Well, not really. But I am sure you have heard regulatory concerns about the lack of appropriate controls around outsourcing in financial services. It is therefore not entirely surprising that the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2 million for failures in the controls associated with outsourcing (here). There are, however, a number of interesting points about this enforcement case that have broader lessons about the supervisory expectations associated with the use of outsourcing in financial services.
1. The regulatory expectations with respect to outsourcing within a group or to a third party outside the group are the same. I have heard this before but I was still expecting to see a recognition that there may be a difference. I could not really find an obvious distinction in the enforcement notice. This is particularly relevant in financial services where brands are typically a collection of companies, sometimes with a core staff serving a number of companies, in particular with respect to finance (and, in insurance, actuarial). This also has implications for risk functions which will also need to articulate how their oversight relates to the various companies.
2. The outsourcing arrangements are documented appropriately in a timely manner. While putting contracts in place within a group is probably understood to be a regulatory expectation, there are two important dimensions that this case highlights. The first of these is the importance of putting contracts in place at the outset and undertaking due diligence; bear in mind point 1 above. This also includes signing the contracts! Secondly, in the case of internal outsourcing involving a control function, it is important that the roles and responsibilities of the various parties are clearly defined. This can include determining the different roles of people and teams probably sitting near each other.
3. The legal form of the outsourcing provider does not matter. A JV form that effectively provides an outsourcing activity should also be treated as outsourcing.
4. The consequences of a lack or breakdown of controls matter a great deal. If the finance function is outsourced within the group, then a breakdown can have severe financial implications (e.g. unauthorised payments) and can include misreporting of the capital and liquidity position to the PRA.
Last but not least, the response when the issue is discovered remains crucial. In this case, it involved terminating certain outsourcing contracts and putting in place new ones, transferring finance teams to the relevant company and ensuring operational separation of the Bank from the rest of the group. In addition, the bank commissioned a firm of accountants to review the matter, undertook its own review of all outsourcing contracts and was subject to a skilled persons review by the PRA. As in other cases, the fine may not have been the largest cost to the bank.
If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. My target is to post on a regular basis but I will not be flooding your inbox.
This post is part of a series of posts on the practical lessons for risk management from enforcement cases. The posts are all brought together in the page Enforcement Cases of the blog.