Are You Managing Your Outsourcing Risks?
Outsourcing of non-core activities has been the go-to option for fund managers to control operating costs, gain access to expert capabilities, and manage internal resources to focus on their core activities, among others. Furthermore, it brings increased benefits for small and medium fund managers that often lack the scale of larger fund managers.
According to a survey of investment managers across the APAC, EMEA and North America regions conducted by Northern Trust in the first quarter of 2020, 45% of respondents expected to outsource data management within the next two years, followed by 40% for back-office and 38% for middle-office functions. With the growing reliance on outsource service providers (“OSPs”), particularly for critical activities, the trend is causing concern among regulators, as highlighted by the Financial Stability Board (“FSB”).
The Guidelines on Outsourcing (the “Guidelines”), last revised by the Monetary Authority of Singapore (“MAS”) in October 2018, set out MAS’ expectations of a financial institution (“FI”) that has an outsourcing arrangement or is planning to outsource its business activities to a service provider. The FI is expected to adopt a sound and responsive risk management framework for its outsourcing arrangements, and to conduct a self-assessment of all existing outsourcing arrangements against the Guidelines. The Guidelines set out risk management practices covering Board and Senior Management responsibilities, evaluation of risks, assessment of service providers, the outsourcing agreement, confidentiality and security, business continuity management, monitoring and control of outsourcing arrangements, and audit and inspection.
The following are practical recommendations on the key focus areas FIs should have in place to meet MAS’ expectations and requirements:
Outsourcing Risk Management Framework
FIs are required to have in place an Outsourcing Risk Management Framework to manage outsourcing arrangements effectively, encompassing Board and Senior Management oversight and governance, internal controls and, in particular, risk management.
A robust framework should enable the FI to take a risk-based approach to its outsourcing arrangements: identifying risk exposures that may impede the objectives of the business, and evaluating the identified risks by analysing the impact of each arrangement on the FI’s overall risk profile.
Some of the key risks (not exhaustive) observed in outsourcing arrangements are:
- Strategic Risk
  - Conflicting strategic goals and objectives between the OSP and the FI.
  - Lack of oversight of the OSP’s activities.
- Reputation Risk
  - OSP practices falling short of the FI’s required quality standards.
- Compliance Risk
  - Unclear division of responsibility for compliance requirements between the OSP and the FI.
  - Inadequate compliance systems and controls at the OSP.
- Operational Risk
  - Technology failure arising from obsolete or poorly maintained IT systems used to process information.
  - Non-performance by the OSP of its obligations and/or failure to provide remedies.
  - Fraud or error arising from carelessness or negligence.
Assessment of Service Providers
Comprehensive due diligence is required when engaging a new OSP, renegotiating an existing arrangement or renewing one, in order to identify and mitigate the key risks (such as those highlighted above). The assessment shall be documented and re-performed periodically as part of the monitoring and control of outsourcing arrangements.
To avoid any ambiguity about the obligations, responsibilities, rights and service level expectations arising from an outsourcing arrangement, it is prudent to define the contractual terms and conditions in a written agreement that is in line with the requirements set out in the Guidelines. The Guidelines prescribe the minimum contents of such agreements, and the agreement should be vetted by a competent authority, such as the FI’s legal counsel.
The Guidelines also highlight the following areas:
- Confidentiality and Security
Ensure the adequacy and effectiveness of the OSP’s security policies and practices in protecting the confidentiality and security of customer information, and that the OSP is obliged to notify the FI promptly of any security breach affecting that information.
- Business Continuity Management
Ensure that the OSP has satisfactory business continuity plans (“BCP”) in place, including defined recovery time objectives (“RTO”), recovery point objectives (“RPO”) and resumption operating capacities, and that these plans are tested.
- Audit and Inspection
Ensure that the FI retains the right to audit the OSP and its subcontractors. Independent audits and/or expert assessments should be conducted on all outsourcing arrangements.
Monitoring and Control of Outsourcing Arrangements
A register of all outsourcing arrangements, identifying those that are “material”, shall be maintained at all times and used as part of the oversight and governance controls.
A “material outsourcing arrangement” is defined as an outsourcing arrangement which:
(a) in the event of a service failure or security breach, has the potential to materially impact an institution’s:
- business operations, reputation or profitability; or
- ability to manage risk and comply with applicable laws and regulations; or
(b) involves customer information and, in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers.
Periodic reviews, at least annually, shall be conducted on all material outsourcing arrangements to ensure that the outsourcing risk management policies and procedures, and the Guidelines, are effectively implemented. This includes comprehensive pre- and post-implementation reviews of new outsourcing arrangements and of amendments to existing arrangements.
Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) Outsourcing Arrangements
In recent years, MAS has increased its scrutiny of FIs’ outsourcing arrangements, particularly for critical outsourced functions such as AML/CFT. The report “Strengthening Capital Markets Intermediaries’ Oversight over AML/CFT Outsourcing Arrangements”, published by MAS in July 2020, highlighted gaps in capital markets intermediaries’ (“CMIs”) oversight of AML/CFT outsourcing arrangements, observed over a series of thematic inspections assessing the adequacy of CMIs’ oversight of their AML/CFT service providers. These deficiencies exposed CMIs to regulatory and reputational risk. The key challenges included inadequate understanding of, and quality control over, the service providers’ work, and the inability to monitor their performance in a timely manner.
The bottom line is that activities can be outsourced, but responsibility cannot. Responsibility for maintaining effective oversight and governance of outsourcing arrangements, managing outsourcing risks and implementing an adequate outsourcing risk management framework lies with the FI, its Board and Senior Management. Senior Management must ensure that there is independent review and audit of compliance with the outsourcing policies and procedures.