Third party, outsourced arrangements and the need for a consolidated approach to compliance

Firms must do their due diligence and ensure activities both in-house and outsourced are being monitored to ensure they are compliant.

19 June 2025 6 mins read
By Susannah Hammond

Many financial services firms outsource at least some of their activities. Outsourcing can be an efficient and cost-effective way to supplement in-house resources, but it must be appropriately managed, delivered and integrated into the wider approach to risk and compliance to be of real benefit.

Events over the last few years have meant that firms have reevaluated their approach to outsourcing. The pandemic shut down much travel and prevented firms from being able to carry out the usual onsite visits to outsourced activities. The activities themselves were often severely disrupted as COVID-19 affected workforces. The war in Ukraine threw up similar, but different, challenges – from the consequences, both intended and unintended, of sanctions to the loss of access to the many software development teams based in both Ukraine and Russia.

Even in more ‘normal’ times, firms should keep all outsourcing agreements and supply chains under review. Regulated firms should continuously monitor all entities (even those in the same group structure) to which processes or other activities are outsourced. Given the continuing unpredictability with which geopolitical risks crystallize, regular review ensures that any outsourcing remains strategically viable and demonstrably compliant, and that there is a clear line of sight to all activities.

Oversight

Risk and compliance teams need to be involved in the oversight of all significant outsourcing arrangements. That means not only integrating those arrangements into the wider compliance monitoring and oversight, but also ensuring that compliance officers have line of sight to any and all outsourced compliance functionality. Specifically, there must be a (tested) back-up plan if that functionality needs to be reallocated, potentially at speed.

Golden rule

The golden rule for successful outsourcing is that while activities can be moved to a different group, company, or third party, the skills to manage those activities must be retained in-house. This may be less obvious in an intra-group outsourcing scenario, but it remains essential for a separate legal entity with a separate license. If there is a branch or other structure involved, then the firm needs to consider the efficacy of the outsourcing arrangements and the skills, governance and local responsibilities of the branch.

Good or better practice

As a matter of course, risk, compliance and internal audit functions should include all outsourcing arrangements in their monitoring plans. Other elements for firms to consider include:

  • Exiting an outsourced agreement – all outsourcing arrangements should have involved upfront due diligence on the outsourcer (even when it is a group company), together with a detailed written agreement specifying all aspects of the outsourced arrangements. Among other things, the detailed written agreement should cover the practical measures involved in exiting the outsourced arrangement. Consideration should also be given to the possible downside(s) if an orderly exit is impossible.
  • Continuing due diligence – most firms will carry out comprehensive due diligence at the start of the relationship with an outsourcer, but it is less common to undertake continuing checks to ensure the outsourcer remains effective. All firms should have comprehensive, tested contingency plans to track the resilience of outsourcing arrangements and should also have documented plans to deal with the failure of an outsource provider. Geopolitical risk should be built into both upfront and continuing due diligence.
  • Onsite visits – under ‘normal’ circumstances, every effort should be made to carry out at least one annual onsite visit to all material outsourcers to assess the level, timeliness and quality of the information flows. If onsite visiting is not feasible then the viability of the arrangement should be (re)considered.
  • Data accessibility – many firms process data in a number of locations and jurisdictions. Firms should maintain a central record of exactly what data is held, where, and on what basis. It is not just a question of compliance with data protection requirements but also one of accessibility and, where needed, retrieval, should a swift and comprehensive repatriation of data be required. Again, firms should review and document all data processing and other arrangements and determine whether they continue to remain viable and within acceptable risk tolerances.
  • Outsourcing from original outsourcer – firms should ensure they have retained the right (as should be set out in the outsource contract) to be informed before any of the firm’s data or activity is outsourced from the outsourcer. Too many firms have found that their data has been passed on and away from their original outsourcer to numerous other entities, thereby increasing possible loss, contagion, compliance, reputational and concentration risks.
  • Cyber risk – there will always be those who seek to take advantage of uncertainty and conflict, with greater potential for the unexpected to happen. Any review of outsourcing arrangements should consider the cyber resilience of the outsource provider. As part of the overall assessment of risk, firms should seek to ensure that the outsourcer’s approach to cyber risk management is in line with that taken by the firm.
  • Business continuity and disaster recovery plans – all material outsourced arrangements should be included in a firm’s business continuity and disaster recovery plans and, where feasible, included in the testing of those plans. The contingencies and risks inherent in reliance on outsourced arrangements as part of business continuity or disaster recovery should be included in the overall strategic viability assessment for the outsourcing. In many firms, “what if” assessments relied on the use of back-up or remote locations, but in times of heightened geopolitical risk the use of some locations may become non-viable.


Firms are on notice that they need to keep their outsourced arrangements under review, and any material outsourced arrangements need to be an inherent part of their risk and compliance program. Firms cannot afford to let outsourced arrangements become the weak link in their business, and consolidating oversight into the firm-wide risk framework is required good practice.

Any review of outsourced activities should be reported to the board and potentially also to relevant regulators. As with other aspects of compliance, the basics done consistently well will go a long way toward providing firms with a reasonable level of assurance that outsourcing arrangements are, and are likely to remain, under control.