Document, document and document again
June 2017 | EXPERT BRIEFING | FINANCE & INVESTMENT
In recent months, the Securities and Exchange Commission (SEC), the Financial Conduct Authority (FCA) and the Monetary Authority of Singapore (MAS) have all issued consultations and guidance on outsourcing. Although the regulators advised on slightly different areas, the theme is clear. With outsourcing on the up, fund managers must have defined strategies, and most importantly, must document these with evidence that ongoing monitoring is in place.
SEC’s consultation paper on business continuity and transition plans
The SEC issued a consultation paper in June 2016 looking at the third parties that managers increasingly rely upon. The SEC is proposing that managers be required to implement a business continuity and transition plan, “reasonably designed to address operational and other risks related to a significant disruption”.
Senior management should focus on the maintenance of critical operations, the protection, back-up and recovery of third-party data, and a pre-arranged alternate physical location. The fund must have stakeholder communication plans, and it will need to identify business-critical services and create a transition plan that accounts for the possible winding down of the adviser’s business, or for the adviser otherwise being unable to continue providing services.
FCA guidance for firms outsourcing to the cloud and to other third-party IT services
In July 2016, the FCA published guidelines in line with, but broader than, the SEC advice. These state that when looking to outsource, managers should consider all legal and regulatory factors, as well as the jurisdiction of the service provider in question. A detailed business case should be produced and a proper contract should exist. A firm is also required to document and manage any potential risk of outsourcing, ensuring it adheres to international standards. To achieve this it is recommended that managers determine the full scope of the service provider’s responsibilities, allocate management responsibility for the arrangement and ensure dispute resolution arrangements are in place.
Furthermore, a data residency policy must be agreed between the firm and any outsourced providers, which sets out data loss and breach notification protocols, in line with the Data Protection Act 1998 (DPA 1998). The FCA also recommends that managers pre-agree effective access to data held by the outsourced provider, ensuring access is available both to the managers themselves and, if need be, to the regulator, and that the outsourced data is not stored in domiciles that may inhibit effective access.
The FCA states that it is also important to facilitate visits to the outsourcing partner by the firm, the auditor and even the regulator if necessary. Firms also need to agree the details of any sub-contracting arrangements before entering into outsourcing agreements, and it is recommended that a change management process, as well as exit and termination plans, are in place.
The guidance is pragmatic, but it puts a considerable onus on managers to document and maintain records, and to share with the regulator if required.
MAS guidelines on outsourcing
The MAS also published its guidelines on outsourcing in July 2016. Although the MAS, like the SEC and the FCA, recognises the value of outsourcing, it argues that outsourcing generates a number of potential risks.
Importantly, the definition of outsourced services here is broad, including audit and cloud computing.
The key to meeting MAS’ regulatory requirements is discipline. The board and senior management must identify all existing outsourcing arrangements and policies, and define the risk appetite: the level of outsourcing risk the fund is prepared to accept.
The fund must then define a process for the approval of outsourcing arrangements, consistent with its established strategy and risk appetite. Once the board has set the guidelines, the next steps fall to senior management. They will need to evaluate the risk of all current outsourcing, in line with the risk appetite set by the board. They must also document outsourcing policies and ensure they are implemented effectively, are ‘fit for purpose’ and are updated as required. Contingency plans must be tested to ensure that they actually work.
Outsourcing policies and procedures must be independently reviewed with any actions implemented and any risks communicated to the board.
The MAS has also provided guidelines on service provider selection, which recommend that firms consider a prospective provider’s ability to implement and support the arrangement. It highlights the importance of assessing the provider’s financial strength and resources, in addition to its corporate governance, business reputation, culture and ability to cope with any pending or potential litigation. Firms are advised to review providers’ security controls and business continuity plans, along with their audit, reporting and risk management frameworks.
Checking the necessary insurance coverage is in place is also key, as is ensuring that all outsourced partners comply with applicable laws and regulation. Finally, the MAS advises that it is important to assess the political, legal and social landscape that any prospective provider operates in.
So what does this all mean?
Managers need to define and develop proper strategies in respect of outsourcing and disaster recovery, and document them. They must be fully aware of what they outsource and to whom, and they must fully understand the risks that each arrangement creates.
Gone are the days of informal processes. When regulators come knocking, they will not want to talk. They will want to see quality documentation supporting the decisions that have been made, and evidence that those decisions have been followed up on an ongoing basis. They need evidence that the outsourcing decision was the right one and that the fund and its investors have benefitted.
In short, regulators around the world want to see that managers are organised, have considered the risks they run within their own business, not just the portfolio, and most importantly, that they have mitigated those risks and have documentary evidence to this effect. Document, document, and document again.
Ian Kelly is the chief executive officer of Augentius Group.
© Financier Worldwide