• PRU 6.8 PRU 6.8 Outsourcing

    • PRU 6.8.1 PRU 6.8.1

      An Authorised Person must establish and maintain appropriate systems and controls to manage its outsourcing risk.

      • Guidance

        1. The GEN rules set out the Regulator requirements on outsourcing by Authorised Persons. This Section complements the requirements in the GEN rules and contains guidance on managing the Operational Risk associated with outsourcing arrangements.
        2. The assessment of outsourcing risk at an Authorised Person may depend on several factors, including the scope and materiality of the outsourced activity, how well the Authorised Person manages, monitors and controls outsourcing risk (including its general management of Operational Risk), and how well the service provider manages and controls the potential risks of the operation.
        3. Factors that an Authorised Person should consider in establishing outsourcing arrangements include the following:
        a. the financial, reputational and operational impact on the Authorised Person of the failure of a service provider to perform adequately the activity;
        b. potential losses to an Authorised Person's customers and counterparts in the event of a service provider failure;
        c. the consequences of outsourcing the activity on the ability and capacity of the Authorised Person to conform with regulatory requirements and changes in such requirements;
        d. the interrelationship of the outsourced activity with other activities within the Authorised Person;
        e. the cost associated with the outsourcing;
        f. any affiliation or other relationship between the Authorised Person and the service provider;
        g. the regulatory status of the service provider;
        h. the degree of difficulty and time required to select an alternative service provider or to bring the business activity in-house, if necessary;
        i. the complexity of the outsourcing arrangement. For example, the ability to control the risks where more than one service provider collaborates to deliver an end-to-end outsourcing solution; and
        j. any data protection, security and other risks which may be adversely affected by the geographical location of an outsourcing service provider. To this end, Specific Risk management expertise in assessing country risk related, for example, to political or legal conditions, could be required when entering into and managing outsourcing arrangements that are taken outside of the home country.