Compliance and Outsourcing
International Association of Risk and Compliance Professionals (IARCP)
 
A. Banks and Outsourcing
 
Outsourcing and Basel II / Basel III
Outsourcing in Financial Services, from the Bank for International Settlements (BIS)


Financial services businesses throughout the world are increasingly using third parties to carry out activities that the businesses themselves would normally have undertaken.
 
Industry research and surveys by regulators show financial firms outsourcing significant parts of their regulated and unregulated activities.
 
These outsourcing arrangements are also becoming increasingly complex.

Outsourcing has the potential to transfer risk, management and compliance to third parties who may not be regulated, and who may operate offshore.
 
In these situations, how can financial service businesses remain confident that they are still in charge of their own business and in control of their business risks?
 
How do they know they are complying with their regulatory responsibilities?
 
How can these businesses demonstrate that they are doing so when regulators ask?

To help answer these questions and to guide regulated businesses, the Joint Forum established a working group to develop high-level principles about outsourcing.
 
In this paper, the key issues and risks are spelt out in more detail and principles are put forward that can serve as benchmarks.
 
The principles apply across the banking, insurance and securities sectors, and the international committees involved in each sector may build on these principles to offer more specific and focused guidance.
 
Today outsourcing is increasingly used as a means of both reducing costs and achieving strategic aims.
 
Its potential impact can be seen across many business activities, including information technology (e.g., applications development, programming, and coding), specific operations (e.g., some aspects of finance and accounting, back-office activities and processing, and administration), and contract functions (e.g., call centres).
 
Industry reports and regulatory surveys of industry practice indicate that financial firms are entering into arrangements in which other firms - related firms within a corporate group and third-party service providers - conduct significant parts of the enterprise's regulated and unregulated activities.

Activities and functions within an organisation are performed and delivered in diverse ways.
 
An institution might split such functions as product manufacturing, marketing, back-office and distribution within the regulated entity.
 
Where a regulated entity keeps such arrangements in-house but operates some activities from various locations, this is not classified as outsourcing.
 
The entity would therefore be expected to provide for any risks posed by such an arrangement in its regular risk management framework.

Increasingly more complex arrangements are developing whereby related entities perform some activities, while unrelated service providers perform others. In each case the service provider may or may not be a regulated entity.
 
The Joint Forum principles are designed to apply whether or not the service provider is a regulated entity.

Outsourcing has been identified in various industry and regulatory reports as raising issues related to risk transfer and management, frequently on a cross-border basis. Industry and regulators acknowledge that this increased reliance on the outsourcing of activities may affect the ability of regulated entities to manage their risks and monitor their compliance with regulatory requirements.
 
Additionally, there is concern among regulators as to how outsourcing potentially could impede the ability of regulated entities to demonstrate to regulators (e.g., through examinations) that they are taking appropriate steps to manage their risks and comply with applicable regulations.

Among the specific concerns raised by outsourcing activities is the potential for over-reliance on outsourced activities that are critical to the ongoing viability of a regulated entity as well as its obligations to customers.

Regulated entities can mitigate these risks by taking steps (as discussed in the principles) to: draw up comprehensive and clear outsourcing policies, establish effective risk management programmes, require contingency planning by the outsourcing firm, negotiate appropriate outsourcing contracts, and analyse the financial and infrastructure resources of the service provider.

Regulators can also mitigate concerns by ensuring that outsourcing is adequately considered in their assessments of individual firms, whilst taking account of concentration risks in third-party providers when considering systemic risk issues.

Of particular interest to regulators is the preservation of strong corporate governance at the regulated entity. Outsourcing activities that may impede an outsourcing firm's management from fulfilling its regulatory responsibilities are therefore of concern to regulators.
 
The rapid rate of IT innovation, along with an increasing reliance on external service providers, has the potential to lead to systemic problems unless appropriately constrained by a combination of market and regulatory influences.

This paper attempts to spell out these concerns in more detail and develop a set of principles that gives guidance to firms, and to regulators, to help them better mitigate these concerns without hindering the efficiency and effectiveness of firms.

Guiding Principles – Overview

The Joint Forum has developed the following high-level principles.
 
The first seven principles cover the responsibilities of regulated entities when they outsource their activities, and the last two principles cover regulatory roles and responsibilities.
 
Here we present an overview of the principles.

I. A regulated entity seeking to outsource activities should have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately outsourced.
 
The board of directors or equivalent body retains responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.

II. The regulated entity should establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the service provider.

III. The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by regulators.

IV. The regulated entity should conduct appropriate due diligence in selecting third-party service providers.

V. Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.

VI. The regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.

VII. The regulated entity should take appropriate steps to require that service providers protect confidential information of both the regulated entity and its clients from intentional or inadvertent disclosure to unauthorised persons.

VIII. Regulators should take into account outsourcing activities as an integral part of their ongoing assessment of the regulated entity.

Regulators should assure themselves by appropriate means that any outsourcing arrangements do not hamper the ability of a regulated entity to meet its regulatory requirements.

IX. Regulators should be aware of the potential risks posed where the outsourced activities of multiple regulated entities are concentrated within a limited number of service providers.
 
Definition

Outsourcing is defined in this paper as a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future.

Outsourcing can be the initial transfer of an activity (or a part of that activity) from a regulated entity to a third party or the further transfer of an activity (or a part thereof) from one third-party service provider to another, sometimes referred to as "subcontracting."
 
In some jurisdictions, the initial outsourcing is also referred to as subcontracting.

Firms should consider several factors as they apply these principles to activities that fall under the outsourcing definition.
 
First, these principles should be applied according to the degree of materiality of the outsourced activity to the firm's business.
 
Even where the activity is not material, the outsourcing entity should consider the appropriateness of applying the principles.
 
Second, firms should consider any affiliation or other relationship between the outsourcing entity and the service provider.
 
While it is necessary to apply the Outsourcing Principles to affiliated entities, it may be appropriate to adopt them with some modification to account for the potential for differing degrees of risk with respect to intra-group outsourcing.
 
Third, the firm may consider whether the service provider is a regulated entity subject to independent supervision.

According to this definition, outsourcing would not cover purchasing contracts, although as with outsourcing, firms should ensure that what they are buying is appropriate for the intended purpose.
 
Purchasing is defined, inter alia, as the acquisition from a vendor of services, goods or facilities without the transfer of the purchasing firm's non-public proprietary information pertaining to its customers or other information connected with its business activities.
 

 
B. Insurance and Outsourcing
 
Outsourcing and Solvency II
 
From the CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance

Article 38 - Supervision of outsourced functions and activities

1. Without prejudice to Article 49, Member States shall ensure that insurance and reinsurance undertakings which outsource a function or an insurance or reinsurance activity take the necessary steps to ensure that the following conditions are satisfied:

(a) the service provider must cooperate with the supervisory authorities of the insurance and reinsurance undertaking in connection with the outsourced function or activity;

(b) the insurance and reinsurance undertakings, their auditors and the supervisory authorities must have effective access to data related to the outsourced functions or activities;

(c) the supervisory authorities must have effective access to the business premises of the service provider and must be able to exercise those rights of access.

2. The Member State where the service provider is located shall permit the supervisory authorities of the insurance or reinsurance undertaking to carry out themselves, or through the intermediary of persons they appoint for that purpose, on-site inspections at the premises of the service provider.
 
The supervisory authority of the insurance or reinsurance undertaking shall inform the appropriate authority of the Member State of the service provider prior to conducting the on-site inspection.
 
In the case of a non-supervised entity the appropriate authority shall be the supervisory authority.

The supervisory authorities of the Member State of the insurance or reinsurance undertaking may delegate such on-site inspections to the supervisory authorities of the Member State where the service provider is located.

Article 41 - General governance requirements

1. Member States shall require all insurance and reinsurance undertakings to have in place an effective system of governance which provides for sound and prudent management of the business.

That system shall at least include an adequate transparent organisational structure with a clear allocation and appropriate segregation of responsibilities and an effective system for ensuring the transmission of information.
 
It shall include compliance with the requirements laid down in Articles 42 to 49.

The system of governance shall be subject to regular internal review.

2. The system of governance shall be proportionate to the nature, scale and complexity of the operations of the insurance or reinsurance undertaking.

3. Insurance and reinsurance undertakings shall have written policies in relation to at least risk management, internal control, internal audit and, where relevant, outsourcing. They shall ensure that those policies are implemented.

Those written policies shall be reviewed at least annually.
 
They shall be subject to prior approval by the administrative, management or supervisory body and be adapted in view of any significant change in the system or area concerned.

4. Insurance and reinsurance undertakings shall take reasonable steps to ensure continuity and regularity in the performance of their activities, including the development of contingency plans.
 
To that end, the undertaking shall employ appropriate and proportionate systems, resources and procedures.

5. The supervisory authorities shall have appropriate means, methods and powers for verifying the system of governance of the insurance and reinsurance undertakings and for evaluating emerging risks identified by those undertakings which may affect their financial soundness.

The Member States shall ensure that the supervisory authorities have the powers necessary to require that the system of governance be improved and strengthened to ensure compliance with the requirements set out in Articles 42 to 49.

Article 42 - Fit and proper requirements for persons who effectively run the undertaking or have other key functions

1. Insurance and reinsurance undertakings shall ensure that all persons who effectively run the undertaking or have other key functions at all times fulfil the following requirements:

(a) their professional qualifications, knowledge and experience are adequate to enable sound and prudent management (fit); and (b) they are of good repute and integrity (proper).

2. Insurance and reinsurance undertakings shall notify the supervisory authority of any changes to the identity of the persons who effectively run the undertaking or are responsible for other key functions, along with all information needed to assess whether any new persons appointed to manage the undertaking are fit and proper.

3. Insurance and reinsurance undertakings shall notify their supervisory authority if any of the persons referred to in paragraphs 1 and 2 have been replaced because they no longer fulfil the requirements referred to in paragraph

Article 44 - Risk management

1. Insurance and reinsurance undertakings shall have in place an effective risk-management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis the risks, at an individual and at an aggregated level, to which they are or could be exposed, and their interdependencies.

That risk-management system shall be effective and well integrated into the organisational structure and in the decision-making processes of the insurance or reinsurance undertaking with proper consideration of the persons who effectively run the undertaking or have other key functions.

2. The risk-management system shall cover the risks to be included in the calculation of the Solvency Capital Requirement as set out in Article 101(4) as well as the risks which are not or not fully included in the calculation thereof.
 
The risk-management system shall cover at least the following areas:

(a) underwriting and reserving;

(b) asset–liability management;

(c) investment, in particular derivatives and similar commitments;

(d) liquidity and concentration risk management;
 
(e) operational risk management;
 
(f) reinsurance and other risk-mitigation techniques.

The written policy on risk management referred to in Article 41(3) shall comprise policies relating to points (a) to (f) of the second subparagraph of this paragraph.

3. As regards investment risk, insurance and reinsurance undertakings shall demonstrate that they comply with Chapter VI, Section 6.

4. Insurance and reinsurance undertakings shall provide for a risk-management function which shall be structured in such a way as to facilitate the implementation of the risk-management system.

5. For insurance and reinsurance undertakings using a partial or full internal model approved in accordance with Articles 112 and 113 the risk-management function shall cover the following additional tasks:

(a) to design and implement the internal model;

(b) to test and validate the internal model;

(c) to document the internal model and any subsequent changes made to it;

(d) to analyse the performance of the internal model and to produce summary reports thereof;

(e) to inform the administrative, management or supervisory body about the performance of the internal model, suggesting areas needing improvement, and updating that body on the status of efforts to improve previously identified weaknesses.

Article 46 - Internal control

1. Insurance and reinsurance undertakings shall have in place an effective internal control system.

That system shall at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a compliance function.

2. The compliance function shall include advising the administrative, management or supervisory body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive.
 
It shall also include an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of compliance risk.

Article 47 - Internal audit

1. Insurance and reinsurance undertakings shall provide for an effective internal audit function.

The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance.

2. The internal audit function shall be objective and independent from the operational functions.

3. Any findings and recommendations of the internal audit shall be reported to the administrative, management or supervisory body which shall determine what actions are to be taken with respect to each of the internal audit findings and recommendations and shall ensure that those actions are carried out.

Article 48 - Actuarial function

1. Insurance and reinsurance undertakings shall provide for an effective actuarial function to:

(a) coordinate the calculation of technical provisions;

(b) ensure the appropriateness of the methodologies and underlying models used as well as the assumptions made in the calculation of technical provisions;

(c) assess the sufficiency and quality of the data used in the calculation of technical provisions;

(d) compare best estimates against experience;

(e) inform the administrative, management or supervisory body of the reliability and adequacy of the calculation of technical provisions;

(f) oversee the calculation of technical provisions in the cases set out in Article 82;

(g) express an opinion on the overall underwriting policy;

(h) express an opinion on the adequacy of reinsurance arrangements; and

(i) contribute to the effective implementation of the risk-management system referred to in Article 44, in particular with respect to the risk modelling underlying the calculation of the capital requirements set out in Chapter VI, Sections 4 and 5, and to the assessment referred to in Article 45.

2. The actuarial function shall be carried out by persons who have knowledge of actuarial and financial mathematics, commensurate with the nature, scale and complexity of the risks inherent in the business of the insurance or reinsurance undertaking, and who are able to demonstrate their relevant experience with applicable professional and other standards.

Article 49 – Outsourcing

1. Member States shall ensure that insurance and reinsurance undertakings remain fully responsible for discharging all of their obligations under this Directive when they outsource functions or any insurance or reinsurance activities.

2. Outsourcing of critical or important operational functions or activities shall not be undertaken in such a way as to lead to any of the following:

(a) materially impairing the quality of the system of governance of the undertaking concerned;

(b) unduly increasing the operational risk;

(c) impairing the ability of the supervisory authorities to monitor the compliance of the undertaking with its obligations;

(d) undermining continuous and satisfactory service to policy holders.


3. Insurance and reinsurance undertakings shall, in a timely manner, notify the supervisory authorities prior to the outsourcing of critical or important functions or activities as well as of any subsequent material developments with respect to those functions or activities.

Article 50 - Implementing measures

1. The Commission shall adopt implementing measures to further specify the following:

(a) the elements of the systems referred to in Articles 41, 44, 46 and 47, and in particular the areas to be covered by the asset–liability management and investment policy, as referred to in Article 44(2), of insurance and reinsurance undertakings;

(b) the functions referred to in Articles 44 and 46 to 48;

(c) the requirements set out in Article 42 and the functions subject thereto;

(d) the conditions under which outsourcing, in particular to service providers located in third countries, may be performed.

2. Where necessary to ensure appropriate convergence of the assessment referred to in point (a) of Article 45(1), the Commission may adopt implementing measures to further specify the elements of that assessment.

Article 246 - Supervision of the system of governance

1. The requirements set out in Title I, Chapter IV, Section 2 shall apply mutatis mutandis at the level of the group.

Without prejudice to the first subparagraph, the risk management and internal control systems and reporting procedures shall be implemented consistently in all the undertakings included in the scope of group supervision pursuant to points (a) and (b) of Article 213(2) so that those systems and reporting procedures can be controlled at the level of the group.
 
 


The new regulatory environment makes compliance and risk management more complicated and difficult, but also much more important. This is a once in a lifetime opportunity.
 
There is always one major risk: that firms and organizations do not comply with laws and regulations. Non-compliance leads to significant impairment of reputation, value, earnings and business opportunities.
 
An inadequate commitment to compliance and risk management leads to personal liability and potential litigation.
 
Now, more than ever, firms and organizations devote resources to ensuring their risk management systems are bulletproof.
 
The damage is done by negative media attention, and only the strongest and best prepared entities will survive.
 
Risk management is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction.

Effective risk management depends on planning; early identification and analyses of risks; early implementation of corrective actions; continuous monitoring and reassessment; and communication, documentation, and coordination.
 
It is really interesting to work on projects like that. Belonging to our risk management association will give you the necessary resources to be successful.
 
Visit our Risk and Compliance Management Speakers Bureau. The International Association of Risk and Compliance Professionals (IARCP) has established the Speakers Bureau for firms and organizations that want to access the expertise of Certified Risk and Compliance Management Professionals (CRCMPs) and Certified Information Systems Risk and Compliance Professionals (CISRCPs).

The IARCP will be the liaison between our certified professionals and these organizations, at no cost. We strongly believe that this can be a great opportunity for both our certified professionals and the organizers.

To learn more:
www.risk-compliance-association.com/Risk_Management_Compliance_Speakers_Bureau.html
 
Membership in our risk management association is free. It indicates that you stay current and are able to make informed decisions.
 
At every stage of your career, our community provides training, certification programs, resources, updates, networking and services you can use. Investment in compliance and risk management will see returns.
 
Join us.


Best Regards, 
 
 
 
 George Lekatis
President of the International Association of Risk and Compliance Professionals (IARCP)
General Manager, Compliance LLC
1200 G Street NW Suite 800
Washington DC 20005, USA
Tel: (202) 449-9750
Email: lekatis@risk-compliance-association.com
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804
Wilmington DE 19801, USA
Tel: (302) 342-8828
 

 
 
Every Monday
Top 10 risk and compliance management related news stories and world events

 
Do you want to receive every Monday the Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next?
 
You may submit the form that follows. We meet strict national and international privacy standards. You can unsubscribe at any time.
 
 
 

Receive the New Member Orientation Newsletters
You will have the opportunity to learn what members registered before you have already learned. Understand better risk and compliance management, projects, careers, challenges and opportunities.
 
 

Free E-book for all Members: 100 Job Descriptions in Risk and Compliance Management (190 pages, Jan. 2010)
www.risk-compliance-association.com/100_Job_Descriptions_in_Risk_and_Compliance_Management.htm
 
Certified Risk and Compliance Management Professional (CRCMP)
www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

Certified Information Systems Risk and Compliance Professional (CISRCP)
www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm

Privacy and Compliance with the Federal Trade Commission Fair, the California Online Privacy Protection Act, the Children's Online Privacy Protection Act, the Privacy Alliance, the Controlling the Assault of Non-Solicited Pornography and Marketing Act
www.risk-compliance-association.com/Privacy.htm
 