9.3.1The Licensed Person must have an outsourcing policy approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors); and
9.3.2The outsourcing policy must cover the following aspects, at a minimum:
a)Enhanced Due Diligence (EDD) process to be applied on the Service Provider;
b)Responsibilities of the Licensed Person and the Board of Directors (or with the Owner/Partners where there is no Board of Directors) in relation to all outsourced functions;
c)Annual risk assessment of outsourced functions;
d)Control mechanisms to mitigate various outsourcing risks; and
e)Requirement of a Service Level Agreement between the Licensed Person and the Service Provider.