Compliance and Outsourcing
International Association of Risk and Compliance Professionals (IARCP)
A. Banks and Outsourcing
Outsourcing and Basel II / Basel III
Outsourcing in Financial Services, from the Bank for International Settlements (BIS)
Financial services businesses throughout the world are increasingly using third parties to carry out activities that the businesses themselves would normally have undertaken. Industry research and surveys by regulators show financial firms outsourcing significant parts of their regulated and unregulated activities. These outsourcing arrangements are also becoming increasingly complex.

Outsourcing has the potential to transfer risk, management and compliance to third parties who may not be regulated, and who may operate offshore. In these situations, how can financial service businesses remain confident that they remain in charge of their own business and in control of their business risks? How do they know they are complying with their regulatory responsibilities? How can these businesses demonstrate that they are doing so when regulators ask?
To help answer these questions and to guide regulated businesses, the Joint Forum established a working group to develop high-level principles about outsourcing. In this paper, the key issues and risks are spelt out in more detail and principles are put forward that can serve as benchmarks. The principles apply across the banking, insurance and securities sectors, and the international committees involved in each sector may build on these principles to offer more specific and focused guidance.
Today outsourcing is increasingly used as a means of both reducing costs and achieving strategic aims. Its potential impact can be seen across many business activities, including information technology (e.g., applications development, programming, and coding), specific operations (e.g., some aspects of finance and accounting, back-office activities and processing, and administration), and contract functions (e.g., call centres).

Industry reports and regulatory surveys of industry practice indicate that financial firms are entering into arrangements in which other firms - related firms within a corporate group and third-party service providers - conduct significant parts of the enterprise's regulated and unregulated activities.
Activities and functions within an organisation are performed and delivered in diverse ways. An institution might split such functions as product manufacturing, marketing, back-office and distribution within the regulated entity. Where a regulated entity keeps such arrangements in-house, but operates some activities from various locations, this would not be classified as outsourcing. The entity would therefore be expected to provide for any risks posed by this in its regular risk management framework.

Increasingly more complex arrangements are developing whereby related entities perform some activities, while unrelated service providers perform others. In each case the service provider may or may not be a regulated entity. The Joint Forum principles are designed to apply whether or not the service provider is a regulated entity.
Outsourcing has been identified in various industry and regulatory reports as raising issues related to risk transfer and management, frequently on a cross-border basis, and industry and regulators acknowledge that this increased reliance on the outsourcing of activities may impact on the ability of regulated entities to manage their risks and monitor their compliance with regulatory requirements. Additionally, there is concern among regulators as to how outsourcing potentially could impede the ability of regulated entities to demonstrate to regulators (e.g., through examinations) that they are taking appropriate steps to manage their risks and comply with applicable regulations.

Among the specific concerns raised by outsourcing activities is the potential for over-reliance on outsourced activities that are critical to the ongoing viability of a regulated entity as well as its obligations to customers.
Regulated entities can mitigate these risks by taking steps (as discussed in the principles) to: draw up comprehensive and clear outsourcing policies, establish effective risk management programmes, require contingency planning by the outsourcing firm, negotiate appropriate outsourcing contracts, and analyse the financial and infrastructure resources of the service provider. Regulators can also mitigate concerns by ensuring that outsourcing is adequately considered in their assessments of individual firms whilst taking account of concentration risks in third-party providers when considering systemic risk issues.

Of particular interest to regulators is the preservation at the regulated entity of strong corporate governance. In this regard, outsourcing activities that may impede an outsourcing firm's management from fulfilling its regulatory responsibilities are of concern to regulators. The rapid rate of IT innovation, along with an increasing reliance on external service providers, has the potential of leading to systemic problems unless appropriately constrained by a combination of market and regulatory influences.

This paper attempts to spell out these concerns in more detail and develop a set of principles that gives guidance to firms, and to regulators, to help them better mitigate these concerns without hindering the efficiency and effectiveness of firms.
Guiding Principles – Overview
The Joint Forum has developed the following high-level principles. The first seven principles cover the responsibilities of regulated entities when they outsource their activities, and the last two principles cover regulatory roles and responsibilities. Here we present an overview of the principles.
I. A regulated entity seeking to outsource activities should have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced. The board of directors or equivalent body retains responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.

II. The regulated entity should establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the service provider.

III. The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by regulators.

IV. The regulated entity should conduct appropriate due diligence in selecting third-party service providers.

V. Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.

VI. The regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.

VII. The regulated entity should take appropriate steps to require that service providers protect confidential information of both the regulated entity and its clients from intentional or inadvertent disclosure to unauthorised persons.

VIII. Regulators should take into account outsourcing activities as an integral part of their ongoing assessment of the regulated entity. Regulators should assure themselves by appropriate means that any outsourcing arrangements do not hamper the ability of a regulated entity to meet its regulatory requirements.

IX. Regulators should be aware of the potential risks posed where the outsourced activities of multiple regulated entities are concentrated within a limited number of service providers.
Definition
Outsourcing is defined in this paper as a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future. Outsourcing can be the initial transfer of an activity (or a part of that activity) from a regulated entity to a third party or the further transfer of an activity (or a part thereof) from one third-party service provider to another, sometimes referred to as “subcontracting.” In some jurisdictions, the initial outsourcing is also referred to as subcontracting.

Firms should consider several factors as they apply these principles to activities that fall under the outsourcing definition. First, these principles should be applied according to the degree of materiality of the outsourced activity to the firm's business. Even where the activity is not material, the outsourcing entity should consider the appropriateness of applying the principles. Second, firms should consider any affiliation or other relationship between the outsourcing entity and the service provider. While it is necessary to apply the Outsourcing Principles to affiliated entities, it may be appropriate to adopt them with some modification to account for the potential for differing degrees of risk with respect to intra-group outsourcing. Third, the firm may consider whether the service provider is a regulated entity subject to independent supervision.

According to this definition, outsourcing would not cover purchasing contracts, although as with outsourcing, firms should ensure that what they are buying is appropriate for the intended purpose. Purchasing is defined, inter alia, as the acquisition from a vendor of services, goods or facilities without the transfer of the purchasing firm's non-public proprietary information pertaining to its customers or other information connected with its business activities.
B. Insurance and Outsourcing
Outsourcing and Solvency II
From the CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance
Article 38 - Supervision of outsourced functions and activities
1. Without prejudice to Article 49, Member States shall ensure that insurance and reinsurance undertakings which outsource a function or an insurance or reinsurance activity take the necessary steps to ensure that the following conditions are satisfied:
(a) the service provider must cooperate with the supervisory authorities of the insurance and reinsurance undertaking in connection with the outsourced function or activity;
(b) the insurance and reinsurance undertakings, their auditors and the supervisory authorities must have effective access to data related to the outsourced functions or activities;
(c) the supervisory authorities must have effective access to the business premises of the service provider and must be able to exercise those rights of access.
2. The Member State where the service provider is located shall permit the supervisory authorities of the insurance or reinsurance undertaking to carry out themselves, or through the intermediary of persons they appoint for that purpose, on-site inspections at the premises of the service provider. The supervisory authority of the insurance or reinsurance undertaking shall inform the appropriate authority of the Member State of the service provider prior to conducting the on-site inspection. In the case of a non-supervised entity the appropriate authority shall be the supervisory authority. The supervisory authorities of the Member State of the insurance or reinsurance undertaking may delegate such on-site inspections to the supervisory authorities of the Member State where the service provider is located.
Article 41 - General governance requirements
1. Member States shall require all insurance and reinsurance undertakings to have in place an effective system of governance which provides for sound and prudent management of the business. That system shall at least include an adequate transparent organisational structure with a clear allocation and appropriate segregation of responsibilities and an effective system for ensuring the transmission of information. It shall include compliance with the requirements laid down in Articles 42 to 49. The system of governance shall be subject to regular internal review.
2. The system of governance shall be proportionate to the nature, scale and complexity of the operations of the insurance or reinsurance undertaking.
3. Insurance and reinsurance undertakings shall have written policies in relation to at least risk management, internal control, internal audit and, where relevant, outsourcing. They shall ensure that those policies are implemented. Those written policies shall be reviewed at least annually. They shall be subject to prior approval by the administrative, management or supervisory body and be adapted in view of any significant change in the system or area concerned.
4. Insurance and reinsurance undertakings shall take reasonable steps to ensure continuity and regularity in the performance of their activities, including the development of contingency plans. To that end, the undertaking shall employ appropriate and proportionate systems, resources and procedures.
5. The supervisory authorities shall have appropriate means, methods and powers for verifying the system of governance of the insurance and reinsurance undertakings and for evaluating emerging risks identified by those undertakings which may affect their financial soundness. The Member States shall ensure that the supervisory authorities have the powers necessary to require that the system of governance be improved and strengthened to ensure compliance with the requirements set out in Articles 42 to 49.
Article 42 - Fit and proper requirements for persons who effectively run the undertaking or have other key functions
1. Insurance and reinsurance undertakings shall ensure that all persons who effectively run the undertaking or have other key functions at all times fulfil the following requirements:
(a) their professional qualifications, knowledge and experience are adequate to enable sound and prudent management (fit); and
(b) they are of good repute and integrity (proper).
2. Insurance and reinsurance undertakings shall notify the supervisory authority of any changes to the identity of the persons who effectively run the undertaking or are responsible for other key functions, along with all information needed to assess whether any new persons appointed to manage the undertaking are fit and proper.
3. Insurance and reinsurance undertakings shall notify their supervisory authority if any of the persons referred to in paragraphs 1 and 2 have been replaced because they no longer fulfil the requirements referred to in paragraph
Article 44 - Risk management
1. Insurance and reinsurance undertakings shall have in place an effective risk-management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks, at an individual and at an aggregated level, to which they are or could be exposed, and their interdependencies. That risk-management system shall be effective and well integrated into the organisational structure and in the decision-making processes of the insurance or reinsurance undertaking with proper consideration of the persons who effectively run the undertaking or have other key functions.
2. The risk-management system shall cover the risks to be included in the calculation of the Solvency Capital Requirement as set out in Article 101(4) as well as the risks which are not or not fully included in the calculation thereof. The risk-management system shall cover at least the following areas:
(a) underwriting and reserving;
(b) asset–liability management;
(c) investment, in particular derivatives and similar commitments;
(d) liquidity and concentration risk management;
(e) operational risk management;
(f) reinsurance and other risk-mitigation techniques.
The written policy on risk management referred to in Article 41(3) shall comprise policies relating to points (a) to (f) of the second subparagraph of this paragraph.
3. As regards investment risk, insurance and reinsurance undertakings shall demonstrate that they comply with Chapter VI, Section 6.
4. Insurance and reinsurance undertakings shall provide for a risk-management function which shall be structured in such a way as to facilitate the implementation of the risk-management system.
5. For insurance and reinsurance undertakings using a partial or full internal model approved in accordance with Articles 112 and 113 the risk-management function shall cover the following additional tasks:
(a) to design and implement the internal model;
(b) to test and validate the internal model;
(c) to document the internal model and any subsequent changes made to it;
(d) to analyse the performance of the internal model and to produce summary reports thereof;
(e) to inform the administrative, management or supervisory body about the performance of the internal model, suggesting areas needing improvement, and up-dating that body on the status of efforts to improve previously identified weaknesses.
Article 46 - Internal control
1. Insurance and reinsurance undertakings shall have in place an effective internal control system. That system shall at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a compliance function.
2. The compliance function shall include advising the administrative, management or supervisory body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive. It shall also include an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of compliance risk.
Article 47 - Internal audit
1. Insurance and reinsurance undertakings shall provide for an effective internal audit function. The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance.
2. The internal audit function shall be objective and independent from the operational functions.
3. Any findings and recommendations of the internal audit shall be reported to the administrative, management or supervisory body which shall determine what actions are to be taken with respect to each of the internal audit findings and recommendations and shall ensure that those actions are carried out.
Article 48 - Actuarial function
1. Insurance and reinsurance undertakings shall provide for an effective actuarial function to:
(a) coordinate the calculation of technical provisions;
(b) ensure the appropriateness of the methodologies and underlying models used as well as the assumptions made in the calculation of technical provisions;
(c) assess the sufficiency and quality of the data used in the calculation of technical provisions;
(d) compare best estimates against experience;
(e) inform the administrative, management or supervisory body of the reliability and adequacy of the calculation of technical provisions;
(f) oversee the calculation of technical provisions in the cases set out in Article 82;
(g) express an opinion on the overall underwriting policy;
(h) express an opinion on the adequacy of reinsurance arrangements; and
(i) contribute to the effective implementation of the risk-management system referred to in Article 44, in particular with respect to the risk modelling underlying the calculation of the capital requirements set out in Chapter VI, Sections 4 and 5, and to the assessment referred to in Article 45.
2. The actuarial function shall be carried out by persons who have knowledge of actuarial and financial mathematics, commensurate with the nature, scale and complexity of the risks inherent in the business of the insurance or reinsurance undertaking, and who are able to demonstrate their relevant experience with applicable professional and other standards.
Article 49 – Outsourcing
1. Member States shall ensure that insurance and reinsurance undertakings remain fully responsible for discharging all of their obligations under this Directive when they outsource functions or any insurance or reinsurance activities.
2. Outsourcing of critical or important operational functions or activities shall not be undertaken in such a way as to lead to any of the following:
(a) materially impairing the quality of the system of governance of the undertaking concerned;
(b) unduly increasing the operational risk;
(c) impairing the ability of the supervisory authorities to monitor the compliance of the undertaking with its obligations;
(d) undermining continuous and satisfactory service to policy holders.
3. Insurance and reinsurance undertakings shall, in a timely manner, notify the supervisory authorities prior to the outsourcing of critical or important functions or activities as well as of any subsequent material developments with respect to those functions or activities.
Article 50 - Implementing measures
1. The Commission shall adopt implementing measures to further specify the following:
(a) the elements of the systems referred to in Articles 41, 44, 46 and 47, and in particular the areas to be covered by the asset–liability management and investment policy, as referred to in Article 44(2), of insurance and reinsurance undertakings;
(b) the functions referred to in Articles 44 and 46 to 48;
(c) the requirements set out in Article 42 and the functions subject thereto;
(d) the conditions under which outsourcing, in particular to service providers located in third countries, may be performed.
2. Where necessary to ensure appropriate convergence of the assessment referred to in point (a) of Article 45(1), the Commission may adopt implementing measures to further specify the elements of that assessment.
Article 246 - Supervision of the system of governance
1. The requirements set out in Title I, Chapter IV, Section 2 shall apply mutatis mutandis at the level of the group. Without prejudice to the first subparagraph, the risk management and internal control systems and reporting procedures shall be implemented consistently in all the undertakings included in the scope of group supervision pursuant to points (a) and (b) of Article 213(2) so that those systems and reporting procedures can be controlled at the level of the group.
The new regulatory environment makes compliance and risk management more complicated and difficult, but also much more important. This is a once-in-a-lifetime opportunity. There is always one major risk: that firms and organizations do not comply with laws and regulations. It leads to significant impairment of reputation, value, earnings and business opportunities. An inadequate commitment to compliance and risk management leads to personal liability and potential litigation.

Now, more than ever, firms and organizations devote resources to ensuring their risk management systems are bulletproof. The damage is done by negative media attention, and only the strongest and best prepared entities will survive. Risk management is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction. Effective risk management depends on planning; early identification and analysis of risks; early implementation of corrective actions; continuous monitoring and reassessment; and communication, documentation, and coordination. It is really interesting to work in projects like that. Belonging to our risk management association will give you the necessary resources to be successful.
Visit our Risk and Compliance Management Speakers Bureau. The International Association of Risk and Compliance Professionals (IARCP) has established the Speakers Bureau for firms and organizations that want to access the expertise of Certified Risk and Compliance Management Professionals (CRCPMs) and Certified Information Systems Risk and Compliance Professionals (CISRCPs). The IARCP will be the liaison between our certified professionals and these organizations, at no cost. We strongly believe that this can be a great opportunity for both our certified professionals and the organizers.

To learn more:
www.risk-compliance-association.com/Risk_Management_Compliance_Speakers_Bureau.html
Membership to our risk management association is free. It indicates that you stay current and you are able to make informed decisions. At every stage of your career, our community provides training, certification programs, resources, updates, networking and services you can use. Investment in compliance and risk management will see returns. Join us.
Best Regards,
George Lekatis
President of the International Association of Risk and Compliance Professionals (IARCP)
General Manager, Compliance LLC
1200 G Street NW Suite 800
Washington DC 20005, USA
Tel: (202) 449-9750
Email: lekatis@risk-compliance-association.com
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804
Wilmington DE 19801, USA
Tel: (302) 342-8828