Identify and Mitigate Risk: Third-Party Service Providers
The Economic Substance laws and the updated Guidance issued in December 2019 require certain Regulated Entities to submit a declaration indicating the level of on-island activity no later than six months after their financial year start date. It is now August, and although many firms have already completed their declaration, others have different filing dates and may need support in identifying and minimizing the risks of using third-party service providers. In addition to the Governance and Risk considerations discussed in our previous blog, management is expected to conduct due diligence on service providers before selecting and contracting with them, covering information confidentiality as well as monitoring and oversight.
The due diligence process should include an evaluation of the service provider's operational, financial and legal ability to meet the company's servicing needs within Bermuda's laws, regulatory requirements, local business practices and accounting standards. It should also address the following considerations around information confidentiality and how the company will monitor and oversee the provider:
Confidentiality of Information
- Management should ensure that any contract with a third-party service provider prohibits the service provider from disclosing or using company data or information for any purpose other than to carry out the contracted services.
- The contract should state that all information shared by the company with the service provider, regardless of how the service provider processes, stores, copies, or otherwise reproduces it, remains solely the property of the company.
- Any sharing of nonpublic customer-related information from Bermuda offices with a foreign-based third-party service provider must comply with Bermuda's privacy requirements, including any disclosures to, and agreements with, customers who would be affected by the company's relationship with that provider.
- Contracts between the company and a service provider must include a provision requiring the service provider to implement security
Monitoring and Oversight
Companies should implement an effective oversight program to monitor the service provider's ongoing financial condition and its performance under the contract. Monitoring policies and procedures should include:
- determining that the service provider maintains adequate physical and data security controls, transaction procedures, business resumption and continuity planning and testing, contingency arrangements, insurance coverage, and compliance with applicable laws and regulations;
- ensuring that the company has sufficient expertise to perform the oversight function; and
- evaluating audit reports prepared by the service provider's own internal audit staff, independent external audits and reviews (for example, SOC 1 or SOC 2 reports, which have replaced the older SAS 70 reviews), and internal reports prepared by the company's own auditors.
Oyster can provide guidance in developing risk assessment processes around outsourcing, conduct the risk assessment, perform the initial due diligence, and carry out ongoing monitoring of the outsourced activities. For more information about Oyster's services and how we can help your firm, contact us online or call (441) 541-5026 and one of our associates will be happy to help you.