Outsourcing challenges for financial services companies in light of regulatory expectations
Heightened focus by the Central Bank of Ireland on outsourcing arrangements employed by regulated entities means companies need to be able to demonstrate their ability to manage the associated risks, writes Shane Walker.
The level of regulatory focus and scrutiny within the area of outsourcing (and specifically IT outsourcing) has increased considerably in recent years, both locally and in a wider European context.

Financial services were among the early adopters of outsourcing, typically focusing on basic transactional processes in order to concentrate on more highly skilled and valued functions. Over time, the outsourcing focus has shifted to align with changes in the financial services landscape. Institutions are extending outsourcing arrangements to more complex core business processes and related Information Technology activities.

As the complexity of outsourcing arrangements increases, so too does the need for organisations to comprehensively demonstrate their ability to manage the associated risks and ensure they are aligned with regulatory expectations. Over the past two years, the Central Bank of Ireland (CBI) has carried out multiple targeted and thematic reviews in the areas of outsourcing across a variety of industries and topics. These reviews have highlighted a number of consistent outsourcing issues and challenges facing financial services entities, which can be summarised as follows:

1 Defining and Applying Outsourcing
• Outsourcing Definition: The definition of outsourcing not applied appropriately;
• Intragroup Outsourcing: Not considered in the outsourcing programme (Intragroup outsourcing requirements should be consistent with those of Third Party entities);
• Material Outsourcing: Not understood or not applied appropriately (Focus on spend rather than risk); and
• Proportionality: Not applied consistently.

2 Outsourcing Assessment Process
• Planning: Outsourced vendors are not aligned to strategic objectives;
• Due Diligence: Failure to carry out thorough due diligence on prospective outsourced vendors; and
• Risk Assessment: Risks not mitigated appropriately, particularly in relation to: Business Continuity, Crisis Management, Data Protection, Information Security, and Compliance.

3 Contracting
• Contracts: Contracts not in place or not aligning to regulatory requirements; and
• Service Level Agreements (SLAs): Lacking robust provisions in relation to security, service availability, performance metrics or penalties.

4 Ongoing Monitoring
• Monitoring: Inadequate monitoring of vendor service performance;
• Reporting & Escalation: Vendor exceptions and incidents not escalated or reported in a timely manner, resulting in poor quality service; and
• Governance: Insufficient senior management/board review & oversight.

5 Exit Strategies and Terminations
• Exit Process: Insufficient development of outsourcing vendor exit management strategies and contingency plans; and
• Control Resumption: Inability of senior management to resume control of outsourced processes on a timely basis.

The regulatory focus on outsourcing is expected to continue through 2018 and beyond. It was a top three inspection priority for the European Central Bank in 2017. Put simply, this is due to the material component outsourcing plays in many firms' operations in the Irish financial services sector today.

Whilst the above challenges are not insurmountable, experience to date demonstrates that financial services entities typically do not consistently align to regulatory expectations. The good news is that if these obstacles are overcome, opportunities exist for financial services entities to truly benefit from the key advantages that outsourcing arrangements can offer, such as cost cutting; service quality enhancement; solving capacity issues; and gaining access to intellectual capital.
Shane Walker is senior manager, Risk Assurance Solutions at PwC.
This article appeared in the December 2017 edition.