Outsourcing: How can you comply with an obligation without performing the function?
In times like these, are you confident that your business will continue to comply with its obligations where it has outsourced its functions?
We explore strategies that your business can implement to ensure it complies with its obligations whilst outsourcing a function. These start from the pre-engagement phase and extend throughout the relationship.
Why is it important?
Outsourcing itself is not the problem. Even regulators outsource functions. ASIC’s Corporate Plan 2019-23 mentions this 4 times.[1]
If your business outsources functions that relate to its Australian Financial Services Licence (AFSL) your business remains responsible for complying with its obligations as a licensee.
Similarly, if you outsource any anti-money laundering and counter-terrorism financing (AML/CTF) functions, your business remains responsible for complying with its AML/CTF obligations.
If you’re APRA-regulated, there are prudential standards that you need to comply with when it comes to outsourcing (depending on which regulated industries you’re in).[2] Whilst some of our readers are not APRA-regulated, the prudential standards can provide a good benchmark in terms of good governance practices. Even if you’re not APRA-regulated, not having appropriate arrangements in place will increase the risk that you will be in breach of your regulatory obligations.
(Other legal regimes may also impose further obligations on you where you outsource key functions, for example privacy and derivative trade reporting regimes. This article focusses on the financial services and AML/CTF regimes.)
Expectations of regulators
Both ASIC and AUSTRAC have similar expectations on businesses.
In relation to your financial services obligations, ASIC expects that businesses:
- have measures in place to ensure due skill and care is taken in choosing suitable service providers
- can and will monitor the ongoing performance of service providers
- will appropriately deal with any actions by service providers that breach service level agreements or your obligations as a licensee.[3]
In relation to your AML/CTF obligations, AUSTRAC expects businesses to:
- consider the impact outsourcing will have on your ability to meet your obligations
- ensure the roles and responsibilities of each party are clearly documented in a contract
- proactively monitor and test AML/CTF systems and processes provided by the third party.[4]
As noted previously, APRA-regulated entities have specific obligations relating to outsourcing, including:
- maintaining a board-approved policy relating to outsourcing material business activities
- assessing options for outsourcing material business activities to a third party
- having sufficient monitoring and supervision in place to manage outsourcing material business activities
- having a legally binding agreement in place for outsourcing all material business activities with third parties
- consulting with APRA prior to entering into outsourcing agreements in relation to offshoring outsourcing material business activities
- notifying APRA after entering into agreements with Australian service providers for material business activities.[5]
Of course, if you’re an APRA-regulated entity, you will have already considered what a “material business activity” is. In summary, an activity is a “material business activity”, if the activity has the potential, if disrupted, to have a significant impact on matters including the regulated entity’s business operations or ability to manage risks effectively.[6]
Strategies when outsourcing a function
Pre-Engagement
Prior to outsourcing a particular function, you should clearly identify the scope of services to be outsourced and your relevant legal responsibilities. This enables you to consider the materiality of the function and risk-assess the arrangement. This determination will have a flow-on effect throughout the relationship. The higher the risk, the greater the due diligence that should be performed. For example, heightened due diligence should apply to:
- liquidity, platform and bridge providers for the CFDs sector
- bank and technology providers for the payments and money remittance sector
- template software and research providers for the personal advice sector
- transaction monitoring technology providers (for all sectors).
Sometimes, regulators expect extra due diligence at this stage. For example, ASIC’s Regulatory Guide 227 requires CFDs providers to publicly document factors they take into account when determining if hedging counterparties are of sufficient financial standing.[7]
Engagement
When engaging outsourced providers, the risk-assessment at the pre-engagement phase will determine the rigidity of the engagement process followed and the due diligence required to satisfy yourself that the outsourced provider will be able to perform the function on an ongoing basis. For example, if the outsourced service provider is an overseas entity, it may be more difficult to satisfy yourself that they will be able to provide the services in compliance with Australian laws on an ongoing basis.
Although all outsourcing arrangements must be documented in a legally binding agreement, the detail required within the agreement should vary depending on the materiality of the outsourced function and risk of the service provider. The agreement assists with risk management, controlling the risk of the relationship, setting out the scope of the services and the roles, responsibilities and expectations of each party throughout the relationship (including how the outsourced service provider will be monitored and supervised) and what will happen if things go wrong.
The specific risks of any particular relationship and circumstances should be considered before entering into an outsourcing arrangement. For example:
- AUSTRAC has commented that high levels of outsourcing of customer-facing AML/CTF processes and limited oversight or influence over the operations of third party service providers is a factor exposing the banking sector to financial crime[8]
- ASIC has recently commented that the trend towards outsourcing non-core functions to third party providers has created difficulties in the management of cybersecurity risks[9] and a higher incidence of cybersecurity breaches reported to ASIC during the COVID-19 outbreak.[10] So, cybersecurity is an important risk to consider and control.
Monitoring and supervision
When we conduct AFSL or AML/CTF reviews, we ask for evidence that the business has actively monitored and supervised the outsourced provider. Sometimes, we receive a blank look, or an agreement that doesn’t set out any detail of what is expected of the third party provider in terms of monitoring and assurance. This is a problem! Some legal regimes (such as the derivative trade reporting regime) include a safe harbour if you make regular enquiries that are reasonably designed to determine whether the third party is discharging its obligations under the terms of its appointment.[11]
To ensure your business has adequate controls in place to manage the risk of the outsourced provider and the outsourced function, you must have appropriate monitoring and supervision processes in place. These should be risk-based. Accordingly, the frequency and depth of due diligence required will depend on the materiality of the outsourced function and the risk-assessment of the outsourced provider. Monitoring and supervision should not just consider whether the terms of the agreement are currently being met, but also whether they can continue to be met in the future.
Oversight of the relationship
Appropriate governance arrangements are also essential.
For example, when it comes to AML/CTF, the board must approve your AML/CTF Program and the Program must be subject to ongoing oversight by the board and senior management.[12] If you do outsource any AML/CTF related functions, this should be captured in your AML/CTF Program, over which the board and senior management have oversight.
If you are an APRA-regulated entity, APRA has far more stringent requirements around governance of outsourcing arrangements and expects that the board:
- is ultimately responsible for outsourcing a material business activity
- approves the outsourcing policy
- ensures that outsourcing risks and controls are taken into account as part of the business’ risk management strategy.[13]
Senior management and the Board play an essential role throughout the entire relationship. They must be able to make timely and well-informed decisions in relation to the arrangement. To do so, they must:
- be involved in the materiality and risk-assessment
- approve the agreement before execution
- be provided with reports of monitoring and supervision
- be engaged, and question and challenge the reports with which they are provided.
Author: Alexa Bowditch (previously a Lawyer at Holley Nethercote)
[1] Pp 3, 38, 39, https://download.asic.gov.au/media/5248811/corporate-plan-2019-23-published-28-august-2019.pdf
[2] Prudential Standard CPS 231, Prudential Standard SPS 231 and Prudential Standard HPS 231.
[3] ASIC Regulatory Guide 104: Licensing: Meeting the general obligations, at paragraph 33.
[4] AUSTRAC Insights from Compliance Assessments Report, March 2017.
[5] Prudential Standard CPS 231, Prudential Standard SPS 231 and Prudential Standard HPS 231.
[6] For further details, see the relevant prudential standards (CPS 231, SPS 231 and HPS 231).
[7] ASIC Regulatory Guide 227: Over-the-counter contracts for difference: Improving disclosure for retail investors at paragraph 51.
[8] AUSTRAC Risk Assessment: Australia’s Mutual Banking Sector Report 2019, at 5.
[9] ASIC Report 651: Cyber resilience of firms in Australia’s financial markets: 2018-19 at 3.
[10] ASIC Markets Liaison meeting 5 March 2020.
[11] Rule 2.2.7 of ASIC Derivative Transaction Rules (Reporting) 2013 and ASIC Regulatory Guide 251: Derivative transaction reporting at paragraph 31.
[12] Rule 8.4.1 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2007 (Cth).
[13] APRA Prudential Standard CPS 231 at paragraphs 22 to 24. APRA Prudential Standard SPS 231 at paragraphs 13 to 15.