Effective oversight of outsourced functions in the financial industry

Abstract

With the rise of technology solutions and their application in the financial markets (also referred to as FinTech), several regulated firms, ranging from small to institutional players, are increasingly availing of third parties (both regulated and unregulated) across the globe to perform a process, a service or an activity that would otherwise be undertaken by such regulated firms. Effectively, the decision to avail of such arrangement, labelled as outsourcing, can be the result of multiple business considerations, including (i) reliance on third parties due to their more efficient and cost-effective systems, (ii) scalability, (iii) lack or limited internal resources and/or in-house capabilities, but also (iv) intragroup allocation of functions and (v) agility and flexibility. The financial industry, however, is facing an increasing scrutiny over outsourcing arrangements, especially in respect of information technology (IT)-related outsourcing, by regulators across the European Union (EU) and the United Kingdom. The key regulatory concerns range from stakeholder protection, operational resilience to business continuity. To ensure that such concerns are duly addressed by regulated entities, EU supervisory authorities and the Financial Conduct Authority (FCA) intervened with binding guidelines on outsourcing and a strengthened regulatory framework applicable to outsourcing, covering the pre-outsourcing phase and extending from day-to-day monitoring. This paper aims to provide a pragmatic overview on certain best practices designed to ensure effective monitoring of outsourced functions and sustainable operational resilience. A first section shall focus on the notion of outsourcing and shall identify the main regulatory framework(s) affected by outsourcing rules. The following section will focus on the impact of outsourcing in the investment services industry, with a particular emphasis on asset managers, credit and financial institutions and investment service providers, without looking at the insurance sector. A third section will provide a five-step guidance on building an effective outsourcing monitoring model with a particular focus on small-medium enterprises, while the following section will focus on exit strategies. Before drawing the conclusions of the analysis carried out earlier, a final section will identify what the authors believe being the ultimate goal of ensuring effective third-party outsourcing monitoring, namely the creation of a sustainable control environment designed to deliver operational resilience in the long term.