Sub-contracting

As third-party relationships become more complex in the financial sector, many third-party service providers employ sub-contractors to deliver outsourced services to FSPs. However, FSPs must retain ultimate liability and responsibility to authorities and customers for these outsourced services. When a service provider uses sub-contractors, FSPs should maintain the capability to monitor and control risks associated with these outsourcing arrangements. To ensure accountability, outsourcing agreements should include clauses that define the rules and restrictions surrounding sub-contracting. Additionally, these agreements should hold the service provider contractually responsible for the performance and risk management practices of its sub-contractors, as well as for ensuring sub-contractors adhere to the terms specified in the agreement between the FSP and the service provider. The agreement should explicitly require sub-contractors to safeguard the privacy and integrity of all data belonging to both the FSP and its customers that they handle.

A service provider should have appropriate processes in place to manage the risks associated with sub-contracting. These risks can impact its ability to appropriately deliver the outsourced services according to the contract with FSPs. As part of both initial due diligence and ongoing monitoring phases, FSPs should assess how effectively the service provider assesses and manages sub-contracting risks.

Due to the increasing complexity of service providers’ sub-contracting relationships, particularly in areas such as Information and Communications Technology (ICT), it can be impractical for each FSP to directly assess and manage every unique risk across each aspect of their third-party service providers’ sub-contracting relationships (FSB 2023). Therefore, it’s important to apply the principle of proportionality and a risk-based approach in the management of risks associated with sub-contracting. However, in line with these principles, it is particularly important for FSPs and supervisory authorities to understand and monitor how the risks from sub-contractors are managed. This is particularly critical when a sub-contractor’s failure or disruption of its services could disrupt or significantly impact the material services outsourced by the FSP.

In general, for ICT-related outsourcing, it is advisable to establish guidelines and rules that require FSPs to contract with service providers, regardless of whether sub-contracting is involved, that comply with the standards already developed by internationally recognized standards bodies, such as the International Standards Organization (ISO) and the National Institute of Standards and Technology (NIST). These frameworks enable efficient management of otherwise complex issues, such as securing information according to its varying levels of risk and importance, and discourage the notion of treating all data uniformly.

Country Examples

Singapore