Regulations may mandate outsourcing agreements that clearly define the general rights, obligations, and responsibilities of FSPs and service providers. It is common for regulations to explicitly require contractual terms to include privacy and security measures to safeguard data of FSPs and customers. FSPs should ensure that every outsourcing agreement addresses the risks identified at the due diligence stage. Agreements may include provisions on the scope of the outsourcing arrangement; business continuity management; operational measures; performance, internal control and risk management standards; notification of important adverse developments to the FSP and the supervisory authority; termination and exit strategies; dispute resolution; and consumer complaint handling mechanisms, among others.
The nature and detail of agreements should be appropriate to the materiality level of the service. For instance, agreements for the provision of material services should place greater emphasis on areas such as commitments relating to operational resilience, including business continuity, contingency planning, and disaster recovery (FSB 2023). Also, each agreement should be tailored to address country-specific risks and potential challenges in overseeing and managing outsourcing arrangements with a cross-border service provider.
Regulators should also require agreements to include provisions granting FSPs the ability to inspect and audit service providers where needed. These agreements should also ensure the FSP’s right to access information from the service provider, including the relevant details about its sub-contractors. In addition, the supervisory authority may require FSPs to regularly receive reports from service providers on the performance of agreements and control measures. Moreover, agreements should have clauses ensuring the right of the supervisory authority to inspect, supervise and obtain information from service providers to effectively oversee outsourcing arrangements. This oversight is particularly crucial for services that are material or have the potential to lead to a significant level of system-level concentration and interconnectedness in the sector.
The outsourcing agreement should also grant FSPs the right to terminate the outsourcing arrangement in the event of a default or if the service provider fails to safeguard the privacy and integrity of the FSP’s customer data. Additionally, agreements should outline measures for ensuring a smooth transition if the arrangement is terminated.
Country Examples
The State Bank of Pakistan (SBP) requires FSPs to ensure their outsourcing contracts grant both the FSP and SBP the rights to access, audit and obtain information from the Cloud Service Provider (CSP) and its sub-contractors for assurance, oversight, incident investigation, and inspection regarding outsourced services. In the case of offshore CSPs, the SBP-regulated FSP may rely on internationally recognized third-party certifications and reports provided by the CSP (SBP 2023). However, the FSP must include a contractual clause in its agreements that allows it to request an expansion of the scope of these certifications, assessments, or audits to cover relevant controls and systems.




