2022-05-05
The Eastern Caribbean Central Bank issued this Prudential Standard to mandate comprehensive risk management and governance frameworks for licensed financial institutions outsourcing material activities. The requirements enforce board oversight, rigorous third-party due diligence, and prior regulatory approval for significant contracts while guaranteeing uninterrupted service delivery and continuous supervisory access. Institutions must establish formal outsourcing policies, maintain robust contingency plans, and periodically reassess materiality to ensure ongoing regulatory compliance.
PRUDENTIAL STANDARD FOR THE OUTSOURCING OF SERVICES FOR INSTITUTIONS LICENSED TO CONDUCT BUSINESS UNDER THE BANKING ACT
Prepared by the BANK SUPERVISION DEPARTMENT
May 2020
EASTERN CARIBBEAN CENTRAL BANK, ST KITTS
BANKING PRUDENTIAL STANDARD NO. 02 OF 2020

This Prudential Standard is issued by the Eastern Caribbean Central Bank (“Central Bank”), in exercise of the powers conferred on it by section 184 of the Banking Act, No…. of 2015 [1].
i. Exercise more than twenty per cent of the voting rights at any meeting of shareholders of a licensed financial institution, company or unincorporated body;
ii. Elect a majority of the directors of a licensed financial institution, company or unincorporated body; or
iii. Exert influence over the business and affairs of a licensed financial institution, company or unincorporated body; and
iv. The terms “controlling interest” and “controlling shareholder” shall be construed accordingly;

d) “Intra-Group Service Provider” refers to the entity that is undertaking the outsourced activity on behalf of the regulated entity, which is a member of the corporate group to which the financial institution belongs, whether located in the ECCU or elsewhere.

e) “Licensed Financial Institution” means any person or incorporated entity licensed to conduct banking business under the Banking Act.

f) “Material Activities” in relation to an LFI refers to:
i. Activities or services of great significance, such that any weakness or failure in the financial institution’s delivery of them could have a significant effect on its ability to continue as a going concern and/or meet its regulatory responsibilities;
ii. Key systems, activities or services without which a financial institution would be inhibited from delivering services to its customers;
iii. Any activity which would have a significant impact on a financial institution’s risk management, and the management of risks relating to these activities;
iv. Any other activities requiring authorisation from the Central Bank.

g) “Offshoring” means the subcontracting of a material activity, service or function with a service provider (including related parties or affiliates) in a country outside the Eastern Caribbean Currency Union (“ECCU”). Offshoring includes arrangements where the service provider is incorporated in the ECCU but the physical location of the outsourced activity is outside the ECCU. Offshoring does not include arrangements where the service provider is incorporated outside of the ECCU but the physical location of the outsourced activity, service or function is in the ECCU.

h) “Outsourcing” means to enter into a contractual agreement with a third-party service provider, where the service provider manages functions, business activities, processes or products that are, or could be, undertaken by the LFI. The definition of outsourcing does not include purchasing [2] contracts or the engaging of consultants to provide technical advice on operations or to organise and establish a service; however, the use of a service provider to manage or deliver that service would constitute outsourcing [3].

i) “Regulated entity” refers to a body that is authorised for regulated activities by a regulator.

j) “Regulator” refers to a governmental or non-governmental body that ensures compliance with laws, regulations and established rules, provides input into developing and interpreting legislation and regulations, issues standards, and approves requests from regulated financial institutions or persons; this includes the Eastern Caribbean Central Bank and/or any other local, regional and international regulator(s), where applicable.

[2] Purchasing is defined, inter alia, as the acquisition from a vendor of services, goods or facilities without the transfer of the purchasing firm's non-public proprietary information pertaining to its customers or other information connected with its business activities.
[3] Direct contractual relationships between a third party and a client should not fall within the definition of outsourcing. That is, if a financial institution habitually contracts out a function that it could not otherwise perform, then it is not referred to as outsourcing.
k) “Senior Management” of an institution means:
i. The chief executive officer, deputy chief executive officer, chief operating officer, chief financial officer, internal auditor, company secretary, or manager of a significant business unit of the institution; or
ii. A person with similar responsibilities or with a position similar to that identified in item (i); or
iii. Any person who is authorised to make a policy decision.

l) “Subcontracting” means the further transfer of an outsourced activity (or a part thereof) from a third party service provider to another service provider.

m) “Third Party Service Provider” refers to an entity that is undertaking the outsourced activity on behalf of the financial institution, which is external to the licensed financial institution, whether located in the ECCU or elsewhere.

3. OBJECTIVES

This Prudential Standard aims to:
a) Provide guidance to LFIs under the Act on sound principles for the management of outsourcing arrangements.
b) Set out measures that LFIs shall take to manage risks associated with outsourcing material [4] activities.
c) Ensure that LFIs maintain control of risks associated with outsourcing and that these risks are adequately managed.
d) Provide minimum standards with which the Central Bank expects compliance for outsourced services, activities and functions.

4. APPLICATION

a) This Standard applies to all institutions licensed under the Banking Act.

[4] A definition of materiality and material activities is contained in Section 2, the interpretation section.
b) Where an LFI outsources material activities, all the requirements of this Standard shall apply.
c) Where an LFI outsources non-material activities, it should apply the requirements of this Standard in a manner proportionate to the risk.
d) This Standard must be read in conjunction with the provisions of the Act, as well as written directives, the Prudential Standard on Corporate Governance and any other Standard that the Central Bank may issue from time to time pursuant to the relevant legislation.
e) Appendix I provides a non-exhaustive list of examples of outsourcing arrangements that are, as well as those that are not, subject to this Standard. It should not be misconstrued that arrangements not defined as outsourcing need not be subject to adequate risk management and sound internal controls. Institutions may consult with the Central Bank when they are uncertain whether a particular arrangement falls within this definition.
f) Appendix II provides a non-exhaustive list of key risks identified in outsourcing arrangements.

5. STANDARDS

5.1. RESPONSIBILITY OF THE BOARD AND SENIOR MANAGEMENT

Consistent with the Central Bank’s Prudential Standard on Corporate Governance, the Board of Directors of a Licensed Financial Institution or Licensed Financial Holding Company is ultimately responsible for effective oversight of all outsourcing arrangements. Outsourcing does not diminish the obligations of the Board and Senior Management to maintain effective oversight and governance of outsourcing arrangements, manage outsourcing risks, and implement an adequate outsourcing risk management framework, in accordance with this Standard. The Board and Senior Management of LFIs must therefore ensure that a sound risk management culture is in place to mitigate and manage risks arising from outsourcing, by taking the following steps:
i. Evaluate the risk associated with all existing and proposed outsourcing arrangements;
ii. Carefully evaluate all outsourcing agreements or contracts;
iii. Develop a process for determining the materiality of the arrangements;
iv. Implement sound policies and procedures for outsourcing;
v. Conduct a comprehensive risk analysis and implement appropriate risk mitigation measures before the decision is made to enter into an outsourcing agreement;
vi. Conduct due diligence and analyse the financial and infrastructural assets of the service provider (intra-group or third party service provider);
vii. Ensure that there is a comprehensive contingency plan for the provision of outsourced services/processes in the event of a breach of contract, natural disaster or other unforeseen occurrences;
viii. Periodically review the effectiveness of these policies and procedures; and
ix. Ensure that core management functions are not outsourced.

The Board and Senior Management must ensure that policies are in place for effective oversight of outsourced activities. Appropriate terms of reference, with clearly defined roles and responsibilities and reporting channels on the part of the service provider, should be in place and included in the contract which binds the agreement between the financial institution and the service provider.

The Board and Senior Management must develop a comprehensive understanding of the benefits and costs before an activity is outsourced. This analysis should comprise an assessment of the organisation's core competencies, managerial capabilities, cost and reliability of contingency plans and future goals of the financial institution.

The Board and Senior Management should ensure that the role of compliance and internal audit is not hindered by the outsourcing arrangement. The internal audit function and the risk and compliance function must have the authority to assess any outsourced functions.
5.2. OUTSOURCING POLICY

a) The Board and Senior Management should establish specific policies, criteria and procedures for making decisions about outsourcing before any third party services are contracted. These policies or procedures should be assessed by the Risk Management function and should include the following:
i. An evaluation of whether the activity or service in particular should be outsourced, the risk implications, and parameters on the overall level of outsourced activities.
ii. An outline for the assessment of outsourced activities as well as the service provider(s) and any subcontractors.
iii. Appropriate treatment of offshoring arrangements and any associated risks.
iv. An assessment of risks arising from outsourcing multiple activities to the same service provider.
b) The Board has the responsibility for approving the outsourcing policy, has overall responsibility for activities undertaken under that policy, and must make a clear strategic decision as to whether certain services should be outsourced.
c) The internal audit function and the compliance function [5] may be outsourced, but they must remain subject to appropriate oversight by the Board.
d) The LFI must ensure that all outsourcing arrangements with service providers allow for the efficient and timely flow of information and data to the Central Bank and other regulatory institutions, including directly from the third party service provider, to assist with effective monitoring. In addition, all outsourcing arrangements with third party service providers must allow for on-site examinations by the Central Bank if required.

[5] For the purposes of this Standard, the compliance and internal audit functions are material business activities.
e) No activity shall be outsourced if it would impair the Central Bank’s right to assess, or its ability to supervise, the business of an LFI in the ECCU territories.

5.3. RISK MANAGEMENT FRAMEWORK

a) An LFI must seek the prior approval of the Central Bank to enter into contractual agreements to outsource any of its activities, in accordance with Section 53(7) of the Banking Act, 2015 [6]. LFIs should also inform the Central Bank of any material developments to vary, renew, extend or terminate an outsourcing arrangement for material activities after entering into it.
b) The Board is responsible for any outsourcing of activities undertaken by an LFI. Outsourcing may result in the third party service provider having day-to-day managerial responsibility for a business service or activity; however, the LFI remains accountable for complying with all prudential and compliance requirements and managing the risks that pertain to the outsourced activity.
c) An LFI must identify, assess, manage, mitigate and report on risks associated with outsourcing to its Board.
d) LFIs should establish a comprehensive outsourcing risk management framework to address all outsourced activities and the relationship with the third party service providers. It is the responsibility of the Board and Senior Management to ensure that adequate risk mitigation practices are in place for the effective oversight and management of the outsourcing arrangements. The Board or delegated committee should:
i. Review and approve risk management policies for outsourcing;
ii. Regularly review compliance with the outsourcing policy;
iii. Approve all outsourcing arrangements of material business activities;

[6] Section 52(7) of the Anguilla Banking Act.
iv. Regularly review reports on outsourcing arrangements;
v. Ensure the audit activities include assurance of the outsourcing arrangements and adherence to the terms and conditions of the agreements. This includes a review of the third party service provider’s internal controls as they relate to the service provided; and
vi. Notify the Central Bank of the proposed use of subcontractors by the service provider for all or part of an outsourced activity.

5.4. MATERIALITY

The materiality of an outsourcing arrangement will depend on the extent to which the arrangement has the potential to have a critical impact, both qualitative and quantitative, on a significant business line or the operations of a licensee. An assessment of the risks of outsourcing material activities should be done in establishing the outsourcing risk management framework, including but not limited to the following:
i. The ability to maintain critical controls and meet supervisory and regulatory requirements and delivery of the outsourced activity or service;
ii. The financial, operational and reputational impact on the financial institution of the failure of a third party service provider to effectively perform or deliver the activity or service;
iii. The reliance of the service provider on third parties to deliver the service;
iv. The degree of difficulty and time required to find an alternative third party service provider or to bring the business activity in house;
v. The ability to maintain control of outsourcing risk (including its general capabilities of managing operational risk); and
vi. The ability of the third party service provider to mitigate the potential risks in the outsourcing arrangement.

Licensed financial institutions should periodically assess an outsourcing arrangement’s materiality. In instances where an arrangement is reassessed as material, it should comply with the principles set out in this Standard and be reported to the Central Bank within 60 days of reassessment.

5.5. GOVERNANCE OF THIRD PARTY OUTSOURCING RELATIONSHIPS

a) A comprehensive written legal agreement should govern all outsourcing arrangements. The clauses of the contract should be appropriate to the materiality of the outsourced activity and should be drafted in relation to the on-going business and goals of the financial institution. The agreement should be forward looking and should be perused by the institution’s legal counsel. The agreement should include, but not be limited to, the following:
i. A clear definition and performance standards (qualitative and quantitative) for the activities which are being outsourced.
ii. Terms of the agreement and responsibilities of the outsourcing firm.
iii. The duration of the outsourcing function.
iv. Material issues unique to the outsourcing arrangement (see section 5.3 for guidance).
v. Provisions that give the financial institution right of access to all data, records and information relevant to the outsourced activity.
vi. Compliance of the outsourcing contracts or agreements with the Banking Act and other regulations or standards of the Central Bank, as well as other regulatory requirements in home and host countries.
vii. Provision for the continuous monitoring and assessment by the LFI of the third party service provider and its ability to implement or institute immediate corrective actions or measures.
viii. Provisions to ensure that the third party service provider does not hinder the LFI from meeting its regulatory obligations nor impede the Central Bank or other regulators from exercising their regulatory and supervisory powers.
ix. Conditions for subcontracting by the service provider for all or part of an outsourced activity.
x. The requirement for approval from the financial institution for the use of subcontractors by the service provider in the delivery of the outsourced activities. The subcontractor shall be subject to the same due diligence process as the third party service provider.
xi. The ability to maintain similar control over the risks when a service provider outsources to other third parties or subcontractors as in the original direct outsourcing arrangement.
xii. A termination clause that includes conditions for termination of the outsourcing contract.
xiii. Provisions relating to material corporate changes or winding up of the outsourcing firm.
xiv. Provisions for the ownership of intellectual property following termination.
xv. Provisions for the return of books, records, information, and other material after the termination of the contract.
xvi. Procedures for dispute settlement and business continuity during dispute settlement.
xvii. Contract fees.
xviii. Provisions for the disclosure of terms and conditions of insurance coverage and notification of significant changes in the insurance coverage.

5.6. INTRA-GROUP OUTSOURCING

The outsourcing Standard is also applicable to outsourcing arrangements within an LFI’s group structure. The institution is expected to develop group-wide risk management policies and procedures and demonstrate the process by which the board or its sub-committee provides oversight and management of the outsourcing risks on a group-wide basis.
An LFI shall ensure that the intra-group service provider is able to address risks specific to the institution, particularly those related to the following:
- Business Continuity Management;
- Monitoring and control;
- Audit and inspection;
- Right of access by the Central Bank to administer effective supervision over the service provider; and
- Compliance with regulatory standards.

The respective roles and responsibilities of each institution in the outsourcing arrangement should be documented in an agreement.

5.7. DUE DILIGENCE IN SELECTING THIRD PARTY SERVICE PROVIDERS

a) LFIs must implement procedures for conducting due diligence in order to assess the third party service provider’s capacity and ability to perform outsourced activities effectively, consistently and to a high standard. The standard of the outsourced function should be on the same level as or higher than that provided by the financial institution. Risk factors associated with using a particular third party service provider should also be assessed and taken into consideration before selection. Activities should not be outsourced to providers who do not meet the due diligence requirements.
b) LFIs must assess all relevant aspects of the third party service provider, including its ability to perform the outsourcing activity. Where applicable, an LFI’s assessment should be supplemented by on-site visits, independent reviews and market feedback.
c) Appropriate due diligence of the service provider should include, but not be limited to, the following assessments:
i. A background check which includes financial strength, quality of output, business reputation, complaints, compliance with applicable laws and regulations, and pending litigation.
ii. Experience and technical competence and adequacy of resources to implement and support the outsourced activity.
iii. Ability to meet objectives of the financial institution.
iv. Reliance on and success in dealing with sub-contractors.
v. Geographical location, including economic, social, legal and political conditions and regulations that might adversely impact on the third party service provider’s ability to effectively perform outsourced functions.
vi. Ability to meet disaster recovery and business continuity requirements.
vii. The adequacy of insurance coverage.
viii. The robustness of its risk management framework and capabilities with respect to the outsourcing arrangement.

5.8. CONTINGENCY PLANS

a) An LFI shall take appropriate steps to assess the consequence of a potential business disruption or other problems at the service provider as well as any subcontractor. An LFI shall assess contingency plans of the third party service provider to ensure that they are appropriately coordinated with those of the LFI and that they are in line with its goals and objectives.
b) Contingency plans shall be implemented for each individual outsourcing arrangement.
c) An LFI shall ensure that service providers maintain appropriate cyber security and appropriate disaster recovery capabilities. At minimum, the following should be incorporated into the third party’s contingency planning:
i. Contingency plans for all critical applications and services;
ii. Periodic testing of all contingency plans. Plans should be continually reviewed and kept up to date with technological and operational advancements;
iii. Business continuity in the event of natural and/or other disasters and other events that could lead to a disruption in the outsourced operations;
iv. Stressed exits in situations such as insolvency or liquidation of the service provider;
v. Contingency plans shall state the third party service provider’s acceptable ‘down time’, backup, record protection and retention (including equipment, programme and data files), and maintenance of the disaster recovery plans;
vi. Identified teams, as well as standby teams, responsible for managing the recovery and assessing the financial impact of a disruption in outsourced services.

5.9. CONFIDENTIALITY AND SECURITY

a) LFIs that engage in outsourcing should ensure that measures are implemented to protect the confidentiality and security of customer information, and ensure that it is not misused or misappropriated. Licensed financial institutions should ensure that third-party service providers have data protection, confidentiality and privacy policies and/or controls that are consistent with those of the LFI. The outsourcing agreement shall include provisions prohibiting the third party service provider and subcontractors from using or disclosing the financial institution’s proprietary information or that of its customers, except as necessary to provide the contracted services and to meet regulatory and statutory provisions.
b) To minimise the reputation and legal risk that may arise from breaches in confidentiality, the Board and Senior Management of LFIs must ensure that procedures and policies are implemented to ensure that:
i. Only authorised individuals, agents or systems have access to confidential data and records.
ii. All confidential data are maintained in a secure manner and protected from unauthorised viewing or modification during transmission over public, private or internal networks.
iii. The institution’s standards and controls for data use and protection are complied with when third parties access data through outsourcing relationships.
iv. All access to restricted data is logged and appropriate efforts are made to ensure that access logs are resistant to tampering.
c) An LFI shall implement measures to ensure adherence to customer privacy and data protection requirements. The following should form part of privacy procedures in outsourcing:
i. The financial institution’s customer privacy policies and standards take account of and comply with the Banking Act.
ii. Customer data are not used for purposes other than those for which they are specifically permitted, or for purposes beyond what customers have authorised, or what is mandated by the Central Bank or otherwise required by law.

5.10. MONITORING

An LFI shall establish frameworks for the management and monitoring of its outsourcing arrangements. These frameworks shall provide for the following:
i. Assignment of clear responsibility within the organisation for the monitoring of the outsourced arrangement.
ii. Periodic review of all outsourcing arrangements, with a more rigorous approach adopted for material activities. This is to ensure that the institution’s outsourcing policies and procedures, and the requirements of the policy, are effectively implemented.
iii. Reporting to the Board on the monitoring of outsourcing arrangements.
iv. Prompt action on, and reporting of, any adverse developments arising in any outsourcing arrangement, so that they are brought to the immediate attention of the Board, Senior Management, the service provider and the regulator.
v. The maintenance of a register of all outsourcing agreements, ensuring that the register is readily accessible for review by the regulator and the Board.

5.11. ABILITY TO FULFIL OBLIGATIONS TO CUSTOMERS AND REGULATORS

a) Outsourcing arrangements shall not impinge on the rights of a consumer in relation to an LFI, including the customer’s ability to obtain remedies under relevant laws and regulations.
b) The Central Bank or any other regulatory body’s ability to exercise supervision and its regulatory responsibility for financial institutions should not be impaired by outsourcing arrangements.
APPENDIX I
Examples of Outsourcing Arrangements

The following, although not exhaustive, are examples of some services that, when performed by a third party or intra-group service provider, would be regarded as outsourcing arrangements for the purposes of this Standard:
- Information system management and maintenance (for example, data entry and processing, data centres, data centre facilities management, end-user support, local area networks, help desks, information technology security operations);
- Application processing (for example, loan originations, insurance policies, credit cards);
- Back office management (for example, electronic funds transfer, payroll processing, custody operations, quality control, purchasing);
- Business continuity and disaster recovery functions and activities;
- Document processing (for example, cheques, credit card slips, bill payments, bank statements, other corporate payments);
- Loan administration (for example, loan negotiations, loan processing, collateral management, collection of bad loans);
- Investment management (for example, portfolio management, cash management);
- Marketing and research (for example, product development, call centres, telemarketing, data warehousing and mining, advertising, media relations);
- Professional services related to the business activities of the institution (for example, accounting, internal audit, actuarial, compliance);
- Cloud computing; and
- Human resources (for example, benefits administration, recruiting).

The following arrangements would generally not be regarded as outsourcing arrangements falling under the scope of this Standard:
- Courier services, regular mail, utilities, telephone;
- Supply and service of leased telecommunication equipment;
- Market information services;
- Clearing and settlement arrangements between members or participants of recognised clearing and settlement systems;
- Global financial messaging infrastructure which is subject to oversight by relevant regulators (for example, SWIFT);
- Correspondent banking services;
- Procurement of specialized training;
- Discrete advisory services (for example, legal opinions, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy);
- Purchase of goods, wares, commercially available software and other commodities;
- Independent audit reviews;
- Credit background and background investigation and information services;
- Independent consulting (for example, consultancy services for areas in which the institution does not have the internal expertise to conduct);
- Services the LFI is not legally able to provide;
- Printing services;
- Repair and maintenance of fixed assets;
- Travel agency and transportation services;
- Maintenance and support of licensed software;
- Temporary help and contract personnel;
- Fleet leasing services;
- Specialized recruitment;
- External conferences; and
- Syndication of loans.
APPENDIX II
Key Risks in Outsourcing

Each key risk is given with its definition and the concerns it raises in an outsourcing arrangement.

Reputational Risk
  Definition: The potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reduction.
  Concerns: Poor service from third party. Customer service is not consistent with the standards of the financial institution. Practices and operations are not in keeping with those of the financial institution.

Strategic Risk
  Definition: The risk to revenues, earnings, market share and product offering as a result of poor decision making or implementation of those decisions.
  Concerns: The service provider conducts activities that are inconsistent with the overall strategic goals and objectives of the regulated entity. Lack of due diligence and oversight mechanisms of the activities of the service provider. Lack of appropriate exit strategies. Limited ability to return services to the financial institution due to loss of expertise.

Operational Risk (including security and legal risks)
  Definition: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.
  Concerns: Technology failure and lack of, or ineffective, contingency planning. Inadequate financial capacity to fulfill obligations or provide remedies by the service provider. Fraud or errors during the normal course of business by the service provider. Limited ability to enforce outsourcing contract.

Compliance Risk
  Definition: The risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities.
  Concerns: Non-compliance with privacy, consumer and prudential laws. Inadequacy of compliance systems and controls by service providers.

Concentration and Systemic Risk
  Definition: Systemic risk is the risk of disruption to financial services that is caused by an impairment of all or parts of the financial system and has the potential to have serious negative consequences for the real economy.
  Concerns: Overall industry has significant exposure to a service provider. Lack of control of individual firms over provider.

Access Risk
  Definition: Access risk is the risk that the outsourcing arrangement may hinder the ability of an LFI to provide timely data and other information to regulators.
  Concerns: Additional layer of difficulty in the regulator’s understanding of the activities of the outsource provider.

Country Risk
  Definition: Country risk refers to the possible risk that an LFI’s condition would be adversely affected due to country specific conditions. These conditions can range from political, social and legal climate that may create added risks.
  Concerns: Business continuity planning becomes more complex.

Exit Strategy Risk
  Definition: Exit strategy risk is the risk that appropriate exit strategies are not in place.
  Concerns: Over reliance on one organisation for services that can result in loss of relevant skills in the LFI.

Step-In Risk
  Definition: Step-in risk is the risk that a financial institution will decide to provide financial support to a third party provider that is facing stress, in the absence of any contractual obligation to provide such support.
  Concerns: Reputational risk concerns arising from the service provider’s inability to perform its contractual obligation with the licensee.