The Central Bank of Ireland’s (CBI) latest discussion paper highlights a trend in regulator interest and oversight of outsourced activity by asset managers and other financial firms. The paper turns up the heat on those responsible for overseeing an increasingly complex and globally dispersed supply chain of data and operations.
As the asset management sector continues to grow and innovate, it also becomes more competitive and complex. With the volume and speed of change come additional risks to manage. One of these growing operational risks for asset managers is the increased outsourcing of activities to various third-party vendors.
The espoused benefits of outsourcing include leveraging global resources, increasing scalability, and reducing costs through efficiency. However, building a longer, more complex supply chain comes with additional risks including maintenance, protection, and oversight requirements. The more vendors, partners, and geographic dispersion of outsourced activities, the bigger the oversight burden for the asset management firm.
With these threats at the forefront, it is unsurprising that regulators such as the US SEC, the UK’s FCA, the European Banking Authority (EBA), and ESMA, along with industry bodies like IOSCO, have chosen to shine a spotlight on these issues. The latest regulator to address the issue is Ireland’s CBI with the recent release of Outsourcing – Findings and Issues for Discussion (the “CBI Paper”).
The paper is divided into two parts: 1) findings from the CBI’s review of the market and 2) a request for industry feedback on evolving outsourcing trends and risks. The paper is worth a detailed read; the key themes from part 1 include:
Boards of Directors and Governance
- Written policies and procedures are either incomplete or lacking in some areas.
- Board member knowledge of current outsourcing models is lacking.
- Delegation of service agreements is not thoroughly recorded or described in director materials.
- Risk assessments and due diligence on appointment of outsourced entities are inadequate.
- Tasks are insufficiently categorized (i.e. some tasks are more important, sensitive, or complex than others and should be identified and given extra attention).
- The ongoing monitoring of the outsourced provider may not be frequent or detailed enough to identify, escalate, and resolve issues. Firms must ensure they have the skills, experience, and knowledge to carry out their monitoring responsibilities.
- Asset managers’ BCP plans may not fully document all outsourced arrangements.
- Third party providers are often not included in the BCP testing so large parts of the supply chain are untested.
- Not all BCP plans consider an exit strategy: the timely and efficient transfer of activities to another provider to ensure minimal service disruption if needed.
Part two highlights evolving risks and trends and asks the industry to respond. These include:
- Sensitive data risk – Firms need to ensure third parties acting in a non-EU country maintain compliance with GDPR requirements.
- Cloud providers – Firms must consider the implications of reliance on cloud providers who may be less regulated than bank-approved entities.
- Concentration risk – Lack of diversification of outsourced service providers and intra-group entities such as shared service offices, centers of excellence, and operational hubs can create risk in that an issue in one area may quickly spread to several others.
- Offshoring risk – Scrutiny on the supply chain means a greater focus on who’s doing what, where, and why. More than 50% of Irish outsourcing is to the UK, US, India, Germany and France. Half of all outsourcing arrangements were also to locations outside of the European Economic Area (EEA). The message here: Brexit matters.
- Chain outsourcing – Contracts for chain outsourcing and sub-contractor arrangements should capture all parties within the chain and be comprehensive enough to address the risks inherent in such an arrangement.
- Alternate provision of outsourced service – Firms need to have more comprehensive BCP plans and exit strategies in case they need to quickly switch providers.
The CBI concludes by stating the findings of their outsourcing review were “disappointing” – language that has made the industry sit up and take notice. The CBI refers to draft outsourcing guidelines by the EBA at several points in the paper. The EBA recently published a comment paper and confirmed that it would publish the final guidelines in the first quarter of the year, so any further CBI steps are likely to be coordinated with the broader EBA initiative.
The paper is a signal for all Irish-domiciled asset managers, management companies, and fund boards to watch for further developments from the CBI and EBA, to review the paper against their own policies and procedures, and, where required, to act to remedy any gaps. Managers not domiciled in Dublin should also take note, as the CBI paper is sure to fan the flames of debate among other global regulators. We expect they will ramp up inspection and oversight relating to outsourcing in 2019.
As the CBI did with ETFs, they’ve requested comments by January 2019. In Q1 2019, they will host a conference on outsourcing to engage in international regulatory discourse.
Whether engaging with the CBI or not, asset managers across the globe should ask themselves:
- Do I have a clear view into all data, systems, geographic footprints, and vendors in my supply chain? And are they using any outsourced vendors?
- Do I have certainty around my business continuity and substitutability plan?
- Have I robustly tested existing back-up plans and scenarios which may warrant the transfer of activities?
- Do I have a viable exit strategy if I needed to transfer tasks?
- Are my service providers offering a transparent view into their operational model?
- Are my service providers assisting me with education and solutions for our mutual regulatory and client expectations?
- Do I receive adequate KPIs for outsourced functions in order to assess the efficacy of my global data supply chain?
- Do all parts of my data supply chain and outsourced vendors comply with the highest level of regulatory parameters, such as GDPR?