8 December 1998
The Chief Executive
All Authorised Institutions
Dear Sir,
Outsourcing
A number of institutions have approached us over the
last couple of years to discuss proposals to outsource some part of
their operation to another party. Examples include outsourcing of back
office processing, data processing and credit card processing.
Clearly, outsourcing has become a popular trend worldwide,
and some other institutions both internationally and within Hong Kong
are likely to follow the trend, to save costs, to get access to specialised
expertise and technology, and to enable them to concentrate on their
core business.
The Monetary Authority does not object in principle
to outsourcing. However, outsourcing raises a number of important issues.
Primarily our concern is the adequacy of systems and controls and data
security/confidentiality after the outsourcing. Institutions should,
therefore, inform the Monetary Authority at an early stage of any outsourcing
proposals. This would include not only outsourcing to independent third
parties, but also to other parts of the institution/group.
Institutions should provide to the Monetary Authority
the following information on any proposed outsourcing:
- Full description of the services to be outsourced;
- Reason for the outsourcing;
- Identity of the service provider (N.B. if the service provider
is not in-house, details should be provided of the service provider's
background, reputation, and expertise in the area of outsourcing);
- Confirmation that appropriate up-to-date records and other information
will be available in the Hong Kong office and that management of
the Hong Kong office will remain in control of and responsible for
the services to be outsourced;
- In the case of cross-border outsourcing, confirmation of the extent
to which other parties (e.g. home supervisor, government departments,
law enforcement agencies, tax authorities) would have access to
the data and other information on the Hong Kong operations;
- In the case of cross-border outsourcing, confirmation that all
requisite approvals have been received and that the home supervisor
is aware of and content with the arrangement;
- Safeguards to ensure the integrity and confidentiality of customer
information. Typical safeguards include:
  - undertakings by the service provider that the company, and its
    staff, will abide by confidentiality rules;
  - contractual rights of the institution to take action against
    the service provider in the event of a breach of confidentiality;
  - and clear segregation/compartmentalisation of the institution's
    data from that of the service provider and its other clients;
  N.B. The institution should confirm specifically
  that Personal Data (Privacy) Ordinance issues have been addressed.
- Means by which the operations of the service provider will be
reviewed, e.g. access by the institution's internal and external
auditors, and by Monetary Authority examiners;
- Contingency plans / back-up facilities in the event of the service
provider experiencing problems;
- How customers will be informed of the outsourcing; and
- Any other information relevant to our consideration of the proposal.
As indicated in our earlier (July 1996) letter on outsourcing,
the requirement to consult the Monetary Authority re outsourcing proposals
is to ensure the institution's compliance with Clause 12 of the minimum
authorisation criteria laid down in the Seventh Schedule to the Banking
Ordinance. This requires institutions to conduct their business with
integrity, competence and in a manner not detrimental to the interest
of depositors and potential depositors. Institutions should therefore
discuss their plans with the Monetary Authority in advance and should
satisfy the Monetary Authority that there are adequate systems and controls
in place before they proceed with such plans.
Yours faithfully
Y K Choi
Deputy Chief Executive (Acting)