Tech & Sourcing @ Morgan Lewis


The Board of the International Organization of Securities Commissions (IOSCO) has published a set of revised outsourcing principles for regulated entities. IOSCO is an international policy forum for securities regulators and a global standard-setter for securities regulation whose membership regulates more than 95% of the world's securities markets.

IOSCO’s revisions come amid an increased focus on ensuring the operational resilience of regulated entities, brought to the fore during the COVID-19 pandemic.

The revised principles comprise a set of fundamental precepts and seven principles for regulated entities to consider when reviewing their outsourcing contracts. They are based on, and merge, the 2005 and 2009 principles for market intermediaries and for markets, respectively, and their application has been expanded to include trading venues, market intermediaries and market participants acting on a proprietary basis, and regulated credit rating agencies.

IOSCO states that it is keeping a “watching brief” on the application of outsourcing principles to asset management.

Fundamental Precepts

IOSCO’s report sets out certain precepts for regulated entities to consider when reading the seven principles. These include the following:

  • The definition of “outsourcing”
  • Proportional application of the principles
  • The full responsibility of the regulated entity to the regulator for all outsourced tasks
  • Materiality and criticality assessments
  • Application of the principles to affiliates performing outsourced tasks
  • The treatment of subcontracting
  • Certain additional risks of outsourcing on a cross-border basis

Common outsourced tasks of in-scope firms that IOSCO cites include information technology and cloud services, operation/support of exchanges and trading platforms, regulatory reporting, and other control functions such as real-time trade monitoring and audits.


  1. Due Diligence: A regulated entity should conduct suitable due diligence processes in selecting an appropriate service provider and in monitoring its ongoing performance.
  2. Written Contract: A regulated entity should enter into a legally binding written contract with each service provider, the nature and detail of which should be appropriate to the materiality or criticality of the outsourced task to the business of the regulated entity. IOSCO highlights that, as a result of increased remote working, service level provisions applicable to the provider may depend on whether staff are working onsite or remotely.
  3. Information Security, Business Resilience, Continuity, and Disaster Recovery: A regulated entity should take appropriate steps to ensure that both the regulated entity and any service provider establish procedures and controls to protect the regulated entity’s proprietary and client-related information and software and to ensure a continuity of service to the regulated entity, including a plan for disaster recovery with periodic testing of backup facilities. IOSCO highlights the cybersecurity and service quality challenges posed by a remote working environment, and additionally suggests validating tests of capabilities to safeguard the security and the accessibility of remote network connections.
  4. Confidentiality Issues: A regulated entity should take appropriate steps to ensure that service providers protect confidential information and data related to the regulated entity and its clients from intentional or inadvertent unauthorized disclosure to third parties.
  5. Concentration of Outsourcing Arrangements: A regulated entity should be aware of, and manage effectively, the risks posed where it is dependent on a single service provider for material or critical outsourced tasks or where it is aware that one of its service providers provides material or critical outsourcing services to multiple regulated entities. IOSCO states that the COVID-19 pandemic highlighted potential concentration risk from a technology and infrastructure perspective (e.g., cloud service providers).
  6. Oversight, Access, and Audit: A regulated entity should take appropriate steps to ensure that its regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks that is relevant to contractual compliance and/or regulatory oversight.
  7. Termination of Outsourcing Arrangements: A regulated entity should include written provisions relating to the termination of outsourced tasks in its contract with service providers and ensure that it maintains appropriate exit strategies.

The report includes an annex that describes how outsourcing integrates with cloud computing and how credit rating agencies use and incorporate outsourcing and cloud computing in their organizational strategies and structures.


The impact of the COVID-19 pandemic has focused regulators’ attention on issues of operational resilience and vulnerabilities, and practical challenges of a remote working environment, especially where third-party outsourcing and other service providers are relied upon.

IOSCO’s principles have been reflected in certain recent jurisdictional regulatory guidance:

  • United States: In August 2021, the Financial Industry Regulatory Authority, Inc., an affiliate member of IOSCO, highlighted cybersecurity risks and other “questions” for member firms to consider, including due diligence, business continuity, and oversight of providers.
  • United Kingdom: Both the Prudential Regulation Authority and the Financial Conduct Authority published policy statements this year addressing similar areas to IOSCO’s principles, including contractual requirements, and re-affirming the focus of these financial services supervising authorities on operational resilience and third-party risk management.
  • European Union: The European Securities and Markets Authority published in May 2021 final guidelines on outsourcing to cloud service providers, which cover due diligence, oversight, business continuity, and contractual requirements, among other matters.

We will continue to monitor these issues, which we expect to remain on the outsourcing and third-party risk agenda of regulators and international standard setters.