Financial regulators draft proposals on outsourcing

Operational risk

There is growing concern among some commentators at the impending growth of regulatory scrutiny of outsourcing in the securities industry in the USA and Europe through introduction of additional regulation governing outsourcing. It is important to put these impending regulatory changes in context.

MiFID requires investment firms to ensure they take reasonable steps to avoid undue additional operational risk when relying on third parties for the performance of operational functions. This is targeted, specifically, at functions that are critical for the provision of continuous and satisfactory service to clients and for the performance of investment activities on a continuous and satisfactory basis.

Equally, a firm may not outsource important operational functions in a way that materially impairs the quality of its internal control and the ability of supervisors to monitor the outsourcing firm's compliance with all obligations. Strict and rigorous conditions are imposed on investment firms that wish to outsource "critical" and "important" functions.

Most importantly, outsourcing of investment services and activities should be considered as capable of constituting a material change of the conditions for authorisation of an investment firm and, in consequence, have to be notified to the relevant financial regulator.

The UK Financial Services Regulator, the FSA, is the first of the EU national financial regulators to articulate its concerns and outline how it proposes to address the requirements of MiFID.

"Operational risks posed by outsourcing could present a significant threat to the statutory objective of securing the appropriate degree of protection for customers, maintaining confidence in the financial system and reducing financial crime."

This is essentially in line with its statutory duties under the Financial Services and Markets Act 2000. Financial institutions must monitor and effectively manage and supervise the competence and performance of the outsourced service providers. At the same time there will be "a differential approach" to what are termed critical and important functions and non-critical functions.

The NYSE drafted its proposal on outsourcing, "Due Diligence and Conditions Required in the Use of Service Providers", after concluding that broker-dealers were not adequately supervising the work they outsourced. The regulatory arm of NYSE Group said that "in many instances written procedures, business continuity plans and formal due diligence were lacking".

The NYSE proposal also covers issues beyond compliance - functions having to do with "core processes". Customer orders or accounts handling, as well as clearing and settlement of transactions, would come under additional scrutiny. Written notification to the exchange will be required when one of these functions is outsourced, although service providers that are broker-dealers or clearing firms are exempt from this requirement.

When work is sent offshore, exchange members would have to assess the laws and business procedures of the respective countries and how they affect the provider's performance. Firms must supervise ongoing outsourced work. If problems arise, a firm would have two months to either increase supervision of the activity or bring the work in-house.

Other US regulators have issued statements about outsourcing. The SEC has stated that firms cannot outsource key compliance obligations, while the US NASD (National Association of Securities Dealers) has advised member firms not to outsource compliance, except in cases where the outsourcing vendor is registered - such as an execution provider or custodian.

Interestingly, neither the SEC nor NASD guidelines have any enforcement provisions, while the NYSE proposal will give the exchange the authority to require a member firm to correct any flaws and take action against deficiencies. To bring some consistency to the regulatory regimes in the USA, the SEC and NASD should review their enforcement options.

In both the European and USA (NYSE) regulatory jurisdictions, these changes essentially subject to regulation the processes and procedures which firms should be applying as a matter of good operational practice, if not under their corporate governance responsibilities. Where internal policies and procedures fall short of regulatory requirements, the shortfall in oversight and monitoring of outsourcing standards and conditions can probably be addressed by formalising processes and procedures which currently occur informally, designating specific internal corporate responsibilities, and monitoring performance more rigorously and continuously.

Perhaps the real crunch comes for firms that have outsourced services to geographic areas where it is very difficult for either the outsourcer or the regulator to evidence adherence to outsourcing conditions and standards. In such circumstances, unless the outsourced activities can be transferred to another operating environment - internal or external - the pragmatic approach would be to insource the activity by acquisition of the resource which provides the service from the outsourcer. In other words, those resources would become employees of the firm.

Copyright © 2006, IT-Analysis.com
