International developments in outsourcing point to future direction in Australia

As a body for securities regulators globally, the International Organization of Securities Commissions is an important standard setter for compliance, including in respect to the work of the Australian Securities and Investments Commission (ASIC). Given policy development in respect to outsourcing in Australia in recent times, IOSCO’s recent consultation in this area is a valuable pointer to regulation which may arise in Australia. Having initially delayed its planned consultation exercise to allow the financial services sector to focus on responding to Covid-19, IOSCO subsequently found the pandemic a catalyst to proceed. Therefore, at the end of May, IOSCO launched its consultation on proposed updates to the 2005 Outsourcing Principles for Market Intermediaries and the 2009 Outsourcing Principles for Markets; feedback on the proposed  new Outsourcing Principles (OPs) are requested on or before 1 October 2020. The decision to proceed reflects the acknowledgement that outsourcing is a key element for consideration when assessing operational resilience across the sector.

This post gives a high level summary of the consultation before focusing on the definition of outsourcing used by IOSCO, intragroup arrangements, concentration risk, and access and audit rights. To provide additional context, the IOSCO proposals considered alongside some country/region-specific examples. Followers of the outsourcing theme may not be surprised that IOSCO does not resolve the challenges associated with the focus topics. The post concludes with a focus on developments in outsourcing regulation in Australia.

Introduction

In common with some regional and national authorities among its membership, IOSCO has found that much has changed since its original efforts to define universal principles for outsourcing, not least the move towards use of cloud and the increased speed of markets. What has not changed in the view of IOSCO, and many other regulators across the globe, is that regulated entities retain full responsibility, legal liability, and accountability to the regulator for all outsourced tasks.

Clearly cloud has been a factor driving regulators to revisit their existing guidelines. However, it is clear that consideration of how cloud technologies may be used in the financial services sector has not prompted a fundamental rethink on firms’ responsibilities – much as some may have hoped this would be the case. Similarly, the ‘technology neutral’ mantra remains firmly in place, and some authorities have consulted on or have guidelines for cloud specifically, for example, the European Banking Authority (EBA) and the Australian Prudential Regulation Authority.

Increased and increasing reliance on third party providers is drawing greater regulatory focus as supervisors look to ensure the operational resilience of regulated entities – a condition that is unlikely to change anytime soon, particularly in light of the lessons being learnt under Covid-19. In this consultation, IOSCO explains that, ‘operational resilience refers to the ability of regulated entities, other firms such as service providers, and the financial market as a whole to prevent, respond to, recover, and learn from operational disruptions.’

An overview of the IOSCO proposals

The OPs comprise a set of ‘fundamental precepts’ covering issues such as the definition of outsourcing, the assessment of materiality and criticality, their application to affiliates, the treatment of sub-contracting and outsourcing on a cross-border basis. They also include seven principles, each of which is supplemented with guidance for implementation, covering:

• Due diligence in the selection and monitoring of a service provider.
• The contract with a service provider.
• Termination of outsourcing arrangements.

The seven principles also cover information security, business resilience, continuity and disaster recovery, confidentiality issues, concentration of outsourcing arrangements, and access to data, premises, personnel and associated rights of inspection.

Scope of application – securities markets and FMIs

As noted above, IOSCO is the international policy forum for securities regulators and the global standard setter for securities regulation. Given this context, two fundamental caveats are:

• The OPs are unlikely to be directly applicable in many, if any, jurisdictions; individual jurisdictions and/or authorities must legislate and/or regulate for implementation of the OPs by regulated entities in their jurisdictions. It is very likely that as part of the process of adoption, jurisdictions and/or authorities will apply their own filter or overlay to the OPs themselves or to their enforcement of standards which comply with the OPs.
• The OPs have been developed in the context of securities markets.

The scope of application includes trading venues, intermediaries and market participants, credit rating agencies (CRAs) and financial market infrastructures (FMIs).

As is the practice with global standard setters, IOSCO accommodates jurisdictional differences in its definition of scope. For example, “intermediaries and market participants” includes “regulated entities, other than those that are trading venues, that are in the business of some or all of the following:

• executing orders in, or distributing, securities or derivatives;
• proprietary trading or dealing on own account;
• receiving and transmitting orders from or to third parties;
• providing advice regarding securities or derivatives or the advisability of purchasing or selling securities or derivatives; and
• underwriting of new issues or products.

IOSCO’s definition of FMIs references (as a footnote) the Principles for FMIs which IOSCO penned in collaboration with the Committee on Payments and Market Infrastructures (CPMI). As such, the OPs appear to be intended to apply more widely to include payment systems.

The definition of outsourcing

As might be anticipated from a global standard setter, IOSCO spends some time in discussing the characteristics of outsourcing. What may be most helpful is to understand that the OPs are, ‘written to apply to outsourced tasks that pose risks to regulatory objectives.’

Outsourcing is described as, ‘a business practice in which a regulated entity uses a service provider to perform tasks, functions, processes, services or activities … that would, or could in principle, otherwise be undertaken by the regulated entity itself [although it is not a prerequisite that the entity should have previously performed a task for it to be considered as outsourcing]. This may also be referred to as onshoring, offshoring, near-shoring or right-shoring, depending on the organisational context and the relationship with affiliates and service providers.’ The OPs apply to both extra- and intragroup arrangements.

IOSCO’s approach also incorporates a principle of proportionality as it acknowledges that, ‘interpretation or implementation … should correspond to the degree of materiality and criticality of the outsourced task to the regulated entity’s business and its regulatory obligations…’ That the IOSCO OPs adopt a risk-based approach to the categorisation of outsourcing, applying the terms ‘material’ and ‘critical’ for the most important outsourcing arrangements and acknowledging the subjectivity of that assessment reflects the approaches taken by some member jurisdictions, including the EU and UK. IOSCO says that, ‘In simple terms, a material task is one that comprises or affects a significant proportion of the tasks of the regulated entity; a critical task may be a task that is small in scale but without which the regulated entity is unable to conduct its activities.’

Intragroup arrangements

The OPs will apply regardless of whether the service provider performing the tasks is ‘an affiliated entity of a corporate group’ or external. While acknowledging that the risks may be different, IOSCO’s commentary in the consultation should dissuade anyone from the view that intragroup outsourcing in inherently less risky and that intragroup arrangements will be viewed as such by regulators.

Concentration risk

Principle 5 in the OPs addresses concentration risk, articulating two aspects – in the first case, where the regulated entity is dependent on a single service provider for material or critical tasks and, in the second case, where the regulated entity ‘is aware that one service provider provides material or critical outsourcing services to multiple regulated entities including itself.’

In common with much of the regulatory cannon on risk management, IOSCO expects that firms will conduct ‘ongoing, periodic reviews of service provider capacity’. While this is difficult to challenge at the hypothetical level, in practice firms are likely to have very little insight into the build-up of concentration risk with a particular service provider. Key performance or risk indicators (KPIs/KRIs) may serve as a proxy for potential concentration risk issues and should trigger the regulated entity to conduct some inquiries, but KPIs and KRIs are unlikely to be conclusive. It would be difficult to construct e a KRI which tracks concentration at a service provider.

Access and audit rights

A thorny issue, particularly in respect of use of cloud technology, arises with access and audit rights. IOSCO’s Principle 6 reads: ‘A regulated entity should take appropriate steps to ensure that its regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks that is relevant to contractual compliance and/or regulatory oversight including, as necessary, access to the data, IT systems, premises and personnel of service providers relating to the outsourced tasks.’

Firms and service providers may argue that access to systems, premises, etc. can be difficult in practice for some types of outsourcing arrangements – notably, this comment is often made in relation to cloud services. Firms may also point out that their ability to negotiate for some outsourcing services may be limited if the market concerned has a small number of providers; again, a comment that is frequently made in respect of cloud services. This is reflected in the research on CRA use of cloud outsourcing which is appended to the IOSCO consultation.

In response, regulators tend to point out that if access is not practicable, then this presents a challenge to their ability to supervise the firm appropriately. Regulators may also remind firms that outsourcing a task does not mean that the firm can divest or lessen its own responsibility for compliance. This tension for regulated entities between maintaining compliance while also taking advantage of technology looks set to continue unless there is intervention from the official sector.

As IOSCO needs to accommodate its members, the global standard setter appears to provide for some  flexibility in its OPs. For example, reference is made to use of pooled audits and/or assurance statements. Similar allowances are made in guidance issued by the UK’s FCA. However, this is somewhat untested as, for example, in the UK there are no published enforcement cases related to outsourcing failures which discuss use of pooled audits or assurance statements. The suitable, or otherwise, of such arrangements is likely to be tested in the context of the individual regulated entity’s supervisory relationship which is unlikely to be publicly disclosed and/or enforcement.

Regulatory policy on outsourcing in Australia

Australian financial services and markets regulation has sought to cover outsourcing for many years, and the level of prescription and regulatory focus has increased substantially in recent times. Since 2007, ASIC has published policy in relation to the responsibility of Australian financial services licensees for services they outsource, and the Australian Prudential Regulation Authority (APRA) has issued Prudential Standard CPS 231 Outsourcing in 2002 to ensure management of prudential risks in the outsourcing of material business activities by authorised deposit-taking institutions (ADIs). These pronouncements have been reinforced by regulation and guidance in relation to information technology, such as:

• ASIC benchmarking of cyber resilience of firms in Australia’s financial markets in Report 555 (November 2017);
• ASIC’s revised policy on outsourcing by financial market operators in Regulatory Guide 172: Financial markets: Domestic and overseas operators (May 2018);
• APRA Information Paper Outsourcing Involving Cloud Computing Services which classified the risks of cloud computing services into three categories, and set out APRA’s expectation for consultation for each of these (September 2018); and
• APRA Prudential Standard CPS 234 Information Security, set out requirements for prudentially regulated institutions to take steps to enhance information security resilience (July 2019).

In 2019, ASIC conducted a consultation on proposed market integrity rules for securities and futures market operators and participants which, among other matters, explored the imposition of requirements regarding outsourcing arrangements for critical systems and the implementation of controls regarding such outsourcing. ASIC’s proposals seek to create obligations on regulated entities regarding notice of outsourcing to ASIC, conduct of appropriate due diligence on outsourced providers, terms of the outsourcing agreement and information access and audit rights. As part of this consultation ASIC also considered implementing obligations on operators regarding information security and cyber risk, reflecting a heightened focus on data protection and the criticality of data integrity to stable, efficient and effective operation of financial markets.

We expect that the focus of ASIC on outsourcing, and especially information technology outsourcing, will continue into the future, and that it will be informed by the IOSCO outsourcing consultation internationally and APRA regulation domestically. We also expect that the outcomes of the 2019 ASIC consultation will have regard to the IOSCO outsourcing principles, and that the ASIC consultation may be delayed further to achieve this.