Page 6 - Knowledge_Insights_Brochure_Matheson

8  SENSITIVE DATA:

                           Among the primary areas of concern detailed by the Central Bank in the DP around the
                           risk posed by outsourcing arrangements was the handling of sensitive data in order for
                           OSPs to execute the outsourced services.  The Central Bank references the importance
                           of having robust data management strategies in place to mitigate the associated risks.

                           In terms of the SLA governing the arrangement, there are three key points to note
                           from the DP:


                             1.  the requirement to include provisions providing the RF with “the right
                               to audit the OSP data storage and management systems to ensure they are
                               aligned with the regulated firm’s requirements from a data perspective”;


                             2.  the requirement to have separate Non-Disclosure Agreements in place
                               dealing with this matter in greater detail; and


                             3.  the Central Bank suggested that RFs “should seek and take account of
                               OSP’s data accreditations and attain agreement on the frequency and format
                               of any renewals of these accreditations and of any management information
                               required from the OSP in relation to the service.  This should be provided
                               through relevant clauses in the outsourcing contract”. 4





                           The Central Bank states that the above are in line with the principles set out in the CEBS
                           2006 Guidelines on Outsourcing, which highlight that RFs “must ensure that their contractual
                           arrangements with their OSP covers the protection of confidential information, banking
                           secrecy and any other specific provisions relating to handling confidential information”.

                           It appears from the above that the Central Bank is particularly concerned with how
                           sensitive data is being dealt with in SLAs, stating that it has “observed weaknesses in this
                           area as part of its supervisory engagement” and that where such clauses are included they
                           “have been deemed unsatisfactory by supervisors”.  In addition, such supervisors noted
                           that “often intragroup arrangements are weaker in this regard than arrangements with third
                           party OSPs”.

                           It would be advisable for RFs to consider such clauses in their SLAs in the context of these
                           comments, to ensure they are adequately addressing the concerns of the Central Bank.
















                      4.  This point arose in the context of specific research carried out by PwC on behalf of the Central Bank in relation to the approach taken by other industries to this matter.

                      5   DISCUSSION PAPER 8 – OUTSOURCING FINDINGS AND ISSUES FOR DISCUSSIONS   www.matheson.com





