The MFSA Guidance document includes a whole section on outsourcing, specifically addressing issues about governance, risks and responsibilities surrounding IT outsourcing arrangements.
The Guidance defines what constitutes an outsourcing arrangement. It also provides examples of instances that should not constitute an outsourcing arrangement.
The Guidance document provides the basis for an outsourcing governance framework. Amongst other things, it states that:
- Outsourcing arrangements within the same Group do not exonerate the License Holder from its responsibilities, since the responsibility still lies with the License Holder.
- A register of outsourced services should be maintained (the Guidance document lists what this register should include).
- A risk assessment should be carried out for outsourced services (the Guidance document lists the factors to be included in the risk assessment). The assessment should also take into consideration issues relating to conflicts of interest.
- An Outsourcing Policy should be established (the Guidance document lists the areas to be included in the Outsourcing Policy).
- The License Holder should receive appropriate reports (including independent audit reports) from the outsourced service provider.
- Business continuity plans need to factor outsourcing arrangements into consideration.
- Certain areas in IT outsourcing arrangements should be covered by the internal audit function.
The Guidance document also highlights the outsourcing process that should be adhered to by License Holders. It describes the following processes pertinent to an outsourcing arrangement:
- Pre-outsourcing analysis
- Contractual phase
- Monitoring and oversight of outsourcing arrangements
- Exit strategies