Article 4
Outsourcing
1. Competent authorities shall verify that the outsourcing by an institution of any tasks, activities or functions related to the design, implementation, and validation of internal models does not prevent or hinder the application of the assessment methodology set out in this Regulation.
2. For the purposes of paragraph 1, competent authorities shall verify whether:
(a) |
tasks and responsibilities reserved for the risk control unit are not outsourced; |
(b) |
the senior management and the management body are actively involved in the supervision of any tasks outsourced by the institution, and in the acquisition of any IT risk management tool solutions from third parties; |
(c) |
the institution itself has sufficient knowledge about any outsourced tasks, activities or functions and of the structure of any data and methodologies obtained from a third party, and is able to verify the quality of the work performed by the third party to which it outsources its tasks, as well as the results of that work; |
(d) |
the internal audit and the ongoing monitoring by the institution of any outsourced tasks, activities and functions are not limited or inhibited by such outsourcing; |
(e) |
full access to all relevant information is granted to competent authorities. |
3. Competent authorities shall verify that third parties involved in the development of methodologies for assessing market risk used by the institution are not involved in the initial or ongoing internal validation of the model by the institution.
4. For the purposes of paragraphs 1, 2 and 3, competent authorities shall review the outsourcing agreement between the institution and the third party. Where appropriate, competent authorities may also:
(a) |
interview or require the submission of written statements from any of the following:
|
(b) |
review other relevant documents of the institution or the third party. |