
Financial regulators draft proposals on outsourcing

Operational risk


There is growing concern among some commentators about the impending growth of regulatory scrutiny of outsourcing in the securities industry in the USA and Europe through the introduction of additional regulation governing outsourcing. It is important to put these impending regulatory changes in context.

MiFID requires investment firms to ensure they take reasonable steps to avoid undue additional operational risk when relying on third parties for the performance of operational functions. This is targeted, specifically, at functions that are critical for the provision of continuous and satisfactory service to clients and for the performance of investment activities on a continuous and satisfactory basis.

Equally, a firm may not outsource important operational functions in a way that materially impairs the quality of its internal control and the ability of supervisors to monitor the outsourcing firm's compliance with all obligations. Strict and rigorous conditions are imposed on investment firms that wish to outsource "critical" and "important" functions.

Most importantly, outsourcing of investment services and activities should be considered as capable of constituting a material change of the conditions for authorisation of an investment firm and, in consequence, have to be notified to the relevant financial regulator.

The UK Financial Services Regulator, the FSA, is the first of the EU national financial regulators to articulate its concerns and outline how it proposes to address the requirements of MiFID.

"Operational risks posed by outsourcing could present a significant threat to the statutory objective of securing the appropriate degree of protection for customers, maintaining confidence in the financial system and reducing financial crime."

This is essentially in line with its statutory duties under the Financial Services and Markets Act 2000. Financial institutions must monitor and effectively manage and supervise the competence and performance of the outsourced service providers. At the same time there will be "a differential approach" to what are termed critical and important functions and non-critical functions.

The NYSE drafted its proposal on outsourcing, "Due Diligence and Conditions Required in the Use of Service Providers", after concluding that broker-dealers were not adequately supervising the work they outsourced. The regulatory arm of NYSE Group said that "in many instances written procedures, business continuity plans and formal due diligence were lacking".

The NYSE proposal also covers issues beyond compliance: functions having to do with "core processes". Customer orders or accounts handling, as well as clearing and settlement of transactions, would come under additional scrutiny. Written notification to the exchange will be required when one of these functions is outsourced, although service providers that are broker-dealers or clearing firms are exempt from this requirement.

When work is sent offshore, exchange members would have to assess the laws and business procedures of the respective countries and how they affect the provider's performance. Firms must supervise ongoing outsourced work. If problems arise, a firm would have two months to either increase supervision of the activity or bring the work in-house.

Other US regulators have issued statements about outsourcing. The SEC has stated that firms cannot outsource key compliance obligations, while the US NASD (National Association of Securities Dealers) has advised member firms not to outsource compliance, except in cases where the outsourcing vendor is registered, such as an execution provider or custodian.

Interestingly, neither the SEC nor NASD guidelines have any enforcement provisions, while the NYSE proposal will give the exchange the authority to require a member firm to correct any flaws and take action against deficiencies. To bring some consistency to the regulatory regimes in the USA, the SEC and NASD should review their enforcement options.

In both the European and USA (NYSE) regulatory jurisdictions, these changes essentially subject to regulation the processes and procedures which firms should be applying as a matter of good operational practice, if not under their corporate governance responsibilities. Where internal policies and procedures fall short of regulatory requirements, the shortfall in oversight and monitoring of outsourcing standards and conditions can probably be addressed by formalising processes and procedures that occur informally, designating specific internal corporate responsibilities, and monitoring performance more rigorously and continuously.

Perhaps the real crunch comes for firms that have outsourced services to geographic areas where it is very difficult for either the outsourcer or the regulator to evidence adherence to outsourcing conditions and standards. In such circumstances, unless the outsourced activities can be transferred to another operating environment - internal or external - the pragmatic approach would be to insource the activity by acquisition of the resource which provides the service from the outsourcer. In other words, those resources would become employees of the firm.

Copyright © 2006, IT-Analysis.com
