Regulators are redoubling their interest in outsourcing in the wake of the pandemic. Despite the drive to cut costs, firms should be making sure their outsourcing arrangements satisfy regulators and achieve the right customer outcomes, particularly in the area of resilience.
IOSCO’s recent publication of its Principles on Outsourcing, Consultation Report is an early sign of a post-pandemic renewal of the recent regulatory focus on outsourcing. It covers much of the same ground as the PRA’s Consultation Paper CP30/19 Outsourcing and third party risk management, which appeared at the end of last year.
This interest is certainly timely. If financial services now find themselves under pressure to cut costs, their thoughts may well turn to outsourcing. In a world where remote working is becoming the norm, some of the old objections to outsourcing might look weaker. It is important, therefore, to make sure that any new outsourcing decisions take regulatory concerns into consideration – and it’s also a time to check that existing contracts measure up.
Regulators provide guidelines on a range of outsourcing basics from due diligence to the need for exit provisions. Here, we look at the need to safeguard customers’ interests.
Customer outcomes key to outsourcing
Customer outcomes should be a priority both when carrying out due diligence around new outsourcing relationships and during ongoing monitoring of existing contracts. There are several issues which need addressing, and resilience heads the list. Resilience is also the key area that regulators are flagging at the moment.
Safeguard operational resilience
Resilience is vital both to customer outcomes and to market stability. If an outsourcing provider does not do their job in terms of keeping the service running, it can not only be extremely embarrassing from a market perspective but can also severely disadvantage customers – both commercial counterparties and individual consumers, as cases like TSB show.
It’s vital to verify that providers can assure continuity of service in adverse conditions. As we discuss in our paper Resilience or Longevity, firms need to make sure they have the right oversight processes and contractual terms to ensure resilience, together with clarity around roles and responsibilities. It is also important to bear in mind that it may turn out to be impossible to control certain risks in an outsource model, in which case the relevant elements may need to be insourced.
In considering resilience, firms should be aware of the issue of concentration. If too many financial services companies have their back-office IT run by the same provider and that provider’s data centre goes down, the impact on customers and the market could be grave. This is a legitimate concern for regulators but one that is difficult to address at the level of individual firms. However, it’s something to be aware of.
Overhaul governance and oversight
IT systems can be challenging for senior management to understand at the best of times, and once they are outside the business it can be even harder. Yet under SMCR managers are reminded that accountability remains with the firm – and specifically with them – even when delivery is outsourced.
The key is to retain enough specialist expertise in-house to manage whatever is being outsourced. In practice, firms often overlook this requirement or at best just pay lip service to it. Even when cost reductions are urgently needed, this is not an area for penny-pinching.
Oversight must also extend to sub-outsourcing. Firms need to avoid situations where they believe that they are using one supplier but the work is actually done by another. They should always know that their work is being done in the right place and with the right controls. Sub-outsourcing is not a negative: there can be a good reason to outsource parts of a task to a specialist, provided the controls and communications are in place. The firm, and the regulator, should have direct access to all the parties involved, including being able to go on site if appropriate.
Make customer outcomes central to processes
Firms should ensure customer outcomes are central to due diligence and monitoring. A wide range of parties should be involved in meetings and consultations – not just operations and IT but also the “second line” and those in customer-facing roles, to build an understanding of what decisions will mean in practice to customers.
A balanced scorecard approach can be helpful in making sure that a deal or ongoing arrangement is not just commercially beneficial but also able to deliver for customers from a conduct risk, regulatory and resilience point of view.
Broaden your outsourcing decision-making focus
Outsourcing decisions tend to be driven by the finance department, which may naturally lead to an emphasis on cost-cutting rather than on the standard of service provided. To meet regulatory requirements, it’s vital to broaden the focus, and the team.