Press Release
The FSC Adjusts the Outsourcing Management of Financial Institutions based on the Risk-Based Approach and Announces Amendments to the Outsourcing Regulations
2023-03-07
The FSC Adjusts the Outsourcing Management of Financial Institutions based on the Risk-Based Approach and Announces Amendments to the Outsourcing Regulations
The Financial Supervisory Commission (FSC) stated that in order to guide financial institutions to establish a comprehensive risk management framework for outsourced operations (outsourcing), as well as to review relevant application procedures and reporting contents, it announced the draft amendments to the "Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation" (hereinafter referred to as the "Regulations") to strengthen the operational resilience of financial institutions and protect customer rights and interests. During the announcement period, a public hearing will also be held to collect opinions on the draft amendment from external parties.
The FSC has considered that the current contents of outsourcing risks for financial institutions are different. In recent years, financial institutions have actively adopted emerging technologies such as cloud computing and cloud storage to enhance digital transformation and increase agility and flexibility of financial services. The scope of application has gradually diversified, and it is necessary to adjust the relevant management aspects for outsourcing based on risk-based principles. The FSC also considers that international regulations on outsourcing supervision are moving towards the risk-based approach (RBA) and therefore proposes the revision draft of the Regulations (refer to the Attachment for the background explanation).
The main points of the amendment to the Regulations are as follows:
1. Establish a risk-based outsourcing management framework: (Article 4 of the amended articles)
(1) Financial institutions should formulate appropriate policies and principles to evaluate risks, materiality, and impact on operations and customer rights and interests of outsourcing matters and adopt corresponding control measures based on the RBA principle.
(2) Financial institutions are ultimately responsible for outsourcing: The scope of outsourcing and the division of responsibilities between the financial institution and the service provider should be clearly specified in outsourcing contracts, but financial institutions should take the ultimate responsibility for the outsourcing matters and the protection of customer rights and interests.
(3) Specifying five core principles: The principles include defining responsibility of the board of directors, having sufficient resources and expertise for the control of outsourcing, identifying material operations, conducting due diligence on service providers, and ensuring the inspection right of competent authorities.
2. Strengthen financial institutions’ ability to respond to emergency events: For emergency events with material impact on normal operations of financial institutions or customer rights and interests, financial institutions should specify the relevant responsibilities and obligations to jointly handle possible incidents with the service provider. Financial institutions should establish corresponding control and emergency response measures, and conduct regular drills. (Article 8 of the amended articles)
3. Simplify the outsourcing application procedures and documents: (Article 5, Article 11, and Article 12 of the amended articles)
(1) The amendment deletes the existing requirements that credit card issuance marketing, consumer loan marketing, and debt collection operations shall obtain regulatory approval in advance. However, financial institutions are still required to monitor and control outsourcing matters in accordance with Article 11 to Article 16 of the Regulations.
(2) If a financial institution applies for other outsourcing items (new types of outsourcing) and is approved by the competent authority, other financial institutions are not required to obtain regulatory approval to conduct the newly approved outsourcing items after the competent authority announces a notice letter.
4. Adopt risk-based supervision and adjust the scope of cross-border and cloud outsourcing applications: (Article 17 to 19 of the amended articles)
(1) Considering that if retail financial business information systems that are outsourced to overseas, operations of financial institutions and customer rights and interests may have greater potential impact, and therefore more prudent control standards should be adopted. Hence, the provision in Article 17 specifies that the outsourcing of retail financial business information systems that are deemed material and are outsourced to overseas shall require an application to the competent authority for approval.
(2) The FSC strengthens related regulations to increase customer data protection and ensure the safety and reliability of cloud technologies and applications. Meanwhile, the FSC also consolidates existing application documents, so that financial institutions would focus on establishing sound internal governance framework for outsourcing rather than the preparation of application documents.
5. Establish a comprehensive reporting mechanism for outsourcing: The FSC will refer to international practices to strengthen the reporting contents for outsourcing and specify obligations of updating relevant information timely so that the FSC can obtain complete information of outsourced matters of financial institutions, service providers, and control situations. These measures will help the competent authority review the effectiveness of outsourcing operations conducted by financial institutions. (Processed in accordance with the authorization granted in Article 3, Paragraph 3 of the existing articles)
6. Strengthen the supervisory measures of the competent authority: If the outsourced operation violates the Regulations or other laws and regulations, the competent authority can require the financial institution to take necessary measures based on the severity of the situation. (Article 22 of the amended articles).
The FSC stated that the revision of the Regulations will achieve three benefits:
1. Strengthening operational resilience: The amendment of the Regulations helps strengthen financial institutions' own governance decisions on outsourcing matters, fully assess the risks of outsourcing matters, carefully select the service providers, establish contingency plans and transfer mechanisms for termination of outsourcing to ensure customer data protection, information security, and business continuity. This enhances the operational resilience of financial institutions, and enables them to respond to various emergencies promptly and appropriately.
2. Promoting digital transformation: The FSC encourages financial institutions to use technology for digital transformation as well as to improve professional knowledge and expertise to enhance the management of third-party risks.
3. Enhancing supervisory efficiency: In addition to aligning supervisory measures with international practices, the FSC requires financial institutions to regularly review the overall outsourcing situation and report complete outsourcing-related information to the FSC to continuously monitor the overall outsourcing, customer data protection, and risk control of financial institutions.
The proposed amendments will be published in the Executive Yuan Gazette, and, in addition, the FSC will post a general description along with a comparison chart of revised articles on its website. Anyone wishing to comment may visit the FSC website within 60 days after the date of the public announcement and submit comments by visiting FSC Laws and Regulations Retrieving System.
The background explanation for the draft amendment of the "Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation" is provided (Attachment).
The Financial Supervisory Commission (FSC) stated that in order to guide financial institutions to establish a comprehensive risk management framework for outsourced operations (outsourcing), as well as to review relevant application procedures and reporting contents, it announced the draft amendments to the "Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation" (hereinafter referred to as the "Regulations") to strengthen the operational resilience of financial institutions and protect customer rights and interests. During the announcement period, a public hearing will also be held to collect opinions on the draft amendment from external parties.
The FSC has considered that the current contents of outsourcing risks for financial institutions are different. In recent years, financial institutions have actively adopted emerging technologies such as cloud computing and cloud storage to enhance digital transformation and increase agility and flexibility of financial services. The scope of application has gradually diversified, and it is necessary to adjust the relevant management aspects for outsourcing based on risk-based principles. The FSC also considers that international regulations on outsourcing supervision are moving towards the risk-based approach (RBA) and therefore proposes the revision draft of the Regulations (refer to the Attachment for the background explanation).
The main points of the amendment to the Regulations are as follows:
1. Establish a risk-based outsourcing management framework: (Article 4 of the amended articles)
(1) Financial institutions should formulate appropriate policies and principles to evaluate risks, materiality, and impact on operations and customer rights and interests of outsourcing matters and adopt corresponding control measures based on the RBA principle.
(2) Financial institutions are ultimately responsible for outsourcing: The scope of outsourcing and the division of responsibilities between the financial institution and the service provider should be clearly specified in outsourcing contracts, but financial institutions should take the ultimate responsibility for the outsourcing matters and the protection of customer rights and interests.
(3) Specifying five core principles: The principles include defining responsibility of the board of directors, having sufficient resources and expertise for the control of outsourcing, identifying material operations, conducting due diligence on service providers, and ensuring the inspection right of competent authorities.
2. Strengthen financial institutions’ ability to respond to emergency events: For emergency events with material impact on normal operations of financial institutions or customer rights and interests, financial institutions should specify the relevant responsibilities and obligations to jointly handle possible incidents with the service provider. Financial institutions should establish corresponding control and emergency response measures, and conduct regular drills. (Article 8 of the amended articles)
3. Simplify the outsourcing application procedures and documents: (Article 5, Article 11, and Article 12 of the amended articles)
(1) The amendment deletes the existing requirements that credit card issuance marketing, consumer loan marketing, and debt collection operations shall obtain regulatory approval in advance. However, financial institutions are still required to monitor and control outsourcing matters in accordance with Article 11 to Article 16 of the Regulations.
(2) If a financial institution applies for other outsourcing items (new types of outsourcing) and is approved by the competent authority, other financial institutions are not required to obtain regulatory approval to conduct the newly approved outsourcing items after the competent authority announces a notice letter.
4. Adopt risk-based supervision and adjust the scope of cross-border and cloud outsourcing applications: (Article 17 to 19 of the amended articles)
(1) Considering that if retail financial business information systems that are outsourced to overseas, operations of financial institutions and customer rights and interests may have greater potential impact, and therefore more prudent control standards should be adopted. Hence, the provision in Article 17 specifies that the outsourcing of retail financial business information systems that are deemed material and are outsourced to overseas shall require an application to the competent authority for approval.
(2) The FSC strengthens related regulations to increase customer data protection and ensure the safety and reliability of cloud technologies and applications. Meanwhile, the FSC also consolidates existing application documents, so that financial institutions would focus on establishing sound internal governance framework for outsourcing rather than the preparation of application documents.
5. Establish a comprehensive reporting mechanism for outsourcing: The FSC will refer to international practices to strengthen the reporting contents for outsourcing and specify obligations of updating relevant information timely so that the FSC can obtain complete information of outsourced matters of financial institutions, service providers, and control situations. These measures will help the competent authority review the effectiveness of outsourcing operations conducted by financial institutions. (Processed in accordance with the authorization granted in Article 3, Paragraph 3 of the existing articles)
6. Strengthen the supervisory measures of the competent authority: If the outsourced operation violates the Regulations or other laws and regulations, the competent authority can require the financial institution to take necessary measures based on the severity of the situation. (Article 22 of the amended articles).
The FSC stated that the revision of the Regulations will achieve three benefits:
1. Strengthening operational resilience: The amendment of the Regulations helps strengthen financial institutions' own governance decisions on outsourcing matters, fully assess the risks of outsourcing matters, carefully select the service providers, establish contingency plans and transfer mechanisms for termination of outsourcing to ensure customer data protection, information security, and business continuity. This enhances the operational resilience of financial institutions, and enables them to respond to various emergencies promptly and appropriately.
2. Promoting digital transformation: The FSC encourages financial institutions to use technology for digital transformation as well as to improve professional knowledge and expertise to enhance the management of third-party risks.
3. Enhancing supervisory efficiency: In addition to aligning supervisory measures with international practices, the FSC requires financial institutions to regularly review the overall outsourcing situation and report complete outsourcing-related information to the FSC to continuously monitor the overall outsourcing, customer data protection, and risk control of financial institutions.
The proposed amendments will be published in the Executive Yuan Gazette, and, in addition, the FSC will post a general description along with a comparison chart of revised articles on its website. Anyone wishing to comment may visit the FSC website within 60 days after the date of the public announcement and submit comments by visiting FSC Laws and Regulations Retrieving System.
The background explanation for the draft amendment of the "Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation" is provided (Attachment).
- Visitor: 2760
- Update: 2023-03-16
