OPINION
2020 Jan/07
Financial Investment Services Firms’ Management of Outsourcing: Overseas Cases
Jan. 07, 2020
PDF
Cho, Sung Hoon
- Summary
- Rapid technological advances and other changes in the business environment have made business outsourcing become increasingly important in financial investment services firms’ management strategies, and also has brought about a shift the way outsourcing is regulated. Against the backdrop, the Financial Services Commission unveiled its reform plan to shift Korea’s regulation on financial investment services firms’ outsourcing from a rule-based towards a principle-based one. Already, financial regulators and supervisors in other jurisdictions such as the US, the EU, the UK, and Singapore have drafted guidelines on how financial services firms should manage outsourcing. Those guidelines set forth details on outsourcing-related risks, roles and responsibilities of the board and top management for outsourcing management, the risk management process for outsourcing, etc.
The shift towards a principle-based regulation means higher autonomy in individual financial investment services firms in their outsourcing decision making, but at the same time higher responsibility for managing outsourcing. Accordingly, individual financial investment services firms should devise their own outsourcing management rules and processes. Regulatory and supervisory authorities as well as Korea Financial Investment Association should provide support in this area by formulating industry-wide common guidelines for managing outsourcing.
In May 2019, the Financial Services Commission unveiled its plans to shift the regulation on financial investment services firms’ outsourcing from the current rule-based regulation towards a principle-based approach.1) The regulation on financial investment services firms’ outsourcing was first introduced as part of the 2007 Financial Investment Services and Capital Markets Act (FSCMA, hereinafter), primarily purposed to prevent any adverse impact of outsourcing on investor protection and prudential criteria of a financial investment services firm. However, the rule-based approach that elaborates every detail has exposed many problems. Under rapid changes in the business environment such as Fintech, the rule-based approach is known to deter innovation and attempts to improve efficiency via outsourcing. This is the rationale behind the regulatory revision proposed recently.
The shift towards a principle-based regulation means the regulation giving only the basic principle with leaving all the details in the hands of individual financial investment services firms. This increases their autonomy, and at the same time, accountability. In particular, individual firms will be imposed with burden to devise their own internal guidance or guidelines on outsourcing to prevent any outsourcing from endangering investor protection or prudential criteria.
Under the circumstances, this article explores how financial services firms in other countries use outsourcing, and what guidelines regulators and supervisors in developed countries present to manage risks associated with financial services firms’ outsourcing.2) This could provide useful reference for Korean financial investment services firms to come up with their own outsourcing strategies and internal outsourcing guidelines.
Outsourcing of overseas financial services firms3)
According to the surveys on overseas financial services firms’ outsourcing practices, infrastructure and post-trade processing are the mostly outsourced areas. Among those, infrastructure including IT and data management are outsourced mostly, followed by post-trade processing that includes reconciliation, settlement, approval, etc. As post-trade processing has been highly commoditized, service differentiation in this area is becoming less important. By outsourcing those areas, financial services firms can save costs and focus on their core strategies. Middle-office tasks, such as accounting, compliance, etc. are increasingly outsourced, but not as actively as the two areas mentioned above. Most financial services firms recognize front-office activities as their core tasks, and those activities are barely outsourced.
Cost savings were mentioned most frequently as the key driver for outsourcing decisions, followed by mitigating investments, focusing on core strategies, flexibility for regulatory changes, better access to certain knowledge, scalability, service improvements, etc. Other than those, financial services firms surveyed also cite the quality of services, loss of control over outsourced services or operations, lack of internal development in outsourced services and operations, etc.
Regarding the key factors to choose a third-party service supplier, financial services firms surveyed mention the quality of services and solutions, prices (outsourcing costs), a third-party supplier’s reputation and track records, long-term viability, etc.
Outsourcing guidelines by overseas regulators and supervisors
This article provides a concise overview of what is commonly found among outsourcing guidance or guidelines for financial services firms by regulators and supervisors in the US, the EU, the UK, and Singapore.4) Those jurisdictions do not explicitly provide any statutory regulation on financial services firms’ outsourcing. Instead, regulators and supervisors have established guidance or guidelines to help financial services firms properly manage the risks associated with outsourcing.
They point to the following risks that could arise from outsourcing. First, a strategic risk arises either when the outsourcing decision of a financial services firm is not aligned with the firm’s strategic objectives, or when it outsources its innate or core functions. Second, a reputation risk refers to the case in which a financial services firms loses its reputation due to, e.g., customer complaints triggered by the low service quality by a third-party supplier; a security breach such as a leak of customer information; or non-compliance with laws and regulations. Third, an operational risk means the risk arising from a third-party supplier’s inappropriate internal process or system, external events, human errors, etc. Fourth, a transactional risk refers to the case in which a third-party supplier’s outsourcing services fail to meet the expectations of financial services firms due to insufficient infrastructure, low technological power, human errors, etc. Fifth, a credit risk arises when a third-party supplier fails to meet contract terms and conditions, or cannot achieve the pre-specified financial performance. Lastly, a compliance risk happens when a third-party supplier breaches relevant laws and regulations or fails to comply with internal policies, procedures, and standards.
The guidance and guidelines in common underscore the role and responsibility of the board and top management in their decision making and management with regard to outsourcing. Outsourcing is a strategic decision that is closely linked to a financial services firm’s long-term competitiveness, and the board of directors and top management are held accountable for grasping and controlling the risks associated with the approval, execution, and management of outsourcing. It’s recommended that the board approve the outsourcing plan and top management execute, manage and regularly report the development to the board.
Regulators and supervisors present the process of managing outsourcing risks, which makes up the core part of the outsourcing management guidance. The first step of the process is to assess the risks inherent in operations to be outsourced. This includes whether the outsourcing is aligned with the firm’s business strategy; the cost-benefit analysis; the internal assessment on capability and expertise required for managing a third-party outsourcing supplier, etc. The next step is thorough due diligence on potential candidates for third-party suppliers, according to which the supplier is finally selected.
After the selection, the financial services firm establishes an outsourcing contract with the selected third-party supplier. Because the structure and content of the contract is critically important, the guidance and guidelines come forth with concrete details that should be included in the contract. Also, the outsourcing contract must be made and established in a written form including the followings: 1) the outsourced function and the scope; 2) costs including payments to the third-party supplier; 3) oversight and auditing of the third-party supplier; 4) performance standards for evaluation and monitoring; 5) security-related matters such as information and data confidentiality; 6) ownership and license issues related to the product from outsourcing; 7) liability and compensation for damages from the third-party supplier’s negligence; 8) termination of the contract and other measures in the case of non-compliance with the contract; 9) the conflict resolution process between the financial services firm and the third-party supplier; 10) how to handle customer complaints; 11) contingency plans for the outsourced task or function in the case of emergency; and 12) matters related to subcontracting.
It’s important to design the contract structure in a detailed manner because once a contract is established for outsourcing, the risks are managed according to the contract.
Implications
Rapid technological advances often dubbed as the Fourth Industrial Revolution have gravely affected the financial industry and brought about groundbreaking changes in the financial industry value chain via which financial services or products are produced and provided. With unbundling and rebundling in the financial industry value chain in progress, the market observes the emergence of new technology firms specialized in specific functions that never existed before. Under the circumstances, it’s not impossible for financial services firms to remain status quo, integrating all value chain processes internally to provide services. However, outsourcing a specific function or service is likely to enhance efficiency, which increases the importance of outsourcing. Furthermore, the changes in the financial industry value chain means that the current regulation based on traditional divisions of business reached its limit. It’s highly likely that the market observes the emergence of new functions that cannot be categorized into traditional divisions of business. Such changes in the business environment seem to have been reflected in the May 2019 FSC plans for shifting towards a principle-based regulation from the incumbent rule-based outsourcing regulation. Such a regulatory direction gives individual financial investment services firms not only higher autonomy in outsourcing decisions, but also larger accountability for managing outsourcing. Accordingly, individual financial investment services firms should come up with their own outsourcing management rules and processes. Regulatory and supervisory authorities as well as Korea Financial Investment Association should provide support in this area by formulating industry-wide common guidelines for managing outsourcing.
1) FSC, May 27, 2019, FSC to ease restrictions on information sharing in financial investment business, Press Release.
2) Because overseas cases cover all financial services firms including financial investment services firms, I adopt the term ‘financial investment services firm’ for Korean firms, and the ‘financial services firm’ for overseas firms.
3) Overseas cases are from the following sources:
BNP Paribas, Oliver Wyman, 2017, Post-trade processing: Investment banks rethink third-party strategies.
McCahery, J.A., De Roode, F.A., 2018, Governance of financial services outsourcing: Managing misconduct and third-party risks, ECGI working paper series in law No. 417/2018.
4) Sources for this article are the following regulations, instructions, and guidelines provided by regulators and supervisors:
(US) FDIC, 2008, Guidance for managing third-party risk; Federal Financial Institutions Examination Council (FFIEC), 2004, Outsourcing technology services; FRB, 2013, Guidance on managing outsourcing risk; Office of the Comptroller of the Currency (OCC), 2013, Third-party relationships: Risk management guidance.
(EU) EBA, 2019, Final report on EBA guidance on outsourcing arrangements; BIS, 2005, Outsourcing in financial services.
(UK) FCA, 2018, FG 16/5 guidance for firms outsourcing to the cloud and other third-party IT services; FCA, 2019, Outsourcing, Chapter 8 of Senior arrangements, systems and controls.
(Singapore) MAS, 2016, Guidelines on outsourcing.
The shift towards a principle-based regulation means the regulation giving only the basic principle with leaving all the details in the hands of individual financial investment services firms. This increases their autonomy, and at the same time, accountability. In particular, individual firms will be imposed with burden to devise their own internal guidance or guidelines on outsourcing to prevent any outsourcing from endangering investor protection or prudential criteria.
Under the circumstances, this article explores how financial services firms in other countries use outsourcing, and what guidelines regulators and supervisors in developed countries present to manage risks associated with financial services firms’ outsourcing.2) This could provide useful reference for Korean financial investment services firms to come up with their own outsourcing strategies and internal outsourcing guidelines.
Outsourcing of overseas financial services firms3)
According to the surveys on overseas financial services firms’ outsourcing practices, infrastructure and post-trade processing are the mostly outsourced areas. Among those, infrastructure including IT and data management are outsourced mostly, followed by post-trade processing that includes reconciliation, settlement, approval, etc. As post-trade processing has been highly commoditized, service differentiation in this area is becoming less important. By outsourcing those areas, financial services firms can save costs and focus on their core strategies. Middle-office tasks, such as accounting, compliance, etc. are increasingly outsourced, but not as actively as the two areas mentioned above. Most financial services firms recognize front-office activities as their core tasks, and those activities are barely outsourced.
Cost savings were mentioned most frequently as the key driver for outsourcing decisions, followed by mitigating investments, focusing on core strategies, flexibility for regulatory changes, better access to certain knowledge, scalability, service improvements, etc. Other than those, financial services firms surveyed also cite the quality of services, loss of control over outsourced services or operations, lack of internal development in outsourced services and operations, etc.
Regarding the key factors to choose a third-party service supplier, financial services firms surveyed mention the quality of services and solutions, prices (outsourcing costs), a third-party supplier’s reputation and track records, long-term viability, etc.
Outsourcing guidelines by overseas regulators and supervisors
This article provides a concise overview of what is commonly found among outsourcing guidance or guidelines for financial services firms by regulators and supervisors in the US, the EU, the UK, and Singapore.4) Those jurisdictions do not explicitly provide any statutory regulation on financial services firms’ outsourcing. Instead, regulators and supervisors have established guidance or guidelines to help financial services firms properly manage the risks associated with outsourcing.
They point to the following risks that could arise from outsourcing. First, a strategic risk arises either when the outsourcing decision of a financial services firm is not aligned with the firm’s strategic objectives, or when it outsources its innate or core functions. Second, a reputation risk refers to the case in which a financial services firms loses its reputation due to, e.g., customer complaints triggered by the low service quality by a third-party supplier; a security breach such as a leak of customer information; or non-compliance with laws and regulations. Third, an operational risk means the risk arising from a third-party supplier’s inappropriate internal process or system, external events, human errors, etc. Fourth, a transactional risk refers to the case in which a third-party supplier’s outsourcing services fail to meet the expectations of financial services firms due to insufficient infrastructure, low technological power, human errors, etc. Fifth, a credit risk arises when a third-party supplier fails to meet contract terms and conditions, or cannot achieve the pre-specified financial performance. Lastly, a compliance risk happens when a third-party supplier breaches relevant laws and regulations or fails to comply with internal policies, procedures, and standards.
The guidance and guidelines in common underscore the role and responsibility of the board and top management in their decision making and management with regard to outsourcing. Outsourcing is a strategic decision that is closely linked to a financial services firm’s long-term competitiveness, and the board of directors and top management are held accountable for grasping and controlling the risks associated with the approval, execution, and management of outsourcing. It’s recommended that the board approve the outsourcing plan and top management execute, manage and regularly report the development to the board.
Regulators and supervisors present the process of managing outsourcing risks, which makes up the core part of the outsourcing management guidance. The first step of the process is to assess the risks inherent in operations to be outsourced. This includes whether the outsourcing is aligned with the firm’s business strategy; the cost-benefit analysis; the internal assessment on capability and expertise required for managing a third-party outsourcing supplier, etc. The next step is thorough due diligence on potential candidates for third-party suppliers, according to which the supplier is finally selected.
After the selection, the financial services firm establishes an outsourcing contract with the selected third-party supplier. Because the structure and content of the contract is critically important, the guidance and guidelines come forth with concrete details that should be included in the contract. Also, the outsourcing contract must be made and established in a written form including the followings: 1) the outsourced function and the scope; 2) costs including payments to the third-party supplier; 3) oversight and auditing of the third-party supplier; 4) performance standards for evaluation and monitoring; 5) security-related matters such as information and data confidentiality; 6) ownership and license issues related to the product from outsourcing; 7) liability and compensation for damages from the third-party supplier’s negligence; 8) termination of the contract and other measures in the case of non-compliance with the contract; 9) the conflict resolution process between the financial services firm and the third-party supplier; 10) how to handle customer complaints; 11) contingency plans for the outsourced task or function in the case of emergency; and 12) matters related to subcontracting.
It’s important to design the contract structure in a detailed manner because once a contract is established for outsourcing, the risks are managed according to the contract.
Implications
Rapid technological advances often dubbed as the Fourth Industrial Revolution have gravely affected the financial industry and brought about groundbreaking changes in the financial industry value chain via which financial services or products are produced and provided. With unbundling and rebundling in the financial industry value chain in progress, the market observes the emergence of new technology firms specialized in specific functions that never existed before. Under the circumstances, it’s not impossible for financial services firms to remain status quo, integrating all value chain processes internally to provide services. However, outsourcing a specific function or service is likely to enhance efficiency, which increases the importance of outsourcing. Furthermore, the changes in the financial industry value chain means that the current regulation based on traditional divisions of business reached its limit. It’s highly likely that the market observes the emergence of new functions that cannot be categorized into traditional divisions of business. Such changes in the business environment seem to have been reflected in the May 2019 FSC plans for shifting towards a principle-based regulation from the incumbent rule-based outsourcing regulation. Such a regulatory direction gives individual financial investment services firms not only higher autonomy in outsourcing decisions, but also larger accountability for managing outsourcing. Accordingly, individual financial investment services firms should come up with their own outsourcing management rules and processes. Regulatory and supervisory authorities as well as Korea Financial Investment Association should provide support in this area by formulating industry-wide common guidelines for managing outsourcing.
1) FSC, May 27, 2019, FSC to ease restrictions on information sharing in financial investment business, Press Release.
2) Because overseas cases cover all financial services firms including financial investment services firms, I adopt the term ‘financial investment services firm’ for Korean firms, and the ‘financial services firm’ for overseas firms.
3) Overseas cases are from the following sources:
BNP Paribas, Oliver Wyman, 2017, Post-trade processing: Investment banks rethink third-party strategies.
McCahery, J.A., De Roode, F.A., 2018, Governance of financial services outsourcing: Managing misconduct and third-party risks, ECGI working paper series in law No. 417/2018.
4) Sources for this article are the following regulations, instructions, and guidelines provided by regulators and supervisors:
(US) FDIC, 2008, Guidance for managing third-party risk; Federal Financial Institutions Examination Council (FFIEC), 2004, Outsourcing technology services; FRB, 2013, Guidance on managing outsourcing risk; Office of the Comptroller of the Currency (OCC), 2013, Third-party relationships: Risk management guidance.
(EU) EBA, 2019, Final report on EBA guidance on outsourcing arrangements; BIS, 2005, Outsourcing in financial services.
(UK) FCA, 2018, FG 16/5 guidance for firms outsourcing to the cloud and other third-party IT services; FCA, 2019, Outsourcing, Chapter 8 of Senior arrangements, systems and controls.
(Singapore) MAS, 2016, Guidelines on outsourcing.