It’s a familiar tale: A company decides that it can improve efficiency and reduce expenses by outsourcing certain processes, such as customer email and phone response. Pushing out some fundamental, repetitive tasks to a call center is seen as a way to enable employees to focus on selling, not servicing, thus opening the door to potential revenue gains. But a few months into the arrangement, a Securities and Exchange Commission (SEC) examiner calls the firm’s Chief Compliance Officer with an awkward inquiry. Why are customer complaints suddenly spiking?
The unfortunate fact is that many firms won’t be able to answer this question, because they have outsourced important functions to a third-party vendor without putting sufficient controls and oversight in place. Perhaps the vendor has been dismissive of customers and hasn’t dealt properly with complaints. Perhaps they have not implemented key controls, such as monitoring customer calls. Whatever the reasons are, an investment advisory firm has to have robust oversight to find out about them. The result of not knowing the answer is that an investment advisory firm may find itself in the spotlight, being called upon to answer to both customers and the SEC for oversight lapses.
Failure to oversee third-party service providers is one of the quickest ways a firm can damage its reputation and attract increased regulatory scrutiny. Underestimating what it takes to assess and manage risk can prove costly. For example, the SEC in 2016 fined 13 advisory firms a total of $2.2 million for negligently disseminating performance information provided by a third-party product sponsor without verifying it. In banking, the fines can and have run into hundreds of millions of dollars.
The SEC and other regulators are united in the view that outsourcing arrangements do not relieve firms of their ultimate responsibility for compliance with all applicable laws and regulations. It’s a cornerstone principle of regulation that firms can outsource functions, but they can never outsource risk. In fact, reputation and regulatory risk increase with outsourcing, even with a robust oversight process.
There is currently limited specific SEC regulatory guidance and requirements applicable to investment advisers on managing third-party risk. The exception is guidance implemented between 2015 and 2017 that details what is and isn’t acceptable for firms that choose to outsource the Chief Compliance Officer function. In the absence of more specific guidance, firms should have in place appropriate risk-based policies and procedures to ensure their third-party risks are prudently mitigated. And it’s worth noting that some valuable insights into regulatory thinking do exist in banking regulation. The Office of the Comptroller of the Currency’s guidance on third-party relationships – issued in 2013 and updated in 2017 – can help investment advisers understand where the regulatory baseline might be drawn.
There is, of course, nothing wrong with outsourcing. Especially for growing firms, outsourcing can be an inexpensive way to add resources, obtain immediate support, and distribute workloads. However, outsourcing can be fraught with risks, especially when there is no risk management program in place for overseeing it.
Risk assessments are critical. Neither business leaders nor compliance officials can know or understand risk without conducting a risk assessment. Some outsourced processes may pose minimal risk; others may pose a high degree of risk, making it incumbent on the firm to conduct due diligence on the vendor and periodically “kick the tires” by conducting reviews or even full audits.
Outsourcing risk is not a risk that only resides with non-affiliate third parties. It may reside with affiliates, too. Service-level agreements between affiliates are an essential part of affiliate outsourcing. The same control processes for third-party outsourcing should, where appropriate, be applied to affiliate outsourcing.
Both affiliated and non-affiliated vendors may pose nearly identical risks, and failure to recognize this may lead to control breakdowns. It’s important for Chief Compliance Officers not to let their guard down when it comes to internal, inter-affiliate servicing. For example, in large institutions with multiple geographic footprints, an internal servicing affiliate may be so far removed from the business of a firm that hiring it is no different than going to a third party.
Investment advisers may want to look at bank regulatory guidance on third-party risk management to gain insight into best practices in managing risk. For example, the Federal Reserve’s 2013 Guidance on Managing Outsourcing Risk states, in part, the following:
The use of service providers to perform operational functions presents various risks to financial institutions. Some risks are inherent to the outsourced activity itself, whereas others are introduced with the involvement of a service provider. If not managed effectively, the use of service providers may expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation. Financial institutions should consider the following risks before entering into and while managing outsourcing arrangements:
- Compliance risks arise when the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.
- Concentration risks arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
- Reputational risks arise when actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution.
- Country risks arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events from the country where the provider is located.
- Operational risks arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems or from external events and human error.
- Legal risks arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.
An outsourcing risk management program is a necessity to manage outsourcing risk. The program begins with a documented policy and procedure that at a minimum contains the following:
- Requirement to maintain an inventory of vendors and contracts, including services provided.
- Contractor due diligence, including a risk assessment covering third-party risk. Third parties should be risk-rated to drive scope and cycles for review.
- Monitoring and investigating complaints (internal and external). This is a critical attribute of every third-party oversight program. Metrics about complaints should be routinely provided to the firm.
- Other monitoring, as appropriate, including regulatory actions against the third-party provider; periodic negative list reviews; social media reviews; and internal ethics line reports.
- Contracts that require service levels; compliance with laws, rules and regulations; and access to records for monitoring, compliance review and audit purposes, including the subject’s right to audit. Additionally, it should be clarified that third-party contractors may not subcontract their work to other vendors, and that data, client information, and intellectual property will be protected. Contingency plans for relationship termination should be spelled out in the agreement.
The first step to managing outsourcing risk is to know and understand it. The next step is to establish an effective risk management program built on compliance and risk-management expertise. When it comes to third-party relationships, it is vital for firms to put policies, procedures, and disclosures in place to adequately address their risks. Managing outsourcing risk need not be difficult, but it must be diligent; conducting regular risk assessments and adopting a third-party risk management program are the keys to ensuring that risks are appropriately mitigated.