On 28 June 2019 the Bermuda Monetary Authority (BMA) released Outsourcing Guidance Notes (Guidance Notes) applicable to Banks, Deposit Companies, the Bermuda Stock Exchange, Corporate Service Providers, Trust Companies, Money Service Businesses, Investment Businesses, Fund Administrators, and the Credit Union licensed by the BMA, each a Relevant Licensed Entity (RLE). This guidance will come into force on 1 May 2020 and replaces previous guidance on outsourcing issued in 2007.
Application of the Guidelines
The Guidance Notes apply to all outsourcing arrangements, with a particular emphasis on those that are deemed material outsourcing arrangements. In this context, "material" is defined as those whereby failure in provision or performance of the activity would materially impact business operations, financial performance, ability to manage risk, or compliance with Bermuda laws and regulations.
However, the Guidance Notes also provide that certain outsourced services fall outside the scope of the guidelines. These include:
1. Provision of services to the RLE which don't form part of the services the RLE itself provides. Examples include:
a. Supply of external advisory services that don't form part of the services or activities of the RLE.
b. Provision of external legal advice.
c. Provision of external training.
d. Security, management and maintenance of the RLE's premises.
2. Provision of standardised services such as office equipment, stationery or photocopying services.
There are two compliance paths to validate existing outsourcing arrangements with the BMA: prior approval or attestation. The prior approval submission deadline to the BMA is 3 January 2020. The attestation deadline to the BMA is 30 April 2020.
There is a transition period from 4 January 2020 to 1 May 2020. During this period, where an RLE wishes to enter into a new material outsourcing arrangement it can use either the prior notification or attestation route.
Once implementation of the Guidance Notes has taken place, RLEs wishing to enter into new material outsourcing arrangements must make prior notification submissions to the BMA.
If the RLE chooses the prior approval path for existing material outsourcing, the BMA expects a complete and comprehensive application which is capable of demonstrating compliance with the Guidance Notes. Applications are expected to contain the following information:
- Name, address and regulatory status of the service provider.
- When outsourcing commenced and when it is scheduled to end.
- Whether the service provider is related to the RLE.
- Whether the service provider provides multiple services to the RLE and how concentration risk is being mitigated.
- A summary of the activity outsourced and why it is considered material.
- Reasons for outsourcing.
- What due diligence has been conducted prior to entering the agreement and has continued during the agreement.
- Contingency plans in case the service provider fails, and whether these have been tested.
- Confirmation that a written agreement, which complies with the guidance, is in existence (a copy must also be included in the application).
- An explanation of the methods the RLE uses to monitor service provider performance.
- Any material delivery performance issues encountered and any remediation action taken.
- Where applicable, a section highlighting areas where the RLE believes that the arrangement may not be fully compliant with the guidance or is beginning to diverge.
The BMA indicated that it will seek to provide a response within 60 calendar days following receipt of applications for approval of pre-existing outsourcing arrangements. It should also be borne in mind that it is imperative that applications are complete and comprehensive as failure to demonstrate compliance with the Guidance Notes can result in the BMA returning the submission. If the submission is returned, the pre-approval route is no longer available with the only option being attestation.
The attestation route requires a declaration made by the CEO of the RLE (or if there is no such person, a Board nominated senior executive), that the existing outsourcing arrangements are in compliance with the Guidance Notes. This attestation will be verified through the BMA's ongoing supervisory process. No supporting documents are required for the attestation submission; however, supporting documentation will be required for subsequent on-site visits from the BMA verifying the attestation.
Following implementation of the Guidance Notes, if an RLE enters into a new material outsourcing arrangement it has to provide a prior notification letter to the BMA signed by the CEO, or board nominated senior executive. Upon receiving this letter, a 20 working day notification period is activated. The contents of this letter should include the following:
- Name, address, regulatory status of the service provider.
- Whether the service provider is related to the RLE.
- Details of all outsourced activities to the service provider. This should include a summary and why the activity is considered material.
- Reasons for outsourcing and details of contingency plans that are in place.
- Confirmation from senior management of the RLE that a risk assessment and due diligence have been conducted. If any risks have been identified, how these will be mitigated.
- That a written agreement is in place which meets the requirements of the guidelines (a draft of the agreement should be included).
- How the arrangement will be monitored, including the tools that will be used.
- If applicable, where the RLE believes that there has been divergence or a failure of full compliance with the guidelines.
Responses from the BMA
During the 20 working day period after the receipt of prior notification, the BMA indicated that they may take the following actions:
- Request further information/clarification. The 20 working day period will pause until this is received.
- Formally reject the application, giving an explanation and any remediation necessary.
- Increase speed of response. Where there are no objections, usually when there has been an on-going dialogue between the BMA and RLE, the application can be accepted within the 20 working day period.
- Remain silent. Following the 20 working day period, silence can be interpreted as no objection to outsourcing.
It is important that RLEs fully co-operate with the BMA during this process to avoid delays as a consequence of failing to provide any additional information that the BMA requests.
Even if an activity is outsourced, ultimately the responsibility for the outsourced activity remains with management. The management of an RLE should have a clear set of policies concerning management of outsourcing which includes:
- The risk appetite for outsourcing activities. The BMA will expect to see clear evidence that management has a risk evaluation process and that it has been conducted effectively, with identification of potential risks and their mitigation or evidence of contingency plans should the outsourcing provider fail.
- The criteria for what constitutes material outsourcing. These will likely be RLE specific but whatever metrics are used to determine materiality, these must be formalised and clearly articulated in the RLE's policies and procedures.
- Evaluation of whether and how the process should be outsourced.
- Due diligence of the outsourcing provider, or subcontractor. This process should determine if the service provider:
a. Has an appropriate number of qualified staff.
b. Has the necessary technology, cyber security, financial capacity and infrastructure.
c. Has appropriate information and data security to protect any confidential information that it holds about the RLE and its clients.
d. Has an appropriate risk management framework in place.
e. Has appropriate business continuity and disaster recovery plans in place and a successful track record of testing can be demonstrated.
f. Can provide the RLE, its auditors and competent authority access to all documents that relate to the outsourcing.
The outsourcing agreement should be a legally binding written agreement that outlines all of the material elements of the relationship between the RLE and service provider. Any issues that have been identified by the risk evaluation and due diligence assessments should also be addressed.
It is the expectation of the BMA that RLEs will be able to demonstrate that they are continually monitoring all of their outsourcing arrangements, with the monitoring conducted being proportionate to the risk to the RLE.
RLEs need to ensure that they are suitably prepared for the implementation of the guidelines on 1 May 2020. RLEs are not only expected to provide complete and comprehensive applications for approval of new outsourcing arrangements, but are also expected to monitor these arrangements on an ongoing basis. This may require affected companies to implement new, or update their existing, internal risk management policies and frameworks, a task that shouldn't be underestimated.