Outsourcing handbook

The Outsourcing handbook (FSMA_2023_24) provides practical guidance on outsourcing for SGPCIs and SGs of any function. It emphasizes that while outsourcing can bring expertise and cost efficiencies, it does not diminish the responsibility of the firm’s management to adhere to sound governance principles. The FSMA oversees the adequacy of the organization to ensure compliance with applicable laws, including outsourced activities. The guidelines stress the importance of proportionality in organizing SGPCI/SG activities, meaning that outsourcing requirements should be proportional to the organization’s size, nature, and complexity.
The document outlines the necessity for SGPCIs/SGs to maintain a register of all ongoing outsourcing arrangements, including details such as the nature of the outsourced function, the provider’s information, the countries where the service will be executed, and whether the outsourced function is considered critical or important. For critical or important functions, additional information such as risk assessments, audit dates, and estimated annual budgetary costs should be included in the register. The SGPCI/SG must be able to provide the complete register or specific parts of it to the FSMA upon request in a computer-readable format.
Furthermore, the document addresses the management of conflicts of interest arising from outsourcing activities, emphasizing the need for appropriate governance measures to handle such conflicts. It also highlights the role of internal audit in independently reviewing outsourced functions, particularly critical or important ones, to ensure compliance with laws, risk strategy, and effective governance participation.
The guidelines also detail the decision-making process for outsourcing, emphasizing the importance of a thorough and documented analysis before engaging a service provider. This includes evaluating whether the function is critical or important, assessing relevant risks, and identifying and evaluating potential conflicts of interest. Additionally, it stresses the need for a clear description of the outsourced function, contract terms, financial obligations, and the provider’s obligations regarding sub-outsourcing. The document also emphasizes the importance of written contracts for outsourced critical or important functions, including clauses related to sub-outsourcing, termination, and compliance with laws and contractual obligations.
The handbook repeals and replaces Circular PPB 2004/5 of the CBFA dated 22 June 2004 on sound management practices in outsourcing by credit institutions and investment firms. SGPCIs/SGs have until 30 June 2024 to implement the present outsourcing handbook and the principles of sound management that it contains.