Amid the COVID-19 pandemic and its aftermath, would financial firms be wise to consider outsourcing some of their compliance function?
About 28% of financial firms outsource some or all of their compliance functionality, according to the Thomson Reuters Regulatory Intelligence’s 2019 cost of compliance report.
Regulators have extended substantial forbearance and regulatory relief to financial firms in an effort to mitigate the impact of COVID-19, but forbearance does not, and will not, mean turning a blind eye to compliance breaches in future. That point was made a year ago by Derville Rowland, director general of the Central Bank of Ireland, who said: “To put it bluntly, we found significant risk management deficiencies on a widespread basis. More broadly, we concluded that, when it comes to outsourcing arrangements, governance and risk management standards are emphatically not where they need to be.”
The golden rule for successful outsourcing is that while activities can be moved to a different group company or to a third party, the skills needed to oversee those activities must be retained in-house. Financial firms would be well-advised to review, as a matter of urgency, the strategic viability and shifting risks of all their outsourcing arrangements. Elements to consider in such a review include:
- Every outsourcing arrangement should have had upfront due diligence on the outsourcer (even when it is a group company), together with a detailed written agreement specifying all aspects of the outsourced activity. Among other things, that agreement should cover the practical steps involved in exiting the arrangement.
- The continuing resilience of the outsourcer should also be considered. Most firms undertake comprehensive due diligence at the start of a relationship with an outsourcer, but it is less common to carry out continuing checks to confirm that the outsourcer remains effective. All firms should have comprehensive, tested contingency plans that both track the resilience of their outsourcing arrangements and set out, in writing, how the firm would deal with the failure of an outsource provider.
- In the current circumstances it is unlikely that firms will be able to visit an offsite outsource location in person. In more normal times every effort should have been made to carry out at least an annual onsite visit to every major or material outsourcer to assess the level, timeliness and quality of the information flows. Firms need to ensure that all possible mitigants for the lack of physical access are considered, actioned and documented. Any undue risk arising from it should form part of the overall assessment of continuing strategic viability.
- Many firms process data in a number of locations and in a number of jurisdictions. As a matter of course firms should have a robust central record of exactly what data is held where and on what basis. This is not just a question of compliance with data protection requirements but also a question of accessibility and, where needed, retrieval. Should a swift and comprehensive repatriation of data be required, it is an essential prerequisite for a firm to know exactly what is held where and under what terms. Again, firms should review and document all data processing and other arrangements and determine whether they continue to remain viable and within acceptable risk tolerances.
- A key consideration for firms is to ensure that they have retained the right (which should be set out in the outsource contract) to be informed before any of the firm’s data or activity is passed on by the outsourcer to a further party. Too many firms have found that their data has been passed on from the original outsourcer to numerous other entities, increasing the potential for loss, contagion, reputational damage and concentration risk.
- Inevitably, some will seek to take advantage of uncertainty and the increased potential for the unexpected to happen. Firms should be aware that there has already been an increase in cyber risk incidents. Any review of outsourcing arrangements should therefore consider the cyber resilience of the outsource provider. Firms may choose to risk-assess the provider’s approach and may bolster resilience against cyber-attacks by requiring that the outsourcer regularly and securely backs up company confidential, sensitive client and other important files to a remote backup or storage facility that is kept disconnected from the production environment. Such backups do not prevent an attack, but they limit its impact and allow recovery.
- As part of the response to COVID-19, many firms will already have reviewed their business continuity and disaster recovery plans. All outsourced arrangements should have been a key feature of that review, and this will have been particularly pertinent for any firm required to create a “living will”. The contingencies and risks inherent in relying on outsourced arrangements for business continuity or disaster recovery should be included in the overall strategic viability assessment for the outsourcing.
- With almost half of firms reporting a lack of in-house compliance skills as a driver for outsourcing, firms should review their capacity to oversee the outsourced activities, particularly when potentially significant numbers of employees may be unwell or otherwise unable to work. Documented contingency plans should be put in place to re-allocate skilled in-house resources as needed, and any skills gaps should be filled as soon as is feasible.
Many factors will determine the continuing strategic viability of an outsourcing arrangement, and firms should document in detail any assessment they make. It will always be a judgement call, but firms need to consider carefully whether they can continue to oversee, with appropriate robustness, all of their outsourcing arrangements in the current circumstances.
For some firms it may be a risk-aware decision to bring activities back in-house, shortening and simplifying the control infrastructure needed to manage (often overseas) outsourcing arrangements.