Back to basics – an outsourcing primer for compliance officers at private banks
Sandra Lawrence, Collas Crill, Executive director, Guernsey, 16 December 2019
Outsourcing arrangements can be an efficient and effective way of subcontracting a business activity to an external third party, perhaps because of a dearth of resources, knowledge or IT infrastructure. However, the risks that they present should not be underestimated; a business is only as strong as its weakest link and remains accountable for all its contractors' actions, both good and bad.
Businesses must retain enough skills and knowledge in their own right to allow their boards and senior managers to oversee properly the activities that they are outsourcing. If this is not possible, they should seek 'assurance' (in the form of checks and tests) from experienced practitioners.
In the Guernsey financial services sector, the regulator (the Guernsey Financial Services Commission) pronounces on outsourcing in a variety of places, especially in its guidelines for each sector, in its AML/CFT rulebook and in the accounts of thematic reviews that it publishes periodically. The compliance officer in question must view these obligations not only as regulatory requirements but also as a way to show regulators (or any other officials) that his firm governs itself well and can offset its risks, the better to preserve its all-important good name and perhaps also to harness a competitive advantage.
Regulators expect businesses to consider whether the following factors and risks, amongst others, apply to each particular outsourcing arrangement. These always vary and depend on the nature and scale of the outsourced activity. Most importantly, businesses should show their regulators that they have reviewed things regularly, remembering that intra-group arrangements may also fall within these requirements.
Due diligence and ongoing monitoring
The compliance officer in question must check the background of the outsourcer at the outset of his firm's relationship with it, the better to make sure that it is 'fit and proper' (a phrase used by all regulators) to do the job, in much the same way that he checks the background of a prospective client. He must take into account the nature and extent of the activity that he is outsourcing.
For example, cleaning and facilities management firms may lay the customer-firm open to the theft of data, because they have access to business premises outside office hours. The compliance officer ought to think of countering this by operating a "clear desk and screen" policy and making sure that people store paperwork in locked drawers or cabinets. He should ensure that the third party has policies and procedures that vet its staff to a standard that his own firm can gauge. It might, for example, insist on seeing police disclosure reports and reliable references.
An IT service provider is likely to present a financial firm with a very wide range of risks. Not only might it have access to the firm's premises outside office hours; it might also have full access to, and control of, systems and the data contained therein. It is equally important for the compliance officer to keep monitoring that provider, categorising it according to the risks that he thinks that it poses to the business and writing down a procedure by which he plans to revisit various matters again and again. He must review those arrangements periodically with a frequency determined by his perception of this-or-that risk.
He must also consider whether the third party does anything controversial that directly contradicts his own business's culture and policies – for example, it might display a disregard for climate change or it might use child labour in its supply chains. The compliance officer ought to keep a record of this review in case the regulator comes to call. There is no inherent reason why the regulator should care about the firm's prejudices, but regulators in the English-speaking world seem to be very annoyed when banks deviate from any of their written policies, especially nowadays in the field of ESG (Environmental, Social and Governance) factors.
He must measure the performance of the third party by implementing appropriate service-level agreements and monitoring its performance against them. Whenever it fails to meet its obligations, he must already have a written procedure in place to spot its underperformance and deal with it.
Contractual obligations
A legally binding, written contract keeps a record of the contractor's responsibilities in a clear and unambiguous manner. Where appropriate, it should say whether or not sub-contracting is permissible, the extent to which it is, whether the contractor is obliged to notify the compliance officer before it undertakes it and whether the compliance officer has a right to object to any sub-contracting. The compliance officer ought to think about the risks posed by that additional party. Is it 'fit and proper'? Does it satisfy the requirements? Who oversees it?