Article 21 Outsourcing

  1. (1)

    An application for registration as a securitisation repository shall demonstrate that, where an applicant arranges for activities to be performed on its behalf by third parties, including by undertakings with which it has close links, shall ensure that the third party has the ability and the capacity to perform those activities reliably and professionally.

  2. (2)

    The application for registration as a securitisation repository shall specify or contain all of the following:

    1. (a)

      a description of the scope of the activities to be outsourced as well as the detail and extent to which those activities are outsourced;

    2. (b)

      a copy of the relevant service level agreements with clear roles and responsibilities, metrics and targets for every key requirement of the applicant that is outsourced, the methods employed to monitor the service level of the outsourced functions and the measures or actions to be taken in the event of not meeting service level targets;

    3. (c)

      a copy of the contracts governing those service level agreements, including the identification of the third party service provider;

    4. (d)

      a copy of any external reports on the outsourced activities, where available;

    5. (e)

      details of the organisational measures and policies with respect to outsourcing and the risks posed by it as specified in paragraph 4.

  3. (3)

    The application for registration shall demonstrate that the outsourcing does not reduce the applicant's ability to perform senior management or management body functions.

  4. (4)

    The application for registration as a securitisation repository shall contain information sufficient to demonstrate how the applicant remains responsible for any outsourced activity and a description of the organisational measures taken by the applicant to ensure the following:

    1. (a)

      that the third party service provider is carrying out outsourced activities effectively and in compliance with applicable laws and regulatory requirements and that the third party service provider adequately addresses identified failures;

    2. (b)

      the identification by the applicant of risks in relation to outsourced activities and the adequate periodic monitoring of those risks;

    3. (c)

      that there are adequate control procedures with respect to outsourced activities, including effective supervision of those activities and of their risks within the applicant;

    4. (d)

      the adequate business continuity of outsourced activities.

    For the purposes of point (d) of the first subparagraph, the applicant shall provide information on the business continuity arrangements of the third party service provider, including the applicant's assessment of the quality of those business continuity arrangements and, where needed, any improvements to those business continuity arrangements that have been requested by the applicant.

  5. (5)

    Where the third-party service provider is supervised by a regulatory authority, the application for registration shall also contain information demonstrating that the third-party service provider cooperates with that authority in connection with outsourced activities.