
Re-evaluating intra-group arrangements for the Compliance function

This third instalment in a series of blogs on wholesale conduct topics discusses the challenges regarding compliance outsourcing and how we can help you.

Globally, regulators have set out expectations in relation to compliance outsourcing, emphasising that firms must retain the necessary expertise and resources to supervise outsourced functions effectively and manage risk [1].

This blog focuses on considerations for Compliance functions which sit within a regulated entity and receive services from other parts of a Group entity. An example is a UK-based entity regulated by the Financial Conduct Authority (“FCA”) that relies upon certain compliance services provided by offshore teams or other parts of the Group.

Central Compliance services are commonly provided between Group entities, on a cross-border basis or from hub locations to extract, for example, cost efficiencies from offshoring, or bundling of expertise and technical resource in centres of excellence.

Central Compliance services can include a number of critical and important outsourced processes and controls, such as:

  • Control room management of conflict of interest or market abuse risk
  • Financial crime processes such as client on-boarding and due diligence
  • Client money and client asset administration
  • Compliance assurance
  • Management Information reporting and analytics.

In the scenario above, the UK Compliance team of a Group entity is required to exercise adequate oversight of arrangements from the centralised compliance team. It is generally not sufficient to rely on the fact that these services are being provided intra-group to demonstrate effective oversight. The UK Compliance team must dedicate adequate and competent resource and technical expertise to deliver effective oversight, ensuring that UK requirements are brought to the attention of the central service team, and that centralised teams understand and apply UK-specific requirements during their standardised process.

Common Challenges

In our experience of working with various firms across the financial industry, we understand the importance of integrating effective governance and oversight of all outsourced services with the firm’s risk and compliance framework. Common challenges we have observed include:

  • Location specific requirements: Lack of specification and validation as to which services are required by the UK Compliance team against the current business structure, whether services received accurately reflect all services expected and are at the level of quality expected. This also applies to EU Compliance teams relying upon compliance services provided by the Group with headquarters in the UK.
  • Insufficient influence and oversight: Lack of appropriate service recipient representation on relevant central working groups and fora that decide on process or technology changes, or lack of influence or input into Group processes. For example, a lack of minuting and sharing of key decisions made by the central team, or evidence of decisions made by central working groups which do not record UK specific requirements.
  • Unclear expectations across policies and procedures: Insufficient written articulation of UK specific requirements in Group policies, policy addenda and procedures, lack of training of the central compliance staff on managing UK specific requirements, and reliance on corporate memory.
  • Absence of specific controls and granular reporting: Inability to generate controls data at the granular level necessary, making it challenging to effectively gauge the robustness of the delivery and performance of outsourced services to the UK Compliance team and to close identified gaps in services received against service level agreements (SLAs).
  • Absence of granular risk monitoring: Due to controls data limitations, Management Information (key risk indicators, key performance indicators and thresholds) is not customised and meaningful enough for the UK Compliance team to effectively identify any change in the risk profile of the outsourced compliance processes. This may also hinder escalation on a timely basis where issues are identified, or where risks are nearing particular thresholds.

Key Takeaways

Compliance leadership should be assured that the services they receive accurately reflect all services they expect and require against their intra-group SLAs, are at the level of quality that they expect, and that they can ensure the effective influence and oversight of the outsourced services within the broader Group context. Adequate resources and technical expertise must be dedicated to deliver effective oversight of outsourced systems and controls to enable compliance leadership to meet their responsibilities as senior managers.

To demonstrate effective oversight, the following components should be considered:

Ability

The service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;

Assessment

The service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;

Risk Management

The service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;

Actions

Appropriate action must be taken by the firm if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;

Supervision

The firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, and must supervise those functions and manage those risks;

Disclosure

The service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;

Termination

The firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;

Cooperation

The service provider must co-operate with the regulator in connection with the outsourced activities;

Data access

The firm, its auditors, and the regulators must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the regulator must be able to exercise those rights of access;

Confidentiality

The service provider must protect any confidential information relating to the firm and its clients;

Contingency

The firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.

How can Deloitte help?

Our team have a wealth of expertise in managing end-to-end reviews of Compliance functions of varying sizes across the financial services sector. We have the capabilities to support you with:

  • A sense-check or light-touch review of your compliance outsourcing arrangements to determine potential areas of improvement.
  • Workshops with key stakeholders to understand what currently works well and potential areas requiring improvement or further assessment.
  • A deep dive into your compliance outsourcing arrangements, including a comparison to your peers using our compliance systems and control assessment methodology, to provide further insights and recommendations for enhancement.

If you would like to discuss your requirements further, please contact the authors of this blog.

____________________________________________________________
Footnote:

[1] For example, the European Banking Authority, and the Financial Conduct Authority as highlighted in Market Watch 69. The FCA have issued fines to financial services firms over recent years for failure to oversee outsourcing arrangements.