In my opinion the paper is entirely unbalanced. It would have been better to produce a separate paper to address payment institutions and methods, particularly since these are changing quickly. Indeed even this document does not address the issues that I would seek to have addressed. My key concern is that by using the service definition to remove certain matters that are conducted by third parties from the definition of outsourcing you are potentially creating an issue. This is a paper on the risks and controls for outsourcing and the provision of external services by lawyers, consultants, cleaners and software houses is included in this work. By risk assessing on a sensible basis the level of due diligence required to be conducted can be assessed. By excluding some of these key elements my concern is that the necessary due diligence may not be conducted. I would change the definition and reassess the balance of the paper.
No. They become difficult to separate the cloud and tech imbalance.
This is fine
While happy with the general thrust of the paper again I would emphasise that the EBA is looking at the risks that third party relationships pose to a firm. This includes architects given cases of branches subsiding, bribes being potentially paid and building collapse. Excluding this from the paper without another paper picking this up in my opinion is doing the industry a disservice. I also think that additional guidance could be provided to enable firms to properly assess criticality.
Section 5 currently provides neither examples nor responses. At present this is inadequate. I would particularly be interested in additional guidance regarding non-executive directors. Section 6 is a little confusing. Normally the firm will obtain the BCP of the outsourced firm and build that into their own BCP, identifying issues requiring resolution. I am not sure that this is consistent with the expectations set out here.
While the guidelines are clear I am unsure where we are identifying the owners, controllers and officers or what work is being undertaken to prevent concentration and fraud, for example.
What is written is fine albeit rather brief. The former BIS papers appear to provide more guidance than is repeated here.
Yes but again are light on the controller, o
I am concerned over the audit rights issue and any regulator will need to recognise limitations in this. It will not be required in all cases and specific additional guidance where it is not available will be required. There is always the reserve of receiving audit reports.