17 Dec 2011

SEBI Guidelines on Outsourcing of Activities by Intermediaries

The Securities and Exchange Board of India (SEBI) has issued an important circular numbered CIR/MIRSD/24/2011, dated December 15, 2011. Through this circular, SEBI has provided guidelines on outsourcing of activities by intermediaries. These guidelines are as follows:

1. SEBI Regulations for various intermediaries require that they shall render at all times high standards of service and exercise due diligence and ensure proper care in their operations.

2. It has been observed that often the intermediaries resort to outsourcing with a view to reduce costs, and at times, for strategic reasons.

3. Outsourcing may be defined as the use of one or more than one third party – either within or outside the group – by a registered intermediary to perform the activities associated with services which the intermediary offers.

4. Principles for Outsourcing: The risks associated with outsourcing may be operational risk, reputational risk, legal risk, country risk, strategic risk, exit-strategy risk, counter party risk, concentration and systemic risk. In order to address the concerns arising from the outsourcing of activities by intermediaries based on the principles advocated by the IOSCO and the experience of Indian markets, SEBI had prepared a concept paper on outsourcing of activities related to services offered by intermediaries. Based on the feedback received on the discussion paper and also discussion held with various intermediaries, stock exchanges and depositories, the principles for outsourcing by intermediaries have been framed. These principles shall be followed by all intermediaries registered with SEBI.

5. Activities that shall not be Outsourced: The intermediaries desirous of outsourcing their activities shall not, however, outsource their core business activities and compliance functions. A few examples of core business activities may be – execution of orders and monitoring of trading activities of clients in case of stock brokers; dematerialisation of securities in case of depository participants; investment related activities in case of Mutual Funds and Portfolio Managers. Regarding Know Your Client (KYC) requirements, the intermediaries shall comply with the provisions of SEBI {KYC (Know Your Client) Registration Agency} Regulations, 2011 and Guidelines issued thereunder from time to time.

6. Other Obligations: The following additional obligations are worth noting:

(i) Reporting To Financial Intelligence Unit (FIU) - The intermediaries shall be responsible for reporting of any suspicious transactions / reports to FIU or any other competent authority in respect of activities carried out by the third parties.

(ii) Need for Self Assessment of existing Outsourcing Arrangements – In view of the changing business activities and complexities of various financial products, intermediaries shall conduct a self assessment of their existing outsourcing arrangements within a time bound plan, not later than six months from the date of issuance of this circular and bring them in line with the requirements of the guidelines/principles.

7. This circular is issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.

The following principles for outsourcing for intermediaries have been prescribed by SEBI:

1. An intermediary seeking to outsource activities shall have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced. The Board / partners (as the case may be) {hereinafter referred to as “the Board”} of the intermediary shall have the responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.

The policy shall cover activities or the nature of activities that can be outsourced, the authorities who can approve outsourcing of such activities, and the selection of third party to whom it can be outsourced. For example, an activity shall not be outsourced if it would impair the supervisory authority’s right to assess, or its ability to supervise the business of the intermediary. The policy shall be based on an evaluation of risk concentrations, limits on the acceptable overall level of outsourced activities, risks arising from outsourcing multiple activities to the same entity, etc.

The Board shall mandate a regular review of outsourcing policy for such activities in the wake of changing business environment. It shall also have overall responsibility for ensuring that all ongoing outsourcing decisions taken by the intermediary and the activities undertaken by the third-party, are in keeping with its outsourcing policy.

2. The intermediary shall establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the third party. An intermediary shall make an assessment of outsourcing risk which depends on several factors, including the scope and materiality of the outsourced activity, etc. The factors that could help in considering materiality in a risk management programme include

(i) The impact of failure of a third party to adequately perform the activity on the financial, reputational and operational performance of the intermediary and on the investors / clients;
(ii) Ability of the intermediary to cope up with the work, in case of non performance or failure by a third party by having suitable back-up arrangements;
(iii) Regulatory status of the third party, including its fitness and probity status;
(iv) Situations involving conflict of interest between the intermediary and the third party and the measures put in place by the intermediary to address such potential conflicts, etc.

While there shall not be any prohibition on a group entity / associate of the intermediary to act as the third party, systems shall be put in place to have an arm’s length distance between the intermediary and the third party in terms of infrastructure, manpower, decision-making, record keeping, etc. for avoidance of potential conflict of interests. Necessary disclosures in this regard shall be made as part of the contractual agreement. It shall be kept in mind that the risk management practices expected to be adopted by an intermediary while outsourcing to a related party or an associate would be identical to those followed while outsourcing to an unrelated party.

The records relating to all activities outsourced shall be preserved centrally so that the same is readily accessible for review by the Board of the intermediary and / or its senior management, as and when needed. Such records shall be regularly updated and may also form part of the corporate governance review by the management of the intermediary.

Regular reviews by internal or external auditors of the outsourcing policies, risk management system and requirements of the regulator shall be mandated by the Board wherever felt necessary. The intermediary shall review the financial and operational capabilities of the third party in order to assess its ability to continue to meet its outsourcing obligations.

3. The intermediary shall ensure that outsourcing arrangements neither diminish its ability to fulfill its obligations to customers and regulators, nor impede effective supervision by the regulators. The intermediary shall be fully liable and accountable for the activities that are being outsourced to the same extent as if the service were provided in-house. Outsourcing arrangements shall not affect the rights of an investor or client against the intermediary in any manner. The intermediary shall be liable to the investors for the loss incurred by them due to the failure of the third party and also be responsible for redressal of the grievances received from investors arising out of activities rendered by the third party. The facilities / premises / data that are involved in carrying out the outsourced activity by the service provider shall be deemed to be those of the registered intermediary. The intermediary itself and Regulator or the persons authorized by it shall have the right to access the same at any point of time. Outsourcing arrangements shall not impair the ability of SEBI/SRO or auditors to exercise its regulatory responsibilities such as supervision/inspection of the intermediary.

4. The intermediary shall conduct appropriate due diligence in selecting the third party and in monitoring of its performance. It is important that the intermediary exercises due care, skill, and diligence in the selection of the third party to ensure that the third party has the ability and capacity to undertake the provision of the service effectively. The due diligence undertaken by an intermediary shall include assessment of:

(i) third party’s resources and capabilities, including financial soundness, to perform the outsourcing work within the timelines fixed;
(ii) compatibility of the practices and systems of the third party with the intermediary’s requirements and objectives;
(iii) market feedback of the prospective third party’s business reputation and track record of their services rendered in the past;
(iv) level of concentration of the outsourced arrangements with a single third party; and
(v) the environment of the foreign country where the third party is located.

5. Outsourcing relationships shall be governed by written contracts / agreements / terms and conditions (as deemed appropriate) {hereinafter referred to as “contract”} that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of the parties to the contract, client confidentiality issues, termination procedures, etc. Outsourcing arrangements shall be governed by a clearly defined and legally binding written contract between the intermediary and each of the third parties, the nature and detail of which shall be appropriate to the materiality of the outsourced activity in relation to the ongoing business of the intermediary. Care shall be taken to ensure that the outsourcing contract:

(i) clearly defines what activities are going to be outsourced, including appropriate service and performance levels;
(ii) provides for mutual rights, obligations and responsibilities of the intermediary and the third party, including indemnity by the parties;
(iii) provides for the liability of the third party to the intermediary for unsatisfactory performance/other breach of the contract;
(iv) provides for the continuous monitoring and assessment by the intermediary of the third party so that any necessary corrective measures can be taken up immediately, i.e., the contract shall enable the intermediary to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations;
(v) includes, where necessary, conditions of sub-contracting by the third-party, i.e. the contract shall enable intermediary to maintain a similar control over the risks when a third party outsources to further third parties as in the original direct outsourcing;
(vi) has unambiguous confidentiality clauses to ensure protection of proprietary and customer data during the tenure of the contract and also after the expiry of the contract;
(vii) specifies the responsibilities of the third party with respect to the IT security and contingency plans, insurance cover, business continuity and disaster recovery plans, force majeure clause, etc.;
(viii) provides for preservation of the documents and data by third party;
(ix) provides for the mechanisms to resolve disputes arising from implementation of the outsourcing contract;
(x) provides for termination of the contract, termination rights, transfer of information and exit strategies;
(xi) addresses additional issues arising from country risks and potential obstacles in exercising oversight and management of the arrangements when intermediary outsources its activities to foreign third party. For example, the contract shall include choice-of-law provisions and agreement covenants and jurisdictional covenants that provide for adjudication of disputes between the parties under the laws of a specific jurisdiction;
(xii) neither prevents nor impedes the intermediary from meeting its respective regulatory obligations, nor the regulator from exercising its regulatory powers; and
(xiii) provides for the intermediary and /or the regulator or the persons authorized by it to have the ability to inspect, access all books, records and information relevant to the outsourced activity with the third party.

6. The intermediary and its third parties shall establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities. Specific contingency plans shall be separately developed for each outsourcing arrangement, as is done in individual business lines. An intermediary shall take appropriate steps to assess and address the potential consequence of a business disruption or other problems at the third party level. Notably, it shall consider contingency plans at the third party; co-ordination of contingency plans at both the intermediary and the third party; and contingency plans of the intermediary in the event of non-performance by the third party. To ensure business continuity, robust information technology security is a necessity. A breakdown in the IT capacity may impair the ability of the intermediary to fulfill its obligations to other market participants/clients/regulators and could undermine the privacy interests of its customers, harm the intermediary’s reputation, and may ultimately impact on its overall operational risk profile. Intermediaries shall, therefore, seek to ensure that third party maintains appropriate IT security and robust disaster recovery capabilities. Periodic tests of the critical security procedures and systems and review of the backup facilities shall be undertaken by the intermediary to confirm the adequacy of the third party’s systems.

7. The intermediary shall take appropriate steps to require that third parties protect confidential information of both the intermediary and its customers from intentional or inadvertent disclosure to unauthorised persons. An intermediary that engages in outsourcing is expected to take appropriate steps to protect its proprietary and confidential customer information and ensure that it is not misused or misappropriated. The intermediary shall prevail upon the third party to ensure that the employees of the third party have limited access to the data handled and only on a “need to know” basis and the third party shall have adequate checks and balances to ensure the same. In cases where the third party is providing similar services to multiple entities, the intermediary shall ensure that adequate care is taken by the third party to build safeguards for data security and confidentiality.

8. Potential risks posed where the outsourced activities of multiple intermediaries are concentrated with a limited number of third parties. In instances where the third party acts as an outsourcing agent for multiple intermediaries, it is the duty of the third party and the intermediary to ensure that strong safeguards are put in place so that there is no co-mingling of information/documents, records and assets.