Record Keeping Relief?

Some product providers have created facilities for advisers to upload documents online. These are then stored in a secure environment by the provider.

John, a Moonstone Protector client, recently raised an interesting compliance question in this regard.

I have started uploading documents directly to XYZ. In the past I used to send the documents via email and then store the email.

This new process is faster and saves me having to store all these documents, which is a huge relief for a one-person business.

Can I outsource the keeping of records to XYZ for the required 5 years?
If permitted, must I disclose this in next year’s conduct of business report?

Our willing and able compliance consultant responded:

The new Fit & Proper requirements provide the following with regard to recordkeeping:

A FSP must at all times have:

- adequate storage and filing systems for the safe-keeping of records, business communications and correspondence;
- systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, including:
  - electronic data security and internal and external cybersecurity;
  - physical security of assets and records;
  - system application testing;
  - back-up and disaster recovery plans and procedures for systems and electronic data

You may however outsource this function to a third party, provided the following requirements are met:

A FSP, where it outsources a function or activity must –

- ensure that the person to whom the function or activity has been outsourced –
  - has the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
  - is able to carry out the outsourced services effectively, to which end the FSP must establish methods for assessing the standard of performance of that person;
- have a written contract that governs the outsource arrangement and which clearly provides for all material aspects of the outsourcing arrangement, including:
  - addressing the rights, responsibilities, and service-level requirements of all parties;
  - providing for access by the FSP and the Registrar to the person’s business and information in respect of the outsourced function or activity;
  - addressing sub-outsourcing; and
  - addressing confidentiality, privacy and the security of information of the FSP and clients of the FSP;
- properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing, including any risks to the FSP’s clients;
- take appropriate action if it appears that the person may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
- retain the necessary expertise to supervise the outsourced functions effectively and manage the risks associated with the outsourcing;
- be able to terminate the arrangement for outsourcing where necessary without detriment to the continuity and quality of its provision of financial services to clients;
- establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities;
- have effective access to data related to the outsourced activities, including any data relating to the FSP’s clients, as well as to the business premises of the person; and
- ensure that the outsourcing arrangement does not
  - compromise the fair treatment of or continuous and satisfactory service to the FSP’s clients; or
  - result in key decision making responsibilities being removed from the FSP.

In other words, you may “outsource” this function to XYZ, but I doubt whether they will enter into a Service Level Agreement that provides specifically for record-keeping.

A further question that comes to mind is whether you will have access to those records should your contract with the provider be terminated?

I would therefore advise you to continue keeping your own records and to regard the XYZ facility as an additional back-up system.

John responded:

Thank you for your comprehensive response. I will maintain the records in question to comply with the specific wording of the regulations. In reality, however, it is an unnecessary task as they are all on the XYZ mainframe, which is far more secure than any I could create and is always accessible by me or the client.