Outsourcing in Financial Services [Foreign-Language Translation]
Foreign-Language Translation
Outsourcing in Financial Services
Material Source: Business Credit, October 2005, Vol. 107, No. 9, 64-70
Author: The Joint Forum
1 Executive Summary
Financial services businesses throughout the world are increasingly using third parties to carry out activities that the businesses themselves would normally have undertaken. Industry research and surveys by regulators show financial firms outsourcing significant parts of their regulated and unregulated activities. These outsourcing arrangements are also becoming increasingly complex.
Outsourcing has the potential to transfer risk, management and compliance to third parties who may not be regulated, and who may operate offshore.
In these situations, how can financial service businesses remain confident that they remain in charge of their own business and in control of their business risks? How do they know they are complying with their regulatory responsibilities? How can these businesses demonstrate that they are doing so when regulators ask?
To help answer these questions and to guide regulated businesses, the Joint Forum established a working group to develop high-level principles about outsourcing.
In this paper, the key issues and risks are spelt out in more detail and principles are put forward that can serve as benchmarks. The principles apply across the banking, insurance and securities sectors, and the international committees involved in each sector[1] may build on these principles to offer more specific and focused guidance. Selected international case studies (see Annex A) show why these questions matter.
Today outsourcing is increasingly used as a means of both reducing costs and achieving strategic aims. Its potential impact can be seen across many business activities, including information technology (e.g., applications development, programming, and coding), specific operations (e.g., some aspects of finance and accounting, back-office activities & processing, and administration), and contract functions (e.g., call centres). Industry reports and regulatory surveys of industry practice indicate that financial firms are entering into arrangements in which other firms – related firms within a corporate group and third-party service providers – conduct significant parts of the enterprise’s regulated and unregulated activities.[2]
Activities and functions within an organisation are performed and delivered in diverse ways. An institution might split such functions as product manufacturing, marketing, back-office and distribution within the regulated entity. Where a regulated entity keeps such arrangements in-house, but operates some activities from various locations, this would not be classified as outsourcing. The entity would therefore be expected to provide for any risks posed by this in its regular risk management framework.
[1] The Basel Committee on Banking Supervision (BCBS), the International Organization of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS).
Increasingly more complex arrangements are developing whereby related entities perform some activities, while unrelated service providers perform others. In each case the service provider may or may not be a regulated entity. The Joint Forum principles are designed to apply whether or not the service provider is a regulated entity.
Outsourcing has been identified in various industry and regulatory reports as raising issues related to risk transfer and management, frequently on a cross-border basis, and industry and regulators acknowledge that this increased reliance on the outsourcing of activities may impact on the ability of regulated entities to manage their risks and monitor their compliance with regulatory requirements. Additionally, there is concern among regulators as to how outsourcing potentially could impede the ability of regulated entities to demonstrate to regulators (e.g., through examinations) that they are taking appropriate steps to manage their risks and comply with applicable regulations.
Among the specific concerns raised by outsourcing activities is the potential for over-reliance on outsourced activities that are critical to the ongoing viability of a regulated entity as well as its obligations to customers.
Regulated entities can mitigate these risks by taking steps (as discussed in the principles) to: draw up comprehensive and clear outsourcing policies, establish effective risk management programmes, require contingency planning by the outsourcing firm, negotiate appropriate outsourcing contracts, and analyse the financial and infrastructure resources of the service provider.
[2] Bank Information Technology Secretariat (BITS) Framework for Managing Technology Risk for IT Service Provider Relationships, Version II, November 2003, p. 2.
Regulators can also mitigate concerns by ensuring that outsourcing is adequately considered in their assessments of individual firms whilst taking account of concentration risks in third-party providers when considering systemic risk issues.
Of particular interest to regulators is the preservation at the regulated entity of strong corporate governance. In this regard, outsourcing activities that may impede an outsourcing firm's management from fulfilling its regulatory responsibilities are of concern to regulators. The rapid rate of IT innovation, along with an increasing reliance on external service providers, has the potential to lead to systemic problems unless appropriately constrained by a combination of market and regulatory influences.
This paper attempts to spell out these concerns in more detail and develop a set of principles that gives guidance to firms, and to regulators, to help them better mitigate these concerns without hindering the efficiency and effectiveness of firms.
2 Guiding Principles - Overview
The Joint Forum has developed the following high-level principles. The first seven principles cover the responsibilities of regulated entities when they outsource their activities, and the last two principles cover regulatory roles and responsibilities. Here we present an overview of the principles. More detail may be found in section 9.
Ⅰ A regulated entity seeking to outsource activities should have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced. The board of directors or equivalent body retains responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.
Ⅱ The regulated entity should establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the service provider.
Ⅲ The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by regulators.
Ⅳ The regulated entity should conduct appropriate due diligence in selecting third-party service providers.
Ⅴ Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.
Ⅵ The regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.
Ⅶ The regulated entity should take appropriate steps to require that service providers protect confidential information of both the regulated entity and its clients from intentional or inadvertent disclosure to unauthorised persons.
Ⅷ Regulators should take into account outsourcing activities as an integral part of their ongoing assessment of the regulated entity.
Regulators should assure themselves by appropriate means that any outsourcing arrangements do not hamper the ability of a regulated entity to meet its regulatory requirements.
Ⅸ Regulators should be aware of the potential risks posed where the outsourced activities of multiple regulated entities are concentrated within a limited number of service providers.
3 Definition
Outsourcing is defined in this paper as a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future.
Outsourcing can be the initial transfer of an activity (or a part of that activity) from a regulated entity to a third party or the further transfer of an activity (or a part thereof) from one third-party service provider to another, sometimes referred to as “subcontracting.” In some jurisdictions, the initial outsourcing is also referred to as subcontracting.
Firms should consider several factors as they apply these principles to activities that fall under the outsourcing definition. First, these principles should be applied according to the degree of materiality of the outsourced activity to the firm's business. Even where the activity is not material, the outsourcing entity should consider the appropriateness of applying the principles. Second, firms should consider any affiliation or other relationship between the outsourcing entity and the service provider. While it is necessary to apply the Outsourcing Principles to affiliated entities, it may be appropriate to adopt them with some modification to account for the potential for differing degrees of risk with respect to intra-group outsourcing. Third, the firm may consider whether the service provider is a regulated entity subject to independent supervision.
According to this definition, outsourcing would not cover purchasing contracts, although as with outsourcing, firms should ensure that what they are buying is appropriate for the intended purpose. Purchasing is defined, inter alia, as the acquisition from a vendor of services, goods or facilities without the transfer of the purchasing firm's non-public proprietary information pertaining to its customers or other information connected with its business activities.
This paper will refer to a regulated entity as the body that is authorised for a regulated activity by a regulator. The principles set forth in this paper are targeted at such entities.
Third party or service provider refers to the entity that is undertaking the outsourced activity on behalf of the regulated entity.
The term regulator refers to all supervisory and regulatory authorities that authorise firms to undertake any regulated activity and supervise that activity.
4 Developments in industry Practice Motivation
5 Current Trends in Outsourcing
Financial firms have entered into outsourcing arrangements for many years, albeit not to the extent seen in the recent past. For example, in the securities industry, since the 1970s, firms have outsourced quasi-clerical activity, such as the printing and storage of records. This was undertaken because of the comparative cost savings.
As technology has evolved, outsourcing of information services has become more common. In the 1980s and 1990s, such deals tended to be large scale and often involved the outsourcing of whole IT divisions primarily based on cost and the importance of remaining up to date with rapidly evolving technology.
Subsequently, we have seen a growth of outsourcing in more strategic areas such as human resources and some have observed the trend of “business processing outsourcing” (BPO), i.e., end-to-end outsourcing of a business line or process in its entirety. BPOs also mean that the relationship between the outsourcer and the third party changes somewhat as the latter becomes more of a strategic partner than a traditional supplier.
Another major trend in outsourcing that appears to have gained momentum is “off-shoring”, i.e., effectively outsourcing activities beyond national borders. Many conglomerates are trying to create global efficiencies by basing transaction processing and call centres offshore. Arrangements are sometimes entered into with unrelated parties, while in other cases the outsourcing firm establishes its own offshore base (i.e., through an affiliate) to provide services.
In India alone a range of organisations have set up outsourcing arrangements as illustrated by the sample of firms in the table below. (Approximate staff numbers are indicated in parentheses.)
Table 1: Financial Services Companies in India in 2003
Source: Deloitte presentation to Board of Governors of the Federal Reserve System, Offshoring and Cross-Border Outsourcing by Banks, March 30 2004.
Anecdotal evidence suggests that China, Malaysia and the Philippines are also seen as desirable outsourcing locations.
According to a 2004 report by Deloitte[5], offshoring will continue to grow throughout this decade. The report estimates the percentage of global financial services companies with offshore facilities grew to 67% in 2003 compared with 29% in 2002. It further estimates that by 2005 some $210 billion of industry costs will be offshore, rising to $400 billion or 20% of the total industry cost base in 2010.
The report notes that the percentage for large firms is significantly higher than for small firms and also notes that increasingly firms are setting up their own operations offshore, distinguishing this trend from the growth of outsourcing, per se.
At a practical level this growth in offshoring has led to a need for regular monitoring of “country risk”, which means that an outsourcing institution needs to monitor foreign government policies and political, social, economic and legal conditions in the country where it has a contractual relationship with a service provider. It should also develop appropriate contingency plans and exit strategies. As part of an organisation's need to consider business continuity issues, it should consider whether the processes could quickly revert to the home country in extremis.
Financial Services Outsourcing
Source: Business Credit, October 2005, Vol. 107, No. 9, pp. 64-70
Author: The Joint Forum
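1 Summary
Worldwide, financial firms are increasingly using third parties to carry out business activities. Research and surveys by industry regulators show that financial institutions outsource some of their important business as well as unregulated business. The outsourced business is also becoming more and more complex.
Financial services outsourcing can transfer risk, and involves managing third parties that are not regulated and may operate offshore.
In such circumstances, how can financial firms remain confident in running the business and controlling its operating risks? How do firms know that they are complying with their regulatory responsibilities? How can they demonstrate that they are following the regulators' rules when they outsource business?
To address these questions and guide firms toward well-regulated operation, the Joint Forum set up a working group to draw up in-depth provisions on outsourcing.
In this document, more detail on the key issues and risks is taken into account, and the resulting principles can serve as benchmarks. These principles apply to all of banking, insurance and securities, and, building on them, more specific and focused guidance is offered to each participating body [these bodies are the Basel Committee on Banking Supervision (BCBS), the International Organization of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS)]. Selected international case studies (see Annex 1).
At present, financial services outsourcing is increasingly used as a means of reducing costs and achieving strategic objectives. Its potential impact can be seen in many of the business activities that organisations engage in, including information technology (e.g., application software development, programming and coding), specific operations (e.g., accounting services, back-office services and administration) and contract functions (e.g., call centres). Industry reports and regulatory surveys of industry practice show that financial institutions outsource business activities to third-party service providers, which thereby form an important part of regulated and unregulated outsourced business (Relationship between IT service providers and the risk management technology framework, BITS, 2003(11):2).
Organisations carry out business activities and functions and deliver them in diverse forms. An organisation may have functions such as product manufacturing, marketing, back office and entity regulation. Where a regulated entity keeps such arrangements in-house but operates from different locations, this will not be classed as financial services outsourcing. The entity will therefore be brought within the regular risk management framework.
Business entities are handing more and more of the activities they are responsible for to other, unrelated service providers to perform. In each case, these service providers may or may not be regulated entities. The principles put forward by the Joint Forum are used to distinguish whether these service providers exist as regulated entities.
Cross-border regulatory reports show that outsourcing exists in a variety of industries and helps improve firms' risk transfer and management functions, and industry regulators point out that reliance on financial services outsourcing may affect the ability of regulated firms to manage risk and to monitor their compliance with regulatory requirements. In addition, it is worth noting that regulators use appropriate means (e.g., through testing) to verify whether financial services outsourcing hinders the entity's supervisory capacity, and thereby control risk.
The specific concern with financial services outsourcing lies in the potential of regulated entities to outsource; their viability depends on viable outsourcing and on customers' trust.
Financial institutions can reduce risk by taking practicable measures (such as the principles above): drawing up comprehensive outsourcing policies, establishing effective risk management programmes, contingency plans provided by the outsourcing service provider, negotiating and signing outsourcing contracts, and analysing the service provider's financial position and infrastructure resources.
When considering systemic risk issues, regulators, while giving full consideration to the operation of individual firms, consider third-party service providers in which risk is concentrated, and reduce the attention paid to outsourcing in risk assessments.
Regulators generally attach importance to the internal governance structure of firms. In the outsourcing process, what concerns regulators most is that outsourcing may hinder the fulfilment of regulatory responsibilities. With the rapid development of the information industry, firms rely on outsourcing more and more, and the systemic problems this may cause can be resolved only through the potential influence of market adjustment and regulation.
This paper aims to set out these issues in more detail and to develop a set of principles that give guidance to firms and regulators, helping them ease the problems more effectively without affecting the effective operation of firms.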
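2 Overview of the Guiding Principles
The Joint Forum has developed the following high-level principles. The first seven principles cover the responsibilities of all regulated firms that outsource business activities, and the last two cover the regulatory roles and responsibilities of firms. Here we give an overview of these principles. (See clause 9 for details.)
Ⅰ When carrying out outsourcing activities, a regulated entity should draw up a comprehensive policy to assess the feasibility of the outsourcing activity. The board of directors or the firm's supervisory department bears full responsibility for the outsourcing policy and for the outsourcing carried out under that policy.
Ⅱ The regulated entity should establish a complete outsourcing risk management mechanism to handle the outsourced activities and the relationship with the service provider.
Ⅲ The regulated entity should ensure that outsourcing neither weakens the firm's ability to operate nor impedes effective supervision by regulators.
Ⅳ The regulated entity should make appropriate enquiries into the third-party service provider it selects.
Ⅴ Outsourcing relationships should be established by written contract that clearly describes all material matters of the outsourcing, including the rights, responsibilities and objectives of both parties.
Ⅵ The regulated entity and its service providers should establish and maintain contingency plans, including plans for disaster recovery and periodically tested backup facilities.
Ⅶ The regulated entity should take appropriate measures to require the service provider to protect the regulated entities of both parties and to prevent intentional or inadvertent disclosure of confidential information of unauthorised customers.
Ⅷ Regulators should treat outsourcing activities as a component of their ongoing assessment of the regulated entity.
Regulators should take appropriate measures to ensure that no outsourcing activity hampers the regulated entity's ability to meet regulatory requirements.
Ⅸ Regulators should be aware of the concentration risk in the outsourcing activities of different regulated entities; in response, regulators may limit the number of service providers.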
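3 Definition
This document defines financial services outsourcing as follows: outsourcing is a regulated financial entity's use, now or in the future, of a third-party service provider (which may be a corporate group or an external subsidiary entity of the firm) to perform business on a continuing basis, the activities carried out being subject to regulation.
Financial services outsourcing may be the contracting out of an activity (or part of that activity) by a regulated entity to a third party, or a further transfer of the initial business transfer from one third-party service provider to another, sometimes called “subcontracting”. In some regions, the initial outsourcing is itself called subcontracting.
Within the scope of the definition of financial services outsourcing, firms should consider several factors when applying these principles. First, the applicability of these principles should be determined by the importance of the outsourcing firm's business. For outsourcing that is not core business, the outsourcing entity should consider the applicability of these principles. Second, in the outsourcing process firms should consider the affiliation and other relationships between the outsourcing entity and the service provider. Outsourcing business to subsidiary entities takes into account, to varying degrees, the potential risk of intra-group outsourcing. Third, one point the outsourcing firm will consider is whether the service provider is a regulated independent entity.
Under this definition, although firms need to ensure in the outsourcing process that the products they buy achieve the intended purpose, outsourcing does not constitute a purchasing agreement. Purchasing is defined, inter alia, as the business activity by which an organisation of a commercial nature brings in services, goods or facilities, and information from outside.
A regulated entity in this paper refers to a business entity whose business activities are regulated by a regulator and which accepts that regulator's rules. The principles mentioned in this paper are addressed to these entities.
Third party or service provider refers to the entity that carries out outsourced activities in the name of the regulated entity.
Regulator refers to all supervisory staff and regulatory authorities that authorise firms to carry out regulated business activities and supervise those activities.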
4 Developments in the Analysis of Industry Development Motivation
…………
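5 New Trends in Outsourcing
To some extent, financial institutions have been developing financial services outsourcing for many years. For example, since the 1970s, firms in the securities industry have outsourced clerical work such as printing and storing records. Such activity saves comparatively on cost.
With the development of information technology, outsourcing of information services has become increasingly common. In the 1980s and 1990s, driven by cost factors and technological progress, the trend in financial services outsourcing became more evident and gradually extended to the whole IT industry.
As things developed, we see more areas also showing a trend toward financial services outsourcing, such as human resources and business process outsourcing (BPO). BPO also means that the relationship between the outsourcer and the third party changes, the latter being called a strategic partner with more advantages than a traditional supplier.
Another major trend in financial services outsourcing is reflected in “offshore outsourcing”, i.e., completing outsourced work across national borders. Many financial firms are setting up offshore sites for transaction processing and call centres around the world. Financial institutions have their own offshore bases by entering into cooperative relationships with unrelated parties (i.e., through alliances).
Taking India as an example, a sample survey table of financial institutions that have set up offshore bases in India shows the following (approximate staff numbers are given in parentheses).
Table 1: Financial Services Companies in India in 2003
Source: Deloitte, offshore outsourcing and cross-border banking of the US Federal Reserve System, March 30, 2004.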