This third instalment in a series of blogs on wholesale conduct topics discusses the challenges of compliance outsourcing and how we can help you.
Globally, regulators have set out expectations in relation to compliance outsourcing, emphasising that firms must retain the necessary expertise and resources to supervise outsourced functions effectively and manage risk [1].
This blog focuses on considerations for Compliance functions which sit within a regulated entity and receive services from other parts of a Group entity, for example, a UK-based entity regulated by the Financial Conduct Authority (“FCA”) that relies upon certain compliance services provided by offshore teams or other parts of the Group.
Central Compliance services are commonly provided between Group entities, on a cross-border basis or from hub locations, for example to extract cost efficiencies from offshoring or to bundle expertise and technical resource in centres of excellence.
Central Compliance services can include a number of critical and important outsourced processes and controls, such as:
In the scenario above, the UK Compliance team of a Group entity is required to exercise adequate oversight of arrangements from the centralised compliance team. It is generally not sufficient to rely on the fact that these services are being provided intra-group to demonstrate effective oversight. The UK Compliance team must dedicate adequate and competent resource and technical expertise to deliver effective oversight, ensuring that UK requirements are brought to the attention of the central service team, and that centralised teams understand and apply UK-specific requirements during their standardised process.
In our experience of working with various firms across the financial industry, we understand the importance of integrating effective governance and oversight of all outsourced services with the firm’s risk and compliance framework. Common challenges we have observed include:
Compliance leadership should be assured that the services they receive accurately reflect all services they expect and require against their intra-group SLAs, are at the level of quality that they expect, and that they can ensure the effective influence and oversight of the outsourced services within the broader Group context. Adequate resources and technical expertise must be dedicated to deliver effective oversight of outsourced systems and controls to enable compliance leadership to meet their responsibilities as senior managers.
To demonstrate effective oversight, the following components should be considered:
| Component | Consideration |
|---|---|
| Ability | The service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally; |
| Assessment | The service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider; |
| Risk Management | The service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing; |
| Actions | Appropriate action must be taken by the firm if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements; |
| Supervision | The firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, and must supervise those functions and manage those risks; |
| Disclosure | The service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements; |
| Termination | The firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients; |
| Cooperation | The service provider must co-operate with the regulator in connection with the outsourced activities; |
| Data access | The firm, its auditors, and the regulators must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the regulator must be able to exercise those rights of access; |
| Confidentiality | The service provider must protect any confidential information relating to the firm and its clients; |
| Contingency | The firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced. |
Our team have a wealth of expertise in managing end-to-end reviews of Compliance functions of varying sizes across the financial services sector. We have the capabilities to support you with:
If you would like to discuss your requirements further, please contact the authors of this blog.
____________________________________________________________
Footnote:
[1] For example, the European Banking Authority, and the Financial Conduct Authority as highlighted in Market Watch 69. The FCA have issued fines to financial services firms over recent years for failure to oversee outsourcing arrangements.