Regulators cracking down on outsourcers

perspective As more financial institutions look to outsource core parts of their operations to external suppliers, managing adherence to compliance is paramount, says industry watcher.

perspective Control over outsourcing is now high up on the agenda of regulators--and they are forcing the issue by cracking down on outsourcing arrangements driven by a number of powerful trends.

Firstly, outsourcers are taking on more of the core of firm's operations. Secondly, the number of data and control risk failures appears to be increasing as technology advances and firms handle increasingly sensitive data. For example, memory sticks can now hold vast amounts of sensitive data, yet can easily be lost or stolen.

In the United Kingdom the Financial Services Authority is clear that the ultimate responsibility for a control failure remains with the client not the outsourcer. Yet what is surprising is that many arrangements do not have the control processes in place to prevent failures such as data leakage.

Firms going down the outsource route could face a rude awakening if they do not have good controls in place with their critical suppliers.

All outsourcing companies need to stay on top of compliance issues and new regulations for the industries their clients operate in. This is especially important in the financial services industry where new regulations are constantly being created and updated.

The FSA has been handing out fines to outsourcing providers who are failing to adhere to IT security regulations. For instance, Liberata received a £525,000 (US$976,237.50) fine in April for failing to cope with the number of messages generated by its computer system. This error resulted in life and pension policy holders losing £17,584 (US$32,697.50) in their investments.

In December 2007 the FSA fined Norwich Union Life £1.26 million (US$2.3 million) for various shortcomings in information security and fraud prevention. This penalty broke the record fine imposed by the FSA on the Nationwide Building Society in February 2007 for information security breaches following theft of a laptop containing confidential information.

For the penalized firms, it's not just about fines. It's the damage to their reputations that has the greatest impact. In late August, sensitive information on criminals was lost by a Home Office contractor--and this weekend it has emerged data on 5,000 staff also has gone missing, resulting in embarrassment and front page headlines in both cases.

Along with the FSA, the Information Commissioner's office (ICO) is also coming down hard on outsourcers. The ICO has announced that Marks & Spencer has breached the information security requirements imposed by the Data Protection Act 1998. This followed the theft of a laptop with details on approximately 26,000 employees from a third party contractor. The ICO held M&S responsible for the failure to encrypt the laptop even though the theft was from the third party.

And the recent introduction of MiFID (Markets in Financial Instruments Directive) has also raised the bar, making it clear that client firms are not only ultimately responsible for the services delivered by their outsourcer, but are also responsible for ensuring on an ongoing basis they have the right people, processes and controls in place to provide effective management and monitoring of the supplier.

These high impact incidents seriously harm the reputation of the core firm, even when the root cause occurred within an associate, subsidiary, third party or outsourced provider.

There is a common misconception that outsourcing certain functions will result in a substantial reduction and transfer of risk from the client to the service provider. This view is a direct result of the faith and reliance that tends to be placed on detailed contracts, work orders, Service Level Agreements (SLA) and the general due diligence and care spent on deciding which service provider to engage with. Often, executives are blinded by the benefits of such an arrangement and hence pay less attention to ultimate risk exposure and risk management.

Many firms subject to the U.S. Sarbanes-Oxley regulations place comfort on the SAS70 audit provided to them by their service provider. However, it is not necessarily the case that having a SAS70 means a firm should sleep easy, as having such a report does not necessarily imply that your risks are mitigated.

Having said that, outsourcing arrangements are often better controlled than an in-house captive arrangement. What is often concerning is that some firms consider nearshore and captive offshore operations as being less risky than outsourcing. Yet for these operations, there is often no SLA, no detailed contract, no lawyers involved and no internal audit activity.

The role of regulators is increasing for those firms failing to check the IT controls of firms to which they outsource their operations. The implications of the recent cases of companies failing to comply with the FSA's strict IT security regulations should raise the level of concern for those firms going down the outsourcing route.

However, there are a number of ways firms can work with their suppliers to gain control over their risks. From the beginning they should work closely together to ensure they are able to meet all regulations and that their risk exposure is managed. This will be vital for those in the financial sector who are considering or have outsourced or offshored business or IT processes that are core to the operations. Firms should also go through this process if they have an in-house captive arrangement.

Companies with an appreciation of their enterprise risk are more likely to be able to manage this risk exposure and put in place appropriate controls enterprise-wide. Those with enterprise risk frameworks that cover their outsourcers--or captives--will also be better placed to avoid regulator crackdowns following a control failure.

Peter Fawcett is a director with outsourcing and shared services advisory firm Alsbridge.