Well, not really. But
I am sure you have heard regulatory concerns about the lack of appropriate
controls around outsourcing in financial services. It is therefore not entirely surprising that
the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2
million for failures in the controls associated with outsourcing (here). There are, however, a number of interesting
points about this enforcement case that have broader lessons about the
supervisory expectations associated with the use of outsourcing in financial
services.
1. The regulatory expectations with respect to
outsourcing within a group or to a third party outside the group are the same. I have heard this before but I was still
expecting to see a recognition that there may be a difference. I could not really find an obvious
distinction in the enforcement notice.
This is particularly relevant in financial services where brands are
typically a collection of companies, sometimes with a core staff serving a
number of companies, in particular with respect to finance (and, in insurance,
actuarial). This also has implications
for risk functions which will also need to articulate how their oversight
relates to the various companies.
2. The outsourcing arrangements are documented
appropriately in a timely manner. While
putting contracts in place within a group is probably understood to be a
regulatory expectation, there are two important dimensions that this case
highlights. The first of these is the
importance of putting contracts in place at the outset and undertaking due
diligence; bear in mind point 1 above.
This also includes signing the contracts! Secondly, in the case of internal outsourcing
involving a control function, it is important that the roles and
responsibilities of the various parties are clearly defined. This can include determining the different
roles of people and teams who are probably sitting near each other.
3. The legal form of the outsourcing provider
does not matter. A JV form that
effectively provides an outsourcing activity should also be treated as
outsourcing.
4. The consequences of a lack or breakdown of
controls matter a great deal. If the
finance function is outsourced within the group, then a breakdown can have
severe financial implications (e.g. unauthorised payments) and can include
misreporting of the capital and liquidity position to the PRA.
Last but not least, the response when the issue is
discovered remains crucial. In this
case, it involved terminating certain outsourcing contracts and putting in
place new ones, transferring finance teams to the relevant company and ensuring
operational separation of the Bank from the rest of the group. In addition, the bank commissioned a firm of
accountants to review the matter, undertook its own review of all outsourcing
contracts and was subject to a skilled persons review by the PRA. As in other cases, the fine may not have been
the largest cost to the bank.
This post is part of a series of posts on the practical lessons for
risk management from enforcement cases. The posts are all brought
together in the page Enforcement Cases of the
blog.