existing IOSCO principles on outsourcing (Principles). Much has happened in the area of outsourcing since 2005 when the Principles were first developed, notably in the development of cloud services.
IOSCO Report overview
IOSCO has developed seven principles setting out expectations for regulated entities that outsource tasks, along with guidance for implementation. They comprise:
Principle 1: A regulated entity should conduct suitable due diligence processes in selecting an appropriate service provider and in monitoring its ongoing performance.
Principle 2: A regulated entity should enter into a legally binding written contract with each service provider, the nature and detail of which should be appropriate to the materiality or criticality of the outsourced task to the business of the regulated entity.
Principle 3: A regulated entity should take appropriate steps to ensure both the regulated entity and any service provider establish procedures and controls to protect the regulated entity’s proprietary and client-related information and software and to ensure a continuity of service to the regulated entity, including a plan for disaster recovery with periodic testing of backup facilities.
Principle 4: A regulated entity should take appropriate steps to ensure that service providers protect confidential information and data related to the regulated entity and its clients, from intentional or inadvertent unauthorised disclosure to third parties.
Principle 5: A regulated entity should be aware of the risks posed, and should manage them effectively, where it is dependent on a single service provider for material or critical outsourced tasks or where it is aware that one service provider provides material or critical outsourcing services to multiple regulated entities including itself.
Principle 6: A regulated entity should take appropriate steps to ensure that its regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks that is relevant to contractual compliance and/or regulatory oversight including, as necessary, access to the data, IT systems, premises and personnel of service providers relating to the outsourced tasks.
Principle 7: A regulated entity should include written provisions relating to the termination of outsourced tasks in its contract with service providers and ensure that it maintains appropriate exit strategies.
IOSCO has identified that as markets have become faster and more competitive, and as firms seek to reduce cost and improve efficiency, there has been growing reliance on outsourcing. Increasing automation, the availability of third party software as a service (SaaS) solutions, and cloud storage have contributed to these developments. These developments are giving rise to growing tensions: the service providers are generally unregulated, but regulated entities are becoming increasingly reliant on the services they provide, some of which are critical to the efficient operation of the business and activities of regulated entities.
Historically, many regulators have not sought to regulate back office functions of regulated entities directly: individuals who are not client facing and who only conduct back or middle office functions often do not require a licence or authorisation, and regulators provide considerable flexibility to regulated entities to manage their operations in compliance with applicable regulations. This principle has driven regulators’ attitudes to outsourcing: regulated entities are generally free to outsource, provided that they exercise appropriate due diligence in the choice and monitoring of service providers, and remain liable for compliance and the proper functioning of their operations.
However, there is an observable trend to expand the reach of regulators, which may be attributable to concerns regarding perceived failures in the industry to cultivate a more effective compliance culture, or to the increased frequency in the incidence and severity of so-called black swan events since the turn of the century. Examples include the expansion of the obligations on and requirements for depositaries in Europe under the UCITS and AIFM directives, and the proposed regulatory regime for depositaries of regulated funds in Hong Kong.
Commentary on findings in relation to cloud computing
The focus of this article is on Principle 6 and the findings of IOSCO’s Committee 6 (C6) which (inter alia) examined the role of cloud computing in outsourcing as these findings are relevant to the work currently being undertaken by the financial services industry in Hong Kong in response to the SFC’s circular of 31 October 2019 on the use of external electronic data storage (the EDSP Circular).
Providers of electronic data storage (EDSPs) are typically unregulated. The very large providers deal with an enormous variety of customers, most of whom are likewise unregulated. These providers are very reluctant to expose themselves voluntarily to any form of direct or indirect relationship with regulators. Those which provide services primarily to regulated clients, often those which provide record storage as an adjunct to software services, are more familiar with the environment in which their regulated users operate, and therefore perhaps more sensitive to the regulatory demands placed on their customers. However, even these providers are resistant to assuming any form of direct obligation to regulators, which has been a major issue with the form of undertaking required of overseas EDSPs under the EDSP Circular.
Summary of the IOSCO Report in relation to cloud computing
The IOSCO Report notes that “There is a wide range of tasks that are outsourced in the securities and derivatives markets. Commonly outsourced tasks include information technology (IT), operation/support of exchanges and trading platforms, regulatory reporting, and other control functions such as real-time trade monitoring and audits. Other examples include joint ventures and strategic alliances aimed at facilitating trading (e.g., the shared use of analytical, legal, compliance, internal controls, IT, and any other support functions for critical tasks within a group of entities). In the over-the-counter (OTC) derivatives sector, outsourced post trade tasks typically include trade matching and confirmation, portfolio reconciliation and compression, collateral management, trade reporting, credit limit checks, and custody of assets.
It is increasingly commonplace for firms to use third party service providers to carry out, or otherwise support, some of their regulated business activities. While this approach can deliver economic benefits, it may also raise concerns about risk management and compliance when such tasks are outsourced to entities that are not regulated and/or are based in different jurisdictions. In particular, it can diminish regulators’ ability to regulate or supervise certain functions within firms.”
The IOSCO Report expresses concern that there is some concentration of outsourced tasks in a small number of “highly specialised, often IT-based companies” which could expose the regulated entities they serve to risk in the event that the operations of such service providers are interrupted.
It is common ground that a regulated entity retains full responsibility, legal liability, and accountability to regulators for all tasks that it may outsource to a service provider to the same extent it would if the service were provided in-house. The regulatory responsibilities of a regulated entity and its management cannot be outsourced. Moreover, outsourcing should not be permitted to impair a regulator’s ability to perform its functions, including the proper supervision and examination of a regulated entity – it is in this area that much of the discussion relating to cloud services takes place.
C6 engaged in discussions with a variety of cloud computing experts. Proponents of cloud-based infrastructures highlight several advantages of such arrangements:
- Improved accessibility – Services are accessible from a wide variety of devices and from any location with network access to the cloud.
- Cost efficiency – Cloud provider resources are pooled to serve multiple clients, which creates economies of scale. This reduces the cost of data storage.
- Demand scalability – The cloud provides a flexible platform that can grow and shrink to match the client’s needs.
- Always-on availability – Applications running on a cloud infrastructure are rarely off-line and are accessible whenever there is an internet connection.
- Improved security – A key concern of a cloud provider is to carefully monitor the cloud’s security, which is more efficient than monitoring a conventional in-house system.
On the other hand, outsourcing poses a number of challenges and risks, both for regulated entities that outsource and for their regulators. These challenges and risks may be complicated further where the outsourcing involves the storage of electronic data with third party providers, particularly if those providers’ storage facilities are outside the jurisdiction of their clients.
When a regulated entity uses a third party to perform a task, it may have a detrimental impact on the regulated entity’s understanding of how the task is performed, with a consequential loss of control over that task.
Outsourcing may compromise a regulated entity’s ability to protect the confidentiality of its own and client information. This risk has increased in recent years, as many tasks are computerised, and data and information are stored in cloud environments, i.e., stored on remote servers and accessed from the internet. It is common industry practice to use privacy agreements when outsourcing tasks to safeguard data.
It is generally accepted that the number of cyber incidents and data leaks is increasing. Outsourcing to, and storing of, data in a cloud may increase these risks. The monitoring of, and reliance on, outsourced tasks may be exposed to risk arising from the uncertainty of the physical location of data, lack of understanding of cloud technology risks on the part of the regulated entity, and the rapid development and changing nature of cloud technology. On the other hand, the adoption of cloud technology by regulated entities may have a mitigating impact on these risks as service providers may be more aware of cyber-security issues and have more sophisticated systems to detect and prevent cyber-incidents than individual regulated entities.
The Principles apply to tasks that a regulated entity outsources both within its own jurisdiction in which it maintains a presence and on a cross-border basis. Particular risks applicable to cross-border cloud services may include the following:
- if the books, records, or other material are maintained in a foreign jurisdiction, steps must be taken to ensure prompt access to, and translation of, such data when necessary; and
- where confidential information and/or client data are subject to outsourcing, the regulated entity should assess the regulatory environment for data security and protection and, if necessary, consider additional precautionary measures such as introducing enhanced encryption.
Service providers may use the services of a sub-contractor to perform the outsourced tasks, but the regulated entity should ensure that sub-contracting is not permissible without its prior approval. The regulated entity should consider whether such sub-contracting arrangements may compromise the integrity of the confidentiality of data or its access to data, or the quality of the service provided.
Principle 6 states that:
A regulated entity should take appropriate steps to ensure that its regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks that is relevant to contractual compliance and/or regulatory oversight including, as necessary, access to the data, IT systems, premises and personnel of service providers relating to the outsourced tasks.
Regulated entities should therefore make provision in their arrangements with service providers for prompt access by regulators and ensure that their regulators are able, upon request, to obtain any data and information relating to or generated by the outsourced task promptly, irrespective of whether they are in the possession of the regulated entity or the service provider.
Arrangements between regulated entities and service providers should seek to ensure that the regulated entity, its auditors and its regulators have appropriate and prompt access to the premises, personnel, and data and other information wherever they are held.
Such access to data should be in a form that is acceptable to the regulator. This should be considered in terms of both the format in which information is made available (e.g. electronic versus paper) and the language in which the material is provided, particularly where the outsourced task is performed in a jurisdiction other than that of the regulated entity.
The IOSCO Report suggests that steps to ensure access may include:
- Contractual provisions by which the regulated entity (including its auditor) has access to, and a right of inspection of, the service provider dealing with outsourced tasks, and similar access to any subcontractor. Where appropriate, these may include physical inspections at the premises of the service provider, delivery of data or copies of data to the regulated entity or its auditor, or inspections that utilise electronic technology (e.g. “virtual inspections”).
- Access may also be necessary to systems, hardware, software, algorithms, procedures, manuals, and the staff at the service provider responsible for maintaining them.
- Considering the use of pooled audits or assurance statements to obtain confirmation that their requirements and associated regulatory expectations are being met. Consideration should be given to ensuring that appropriate access to these statements is permitted to regulators.
- Contractual provisions by which the service provider is required to make books, records, and other information about outsourced tasks performed by the service provider available to the regulator upon request. Such contractual provisions may include the requirement to store electronic data in a format that is easily accessible by regulators. In addition, the service provider may be required to comply with any requirements in the regulated entity’s jurisdiction to provide periodic reports to the regulator.
- Appropriate plans for continued access by the regulator to books, records and appropriate personnel and systems in the event of the termination of the contract.
- Contractual provisions which prohibit the service provider from deleting, discarding, or otherwise making unavailable, the records of the regulated entity in a manner that is not consistent with the records retention requirements applicable to the regulated entity, including in the event of non-payment of fees and charges by the regulated entity.
C6’s report on cloud computing was focussed on use by credit rating agencies. However, the same issues arise with other users in the financial services industry, where similar growth in use of and reliance on cloud computing services may be observed. IT outsourcing is a common practice for firms, and cloud computing solutions are increasingly becoming the preferred IT outsourcing option.
The four deployment models identified in the IOSCO Report are:
1. Private cloud – This cloud infrastructure is for exclusive use by a single organisation comprised of multiple consumers (e.g., business units). It may exist on or off the client’s premises.
2. Community cloud – This cloud infrastructure is for the exclusive use of a specific community of consumers from organisations that have shared concerns. It may exist on or off the clients’ premises.
3. Public cloud – This cloud infrastructure is for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organisation, or some combination of them. It exists on the cloud provider’s premises.
4. Hybrid cloud – This cloud infrastructure is composed of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability.
Prior to cloud adoption, organisations would house their data on their own premises on their own systems. Under this traditional model, an organisation would have to invest capital by purchasing equipment and maintaining the infrastructure on-site (e.g., power resources, temperature controls, maintenance, and security). Cloud computing is a form of outsourcing as all or parts of this infrastructure are moved to a cloud provider.
Certain users contacted by C6 stated that negotiating contract terms with cloud providers can be challenging due to the providers’ asymmetrical bargaining power. The cloud market is dominated by a few large firms.
C6 reported that survey responses indicate that some cloud providers have committed to providing cooperation and assistance to regulators and supervisors. Two users commented that contracts include a regulatory right of access provision that is specifically negotiated to maintain transparency and cooperation with regulators.
One user found it difficult to negotiate a requirement granting regulators the right to conduct on-premises inspections of the cloud provider’s facilities. Cloud providers believe that allowing multiple clients and regulators to conduct site visits and inspections creates a security risk. A cloud service provider stated that clients can gain comfort around compliance with certain standards through third-party certifications and audits.
The findings in relation to the EDSP Circular
It is not clear to what extent the SFC drew on the findings of the various IOSCO committees, and of C6 in particular, in framing the EDSP Circular. There is much in the IOSCO Report to support the approach taken by the SFC. However, the EDSP Circular goes further than the recommendations in the IOSCO Report in one significant regard: its requirement for an undertaking from overseas EDSPs to the SFC to preserve data and cooperate with requests for data from the SFC. This requirement has proved a significant issue, as so far it does not appear that any EDSP has been prepared to give the undertaking.
IOSCO welcomes comments on the consultation report on or before 1 October 2020.