Last week, a joint international forum that was established to address banking and securities issues published guidance for financial services companies related to outsourcing.
The Joint Forum, established in 1996, includes the International Organization of Securities Commissions, the Basel Committee on Banking Supervision, and the International Association of Insurance Supervisors.
The report includes a set of principles that are designed to assist regulated entities in determining the "minimum steps they should take when considering outsourcing activities."
Lyons
But according to Greg Lyons, a partner at Goodwin Procter who chairs the firm's Financial Services and Banking practice groups, the guidance isn't only relevant for banks.
"Although the guidance is directed to financial institutions," notes Lyons, who also publishes a weekly Financial Services Alert for Goodwin Procter, "its fundamental principles are useful for any industry engaged in outsourcing activities, particularly other regulated industries."
Indeed, the outsourcing trend has impact far beyond the financial services industry; there has been a boom in outsourcing in recent years, and the topic has been a lightning rod for policy makers and unions. It's also become a corporate governance issue through shareholder resolutions at IBM and other companies.
Just last week, an ethics committee of the AICPA weighed in on the topic, issuing an exposure draft that would require auditors to inform clients if their work has been outsourced (see box above, right).
Huey Evans
According to Gay Huey Evans, the director of markets in the UK Financial Services Authority who also chairs the Joint Forum, the report should assist firms "in establishing the basic framework for effective management of the risks that may arise as a result of outsourcing.”
The report estimates that "of some $340 billion spent on IT globally in 2003, $120 billion or a third was entrusted to third parties."
It also notes that the principal motive behind outsourcing in the financial services industry is cost reduction. Secondary reasons include access to better technology, a desire to focus on the core business, and quality and service issues.
Guiding Principles
The report outlines nine "guiding principles," seven of which cover the responsibilities of regulated entities when they outsource. Those seven are:
Policy And Board Oversight: A regulated entity seeking to outsource activities should have in place a
comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced. The board of directors or equivalent body retains responsibility for the outsourcing policy and related
overall responsibility for activities undertaken under that policy.
Risk Management: The regulated entity should establish a comprehensive outsourcing risk
management program to address the outsourced activities and the relationship with the service provider.
Obligations To Customers, Regulators: The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfill its obligations to customers and regulators, nor impede effective supervision by regulators.
Due Diligence: The regulated entity should conduct appropriate due diligence in selecting third party service providers.
Contracts: Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement,
including the rights, responsibilities and expectations of all parties.
Contingency Plans: The regulated entity and its service providers should establish and maintain
contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.
Confidentiality: The regulated entity should take appropriate steps to require that service
providers protect confidential information of both the regulated entity and its clients from intentional or inadvertent disclosure to unauthorized persons.
The report also noted that regulators should take into account outsourcing activities to ensure that "outsourcing arrangements do not hamper the ability of a regulated entity to meet its regulatory requirements." Regulators should also be aware of the risks posed where the outsourced activities of multiple regulated entities are concentrated within a limited number of service providers.
Regarding risks, the report noted several compliance risks, one of them being that the outsource provider does not have adequate compliance systems and controls.
The full report, which includes case studies and a country-by-country analysis of approaches to outsourcing, can be downloaded from the chart above, right.
In addition, the Joint Forum is accepting comments on the report. Comments should be forwarded by email to baselcommittee@bis.org before Sept. 20, 2004.
No comments yet