In the wake of a shift to remote work for much of the financial sector, global regulators are beefing up their principles for outsourcing.
The International Organization of Securities Commissions (IOSCO) published a revised set of principles that aim to ensure the industry’s operational resilience when firms rely on external service providers.
The global regulatory group first developed principles for overseeing the use of outsourcing in 2005. Since then, “developments in markets and technology have focused regulatory attention on risks related to outsourcing,” it said.
“Regulatory reforms, technology developments, increased connectivity among market participants and increased levels of electronic trading and process automation have heightened the complexity of markets and the financial infrastructure and increased focus on operational efficiency,” the report said.
Additionally, the Covid-19 pandemic highlighted “the need to maintain business continuity in situations where external and often unforeseen shocks impact firms and their service providers,” IOSCO said.
The report noted that outsourced activity has “generally proved to be resilient” during the pandemic, and suggested that outsourcing “may have enhanced operational resilience at some financial institutions.”
However, it also said the shift to remote working intensified vulnerabilities, including increased cybersecurity threats and the practical challenges of auditing and supervision in a remote environment.
The pandemic also increased the industry’s reliance on technology, “and some service providers experienced significant increases in volumes whilst simultaneously responding to lockdown measures, increased absenteeism and the challenges of working from home,” it said.
Ultimately, IOSCO said the pandemic and the increased reliance on outsourcing highlighted the need for increased attention to the kinds of operational resilience issues that are covered in the updated principles.
The revised principles cover issues such as firms’ due diligence in selecting and monitoring service providers; information security, continuity and disaster recovery; and the risks posed by a high concentration in outsourcing arrangements, among other things.