1. Member States shall ensure that, when investment firms
outsource critical or important operational functions or any
investment services or activities, the firms remain fully
responsible for discharging all of their obligations under
Directive 2004/39/EC and comply, in particular, with the
following conditions:
(a) the outsourcing must not result in the delegation by senior
management of its responsibility;
(b) the relationship and obligations of the investment firm
towards its clients under the terms of Directive 2004/39/EC
must not be altered;
(c) the conditions with which the investment firm must
comply in order to be authorised in accordance with
Article 5 of Directive 2004/39/EC, and to remain so, must
not be undermined;
(d) none of the other conditions subject to which the firm's
authorisation was granted must be removed or modified.
2. Member States shall require investment firms to exercise due
skill, care and diligence when entering into, managing or
terminating any arrangement for the outsourcing to a service
provider of critical or important operational functions or of any
investment services or activities.
Investment firms shall in particular take the necessary steps to
ensure that the following conditions are satisfied:
(a) the service provider must have the ability, capacity, and any
authorisation required by law to perform the outsourced
functions, services or activities reliably and professionally;
(b) the service provider must carry out the outsourced services
effectively, and to this end the firm must establish methods
for assessing the standard of performance of the service
provider;
(c) the service provider must properly supervise the carrying
out of the outsourced functions, and adequately manage the
risks associated with the outsourcing;
(d) appropriate action must be taken if it appears that the
service provider may not be carrying out the functions
effectively and in compliance with applicable laws and
regulatory requirements;
(e) the investment firm must retain the necessary expertise to
supervise the outsourced functions effectively and manage
the risks associated with the outsourcing and must
supervise those functions and manage those risks;
(f) the service provider must disclose to the investment firm
any development that may have a material impact on its
ability to carry out the outsourced functions effectively and
in compliance with applicable laws and regulatory requirements;
(g) the investment firm must be able to terminate the
arrangement for outsourcing where necessary without
detriment to the continuity and quality of its provision of
services to clients;
(h) the service provider must cooperate with the competent
authorities of the investment firm in connection with the
outsourced activities;
(i) the investment firm, its auditors and the relevant competent
authorities must have effective access to data related to the
outsourced activities, as well as to the business premises of
the service provider; and the competent authorities must be
able to exercise those rights of access;
(j) the service provider must protect any confidential information
relating to the investment firm and its clients;
(k) the investment firm and the service provider must establish,
implement and maintain a contingency plan for disaster
recovery and periodic testing of backup facilities, where that
is necessary having regard to the function, service or
activity that has been outsourced.
3. Member States shall require the respective rights and
obligations of the investment firms and of the service provider
to be clearly allocated and set out in a written...