Global menu

Our global pages


IOSCO consults on new proposed principles on outsourcing

  • United Kingdom
  • USA
  • France
  • Germany
  • Hong Kong
  • Global
  • Financial services


Eversheds Sutherland is pleased to announce its appointment by the Global Financial Markets Association (“GFMA”) to work alongside its three trade associations, specifically AFME, ASIFMA and SIFMA in preparing a consolidated response to the outsourcing consultation paper recently issued by the International Organisation of Securities Commissions (“IOSCO”). Over the coming months, Eversheds Sutherland and the GFMA will be collating feedback from the respective trade associations’ global members and submitting the response to IOSCO in early October.

On 28 May 2020, IOSCO issued a consultation paper (CR01/2020) on proposals to update its existing outsourcing principles with regard to certain regulated entities that outsource functions to service providers (the “Paper”). The Paper follows IOSCO’s review of developments in outsourcing and a survey of credit-rating agencies (“CRA”) and the adoption of outsourcing, including the use of cloud computing.


The proposed Principles of Outsourcing (the “Principles”) comprise a set of fundamental precepts and a set of seven principles. The proposed Principles are based on IOSCO’s 2005 Outsourcing Principles for Market Intermediaries and the 2009 Outsourcing Principles for Markets, which seek to assist market intermediaries in determining the steps they should take when considering outsourcing functions. As a result of increased regulatory scrutiny on outsourcing risks and emphasis on operational resilience within regulated entities, IOSCO has re-examined its existing outsourcing framework for market intermediaries to assess whether such principles remain suitable and to update them as appropriate. IOSCO has decided to issue this consultation now as firms move past the initial stages of COVID-19 crisis response, and consider the need to maintain operational resilience and business continuity in the face of unforeseen shocks to their business and their service providers.

Fundamental precepts

The fundamental precepts cover the following issues:

  • Application. The proposed Principles apply to a wide range of regulated entities, including trading venues, market intermediaries, market participants acting on a proprietary basis, credit rating agencies and financial market infrastructures which are regulated. IOSCO is seeking views on the scope of application of the Principles.
  • Definition of outsourcing: Outsourcing describes a business process where a firm uses a service provider to perform tasks, functions and processes that would otherwise be undertaken by the firm. This contrasts against the process of purchasing, which involves the acquisition from a vendor of services without the transfer of responsibility for the handling of the purchasing entity’s non-public proprietary or client information. The Paper clarifies that the proposed Principles are intended to apply to outsourced tasks which pose risks to regulatory objectives.
  • Responsibility of outsourcing: The regulated entity retains full responsibility, legal liability and accountability to its regulator in respect of the outsourced process to the extent it would if the service was provided in-house. The Principles clarify that the outsourcing should not impair the regulator’s ability to perform its supervisory role.
  • Potential benefits of outsourcing: It is acknowledged that Outsourcing can reap significant benefits such as obtaining expertise at a lower cost, automation of tasks and greater flexibility to business models of firms. In particular, cloud-based services or infrastructure list advantages such as improved accessibility, cost efficiency, demand scalability, always-on availability and improved security.
  • Potential risks and challenges: IOSCO also acknowledge the risks and challenges posed by outsourcing to both firms and regulators such as reduced clarity over performance of outsourced function (possibly a loss of control), risks to confidentiality through use of cloud and algorithmic technology and increased risk of cybersecurity incidents and operational disruptions. Low operational resilience in particular presents a broader threat to regulators’ objectives to prevent consumer harm and ensure market integrity and financial stability. Another significant challenge is concentration risk, brought on by increasingly specialised service providers leading to an environment where a small number of entities offer certain services. IOSCO is seeking views on the benefits, risks and challenges posed by outsourcing.
  • Assessment of materiality and criticality: The Principles should be applied in a risk-based manner commensurate with the degree of materiality and criticality of the outsourced function to the business of the firm. In assessing materiality, firms should consider whether the task comprises or affects a significant proportion of the functions of the firm. A critical task may be one which is relatively small but without which the firm is unable to conduct its activities. The Principles list several factors that firms should consider when assessing materiality and criticality such as risks to regulatory objectives, impact on investor protection and price formation and threat to clearing and settlement systems. IOSCO is seeking views on whether its description of materiality and criticality are adequately addressed.
  • Affiliates: The Principles apply regardless of whether outsourced tasks are performed by an affiliated entity of a corporate group or an entity external to the corporate group. The Paper highlights that outsourcing risks may not be as significant when outsourcing to affiliates as the regulated entity should be more familiar with the service providers business. However, such outsourcing may be on less than arms-length terms and increase risk in certain instances. IOSCO therefore suggests that the Principles should be applied where relevant to affiliates with some modification.
  • Cross-border outsourcing: IOSCO considers the risks posed by cross-border outsourcing such as conflicting regulatory and legal regimes, difficulties in physical monitoring and prompt access and economic, social or political risks affecting the ability of the service provider to perform.
  • Sub-contracting of outsourced functions: Regulated entities should ensure that sub-contracting is not permissible without its prior consent. It should also ensure that it has prompt access to data maintained or held by the sub-contractor.
  • Concentration risk: Operational and concentration risks must be considered as these may have a wider impact on other sectors and on public confidence in markets. Such risk can arise where the service provider is unable to perform material and critical functions for a large number of regulated entities or where multiple regulated entities depend on the same provider for disaster recovery services and the provider does not have sufficient capacity in the event of a disruption.

7 principles

The 7 principles cover the following areas and are supplemented with implementation guidance:

  1. Suitable due diligence should be conducted when selecting and monitoring service provider. Firms should exercise due care in selecting service providers and establish appropriate processes for monitoring performance of the service provider on an ongoing basis.
  2. Nature and detail of service provider agreement must factor in materiality and criticality of the outsourced function. The detail of the legal agreement should reflect levels of monitoring and auditing necessary and should deal with the responsibilities of parties, limitations on ability to sub-contract, change control, confidentiality of information, and IT security responsibilities, amongst other considerations.
  3. The regulated entity should establish procedures to protect its proprietary and client-confidential information and to ensure continuity of service. IOSCO emphasises that cybersecurity threats have increased in complexity and number. Such threats have an adverse impact on investors’ privacy and reputation and have a knock-on effect on market confidence. To bolster against that, regulated entities should ensure that firms maintain appropriate IT security, cybersecurity and disaster recover capabilities. IOSCO is seeking views on whether its implementation measures are adequate and in particular, what business continuity measures would be effective when a significant proportion of service providers’ workforce is working remotely.
  4. The regulated entity should take appropriate steps to protect confidential information and prevent inadvertent disclosure. Regulated entities should take steps to ensure that their confidential information is not misused, misappropriated or unlawfully disclosed to others. Firms should consider both physical and electronic information and impose obligations on service providers and sub-contractors accordingly.
  5. The regulated entity should mitigate concentration risk of outsourcing arrangements. In order to mitigate the risks stated under Fundamental Precept J, firms should consider measures such as entering shorter duration contracts, implementing insourcing plans or using different service providers for different tasks. The latter would prevent lock-in risk arising from the service provider’s technological configuration.
  6. Appropriate steps should be taken to ensure access to data, premises, personnel and associated rights of inspection. Regulated entities should ensure that their regulator and itself have prompt and comprehensive access and audit rights over activities for which they are regulated. These may include requiring records be maintained in the regulator’s jurisdiction or requiring that the service provider sends copies of data to parties upon request. Firms should also ensure continued access by their regulated books, records and appropriate personnel upon termination of the contract.
  7. Parties should cater for termination rights and appropriate exit strategies. Regulated entities should consider when an outsourcing agreement may be terminated and procedures for managing the transfer of the task in-house or to another service provider. Firms may consider implementing minimum termination notice periods and requiring service providers to assist and provide full support during the period of service transition.

Outsourcing practices of CRAs

The Paper also includes survey findings on existing outsourcing practices of CRAs, including the use of cloud computing for outsourcing (the “Survey”). In particular, the Survey identified that more central aspects of the credit rating process were being outsourced, especially in instances where functions were outsourced to affiliates. Interestingly, several CRAs did not consider that certain outsourced processes fell within the broad definition of outsourcing adopted by IOSCO (taking into account use beyond traditional outsourcing). For example, for firms operating as a global network, certain aspects of the credit rating function may be outsourced to affiliates but not internally classified as outsourcing.

The 23 CRAs surveyed also adopted cloud technology outsourcing to varying degrees and varying purposes, across all service models (IaaS, PaaS and SaaS). Different challenges and risks were identified in the adoption of cloud computing by CRAs such as concentration and lock-in risk, data localisation restrictions, unequal bargaining power and challenges arising from restricted access and audit rights to premises which impair regulators’ ability to supervise. One CRA encountered difficulties in negotiating a requirement granting rights to a premise inspection of cloud provider’s facilities due to the perceived security risk of granting access to multiple clients/regulators.

On the whole, the Survey found that determinations on outsourcing, due diligence and risk mitigation varied in accordance to the size of the CRA. Smaller CRAs tended to make determinations on a case-by-case basis and adopted more informal risk assessments. Larger CRAs typically had materiality thresholds for outsourcing decisions, multifaceted risk frameworks and layered governance methods.


The consultation will end on 1 October 2020. Firms may submit their comments before this deadline, using one of the following three methods:

  • Via email to with subject line “Principles on Outsourcing.”
  • Via fax to + 34 (91) 555 93 68
  • Via post to Giles Ward, International Organization of Securities Commissions (IOSCO), Calle Oquendo 12, 28006 Madrid, Spain with the heading “Public Comment on Principles on Outsourcing.”