Financial regulators draft proposals on outsourcing

Operational risk

There is growing concern among some commentators about the impending growth of regulatory scrutiny of outsourcing in the securities industry in the USA and Europe through the introduction of additional regulation. It is important to put these impending regulatory changes in context.

MiFID requires investment firms to ensure they take reasonable steps to avoid undue additional operational risk when relying on third parties for the performance of operational functions. This is targeted, specifically, at functions that are critical for the provision of continuous and satisfactory service to clients and for the performance of investment activities on a continuous and satisfactory basis.

Equally, a firm may not outsource important operational functions in a way that materially impairs the quality of its internal control and the ability of supervisors to monitor the outsourcing firm's compliance with all obligations. Strict and rigorous conditions are imposed on investment firms that wish to outsource "critical" and "important" functions.

Most importantly, outsourcing of investment services and activities should be considered as capable of constituting a material change of the conditions for authorisation of an investment firm and, in consequence, have to be notified to the relevant financial regulator.

The UK Financial Services Regulator, the FSA, is the first of the EU national financial regulators to articulate its concerns and outline how it proposes to address the requirements of MiFID.

"Operational risks posed by outsourcing could present a significant threat to the statutory objective of securing the appropriate degree of protection for customers, maintaining confidence in the financial system and reducing financial crime."

This is essentially in line with its statutory duties under the Financial Services and Markets Act 2000. Financial institutions must monitor and effectively manage and supervise the competence and performance of the outsourced service providers. At the same time there will be "a differential approach" to what are termed critical and important functions and non-critical functions.

The NYSE drafted its proposal on outsourcing, "Due Diligence and Conditions Required in the Use of Service Providers", after concluding that broker-dealers were not adequately supervising the work they outsourced. The regulatory arm of NYSE Group said that "in many instances written procedures, business continuity plans and formal due diligence were lacking".

The NYSE proposal also covers issues beyond compliance - functions having to do with "core processes". Customer orders or accounts handling, as well as clearing and settlement of transactions, would come under additional scrutiny. Written notification to the exchange will be required when one of these functions is outsourced, although service providers that are broker-dealers or clearing firms are exempt from this requirement.

When work is sent offshore, exchange members would have to assess the laws and business procedures of the respective countries and how they affect the provider's performance. Firms must supervise ongoing outsourced work. If problems arise, a firm would have two months to either increase supervision of the activity or bring the work in-house.

Other US regulators have issued statements about outsourcing. The SEC has stated that firms cannot outsource key compliance obligations, while the US NASD (National Association of Securities Dealers) has advised member firms not to outsource compliance, except in cases where the outsourcing vendor is registered - such as an execution provider or custodian.

Interestingly, neither the SEC nor NASD guidelines have any enforcement provisions, while the NYSE proposal will give the exchange the authority to require a member firm to correct any flaws and take action against deficiencies. To bring some consistency to the regulatory regimes in the USA, the SEC and NASD should review their enforcement options.

In both the European and USA (NYSE) regulatory jurisdictions, these changes essentially subject to regulation the processes and procedures which firms should be applying as a matter of good operational practice, if not under their corporate governance responsibilities. Where internal policies and procedures fall short of regulatory requirements, the shortfall in oversight and monitoring of outsourcing standards and conditions can probably be addressed by formalising processes and procedures that currently occur informally, designating specific internal corporate responsibilities, and monitoring performance more rigorously and continuously.

Perhaps the real crunch comes for firms that have outsourced services to geographic areas where it is very difficult for either the outsourcer or the regulator to evidence adherence to outsourcing conditions and standards. In such circumstances, unless the outsourced activities can be transferred to another operating environment - internal or external - the pragmatic approach would be to insource the activity by acquisition of the resource which provides the service from the outsourcer. In other words, those resources would become employees of the firm.

Copyright © 2006, IT-Analysis.com
