Outsourcing: an increasingly risky business?
Since the 1980s, outsourcing has been a way to leverage global wage imbalances to lower the cost/income ratios of the banking industry. The rules of the game changed in 2007, with MiFID controlling how outsourcing should be done. However, few outsourcing relationships have come under scrutiny – until now.
In 2008, the financial crisis hit, and outsourcing once again came into regulators’ sights as an obvious source of operational risk. The bottom line is that more stringent restrictions require a deeper level of engagement that could lead to increased prices.
This is not just a problem with your Indian or Russian technology houses. This affects all suppliers – including the large firms that provide custody services, depositary functions, payments and the like. The FSA has recently brought the increasing importance of this issue to the fore, writing a ‘Dear CEO’ letter to multiple asset managers to assess if they have contingency plans allowing them to continue business during the failure of an outsourced function.
What does this mean? Since MiFID there have been notable differences: firstly, what might have historically been OK to outsource may no longer be permitted to go to a supplier. Secondly, if that supplier resides outside the EU, greater controls may be required. Finally, and perhaps most importantly, the firm must hold suppliers to account for new requirements like data protection, business continuity planning, data centre locations, record keeping and reporting.
Will MiFID II/MiFIR radically change the game? Probably not. The outsourcing requirements under MiFID look to remain unchanged. That means a MiFID-authorised firm may continue to outsource non-investment functions, provided it takes the same ‘reasonable steps’ to avoid undue operational risk and ensures its ability to monitor compliance is not inhibited. Given the continuity of these requirements, it seems unlikely that we will see any sudden change in enforcement practices.
However, the incoming technical standards could well give firms more to worry about when they are released next year. For the present, the existing standards place a number of heavy requirements on firms.
For a start, they forbid the outsourcing of management functions, or of any function whose outsourcing would affect regulatory compliance or client relationships. They also require that the third-party service provider be able to deliver a “professional” service, make full disclosure of its regulatory compliance and permit supervisory oversight, such as on-site visits, to be carried out. The Level 2 requirements also affect the contractual document itself, specifying that it must include SLAs and be terminable with minimal disruption to the service.
The big changes in 2013 are being driven by the European Parliament’s passage of EMIR, which extends many of the MiFID requirements to CCPs, and global adoption of Recovery and Resolution Plans. Both initiatives raise the level of scrutiny and responsibility for outsourced CCP functions. In a nutshell, outsourced functions must be run to the same standard as those run in-house.
Now is the time for firms to run an analysis of organisation-wide service provision. In doing this, financial institutions should take account of the EU’s definition of outsourcing: “an arrangement of any form between an authorised entity and a service provider by which that service provider performs a process, a service or an activity which would otherwise be undertaken by the investment firm itself”. With this in mind, firms should take a broad approach as to what counts as outsourcing, ignoring how relationships are currently classed and asking how they appear objectively.
For service providers engaged by both investment firms and CCPs, the picture gets more complicated. Faced with differing requirements, the issue becomes how to bridge the gaps between MiFID and EMIR in order to make compliance cost-effective. To resolve this, many firms will seek to find common standards. In most cases this will mean taking the greater requirements of MiFID and applying them to both critical and non-critical functions.
Regulatory eyes will continue to be increasingly vigilant about firms’ outsourcing arrangements. UBS’s £30 million fine last year confirms this, with the report from the Swiss regulator, FINMA, saying that the bank’s India-outsourced systems to track deferred settlement trades contributed to failings that resulted in a £1.4 billion loss.
Want to avoid being a target? Better contact your procurement department soon …