Financial services businesses throughout the world are increasingly using third parties to carry out activities that the businesses themselves would normally have undertaken. Industry research and surveys by regulators show financial firms outsourcing significant parts of their regulated and unregulated activities. These outsourcing arrangements are also becoming increasingly complex.
Outsourcing has the potential to transfer risk, management and compliance to third parties who may not be regulated, and who may operate offshore. In these situations, how can financial services businesses be confident that they remain in charge of their own business and in control of their business risks? How do they know they are complying with their regulatory responsibilities? How can these businesses demonstrate that they are doing so when regulators ask?
To help answer these questions and to guide regulated businesses, the Joint Forum established a working group to develop high-level principles about outsourcing. In this paper, the key issues and risks are spelt out in more detail and principles are put forward that can serve as benchmarks. The principles apply across the banking, insurance and securities sectors, and the international committees involved in each sector may build on these principles to offer more specific and focused guidance. Selected international case studies (see Annex A) show why these questions matter.
Today outsourcing is increasingly used as a means of both reducing costs and achieving strategic aims. Its potential impact can be seen across many business activities, including information technology (e.g., applications development, programming, and coding), specific operations (e.g., some aspects of finance and accounting, back-office activities and processing, and administration), and contract functions (e.g., call centres). Industry reports and regulatory surveys of industry practice indicate that financial firms are entering into arrangements in which other firms - related firms within a corporate group and third-party service providers - conduct significant parts of the enterprise's regulated and unregulated activities.
Activities and functions within an organisation are performed and delivered in diverse ways. An institution might split such functions as product manufacturing, marketing, back-office and distribution within the regulated entity. Where a regulated entity keeps such arrangements in-house, but operates some activities from various locations, this would not be classified as outsourcing. The entity would therefore be expected to provide for any risks posed by this in its regular risk management framework.
Increasingly complex arrangements are developing whereby related entities perform some activities, while unrelated service providers perform others. In each case the service provider may or may not be a regulated entity. The Joint Forum principles are designed to apply whether or not the service provider is a regulated entity.
Various industry and regulatory reports have identified outsourcing as raising issues related to risk transfer and management, frequently on a cross-border basis. Industry and regulators acknowledge that this increased reliance on the outsourcing of activities may impact on the ability of regulated entities to manage their risks and monitor their compliance with regulatory requirements. Additionally, there is concern among regulators as to how outsourcing could potentially impede the ability of regulated entities to demonstrate to regulators (e.g., through examinations) that they are taking appropriate steps to manage their risks and comply with applicable regulations.
Among the specific concerns raised by outsourcing activities is the potential for over-reliance on outsourced activities that are critical to the ongoing viability of a regulated entity as well as its obligations to customers.
Regulated entities can mitigate these risks by taking steps (as discussed in the principles) to: draw up comprehensive and clear outsourcing policies, establish effective risk management programmes, require contingency planning by the outsourcing firm, negotiate appropriate outsourcing contracts, and analyse the financial and infrastructure resources of the service provider.
Regulators can also mitigate concerns by ensuring that outsourcing is adequately considered in their assessments of individual firms whilst taking account of concentration risks in third-party providers when considering systemic risk issues.
Of particular interest to regulators is the preservation at the regulated entity of strong corporate governance. In this regard, outsourcing activities that may impede an outsourcing firm's management from fulfilling its regulatory responsibilities are of concern to regulators. The rapid rate of IT innovation, along with an increasing reliance on external service providers, has the potential to lead to systemic problems unless appropriately constrained by a combination of market and regulatory influences.
This paper attempts to spell out these concerns in more detail and develop a set of principles that gives guidance to firms, and to regulators, to help them better mitigate these concerns without hindering the efficiency and effectiveness of firms.