Guidance on Managing Outsourcing Risk

After completing this reading, you should be able to:

  • Explain how risks can arise through outsourcing activities to third-party service providers and describe elements of an effective program to manage outsourcing risk.
  • Explain how financial institutions should perform due diligence on third-party service providers.
  • Describe topics and provisions that should be addressed in a contract with a third-party service provider.

What is Outsourcing?

Outsourcing is the practice of hiring a third party to provide services or produce goods that would otherwise be handled in-house by the institution’s own employees and staff.

Some of the operations commonly outsourced include:

  • Printing and mailing.
  • Data and network services.
  • Recruitment of employees.
  • Digital marketing and management of an institution’s social media space.
  • Security operations.

Why Outsource?

Some of the reasons include the need to:

  • Cut labor, overhead, and equipment costs.
  • Focus in-house resources on the core aspects of the business by shifting operations not considered critical to outside organizations.
  • Handle increased demand for services during peak business periods (scalability).
  • Take advantage of third-party expertise.

On the downside, the use of service providers to perform operational functions comes with a range of risks. Some of these risks are inherent to the outsourced activity itself, but others come up due to the involvement of a service provider. The use of service providers may expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation. As such, it is imperative that all outsourced services are closely managed and monitored.

Risks Considered before Entering and while Managing Outsourcing Arrangements

Compliance risks: Arise when a service provider’s products or activities fail to comply with applicable US laws and regulations.

Concentration risks: Arise when the outsourced service or product is provided by a limited number of service providers or is concentrated in limited geographic locations.

Reputational risks: Arise when a service provider conducts itself in a manner that causes the public to form a negative opinion of the financial institution.

Country risks: Engaging a service provider based in a foreign country exposes an institution to possible economic, social, and political conditions and events in the country where the provider is located.

Operational risks: A service provider may expose an institution to losses resulting from inadequate internal processes, failed systems, human error, or external events.

Legal risks: Arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.

Case Studies

Raphaels Bank

In 2019, the UK’s Raphaels Bank was fined £1.89 million for outsourcing failures that rendered customer accounts inaccessible over an eight-hour period on Dec 24, 2015. As a result, 3,367 customers were unable to use their prepaid cards and charge cards.

The incident happened after Raphaels Bank’s card processor was hit by a technology failure.

The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) accused the bank of “failing to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers – particularly, how they would support the continued operation of its card programs during a disruptive event.”

Royal Bank of Scotland

A similar incident happened in 2012 at the Royal Bank of Scotland. Unbeknownst to the public, the bank had outsourced its system software to an IT vendor. The vendor failed to follow through on a planned system update in a timely manner. This left millions of clients without access to their money. The bank itself was helpless because it had not put a business continuity plan in place in its outsourcing agreement with the vendor.

In the wake of such incidents, the Federal Reserve Board issued guidance on managing outsourcing risk. The guidance requires a risk management program for all banks that outsource services.

Elements of an Effective Program to Manage Outsourcing Risk

Any financial institution engaged in outsourcing should have a risk management program that is risk-focused and provides oversight and controls commensurate with the level of risk the outsourcing arrangement presents. Special attention should be given to activities that may have a substantial impact on an institution’s financial condition and those that pose material compliance risk. The complexity of risk management depends on the number (and types) of outsourced activities.

An effective service provider risk management program is built around six core elements:

  1. Risk assessments.
  2. Due diligence and selection of service providers.
  3. Contract provisions and considerations.
  4. Incentive compensation review.
  5. Oversight and monitoring of service providers.
  6. Business continuity and contingency plans.

  1. Risk assessments: Before deciding whether or not to outsource a business activity, it is important to carry out a risk assessment of the activity. In doing so, a financial institution should consider the following:
    • Implications of performing the activity in-house or having it performed by a third party.
    • Whether outsourcing is consistent with the organization’s strategic direction and business strategy.
    • Cost implications for establishing an outsourcing arrangement.
    • Availability of qualified and experienced service providers.
    • Institution’s ability to provide appropriate oversight and management of the relationship.

    Risk assessment should be a regular activity consistent with a financial institution’s service provider risk management program. Following every round of assessment, an institution should scale up (or scale down) its risk mitigation plans, if appropriate.

  2. Due diligence and selection of service providers: Before engaging a service provider, it is important to exercise due diligence and objectively evaluate the provider. The extent of evaluation varies depending on the scope, complexity, and strategic importance of the planned outsourcing arrangement. The financial institution should involve technical experts and key stakeholders in the due diligence process.

    The due diligence process has three key components:

    1. Business background, reputation, and strategy.
    2. Financial performance and condition.
    3. Operations and internal controls.

    We shall look into each of these shortly.

  3. Contract Provisions and Considerations:
    • Financial institutions should explore the service contract and all legal issues related to proposed outsourcing arrangements.
    • It is important to involve the institution’s legal counsel before signing any agreements.
  4. Incentive Compensation Review:
    • Financial institutions should ensure that there’s an effective process to review and approve any incentive compensation that may be embedded in service provider contracts.
  5. Oversight and Monitoring of Service Providers:
    • In order to monitor contractual requirements effectively, financial institutions should establish performance metrics that define acceptable performance levels.
  6. Business Continuity and Contingency Considerations:
    • A host of issues can affect a service provider’s ability to offer services.
    • A financial institution should ensure that there are contingency and business continuity plans.
    • It is imperative that the financial institution itself “knows the drill” so as to be able to cope with an untimely incident.

Due Diligence on Third-party Service Providers

As hinted earlier on, the due diligence process is built around three key elements:

  1. Business Background, Reputation, and Strategy

    As a first step, the financial institution should seek answers to each of the following questions:

    • What is the prospective service provider’s status in the industry?
    • What are its corporate history and qualifications?
    • What is the provider’s background and reputation in its industry?
    • Does the provider have an appropriate employee background check (vetting) program?

    The institution should proceed to engage the provider if and only if it obtains satisfactory answers to these questions.

    Ideally, the service provider should be experienced and well-qualified to deliver the service. It is also important to scrutinize the service provider’s business model, including its business strategy and mission, service philosophy, quality initiatives, and organizational policies. The provider’s business model should be resilient and adaptable to a range of potential business directions of the financial institution.

    It is also important to:

    • Reach out to the service provider’s references to ascertain its performance record.
    • Verify any required licenses and certifications.
    • Verify whether there are ongoing legal matters involving the service provider or its principals.
  2. Financial Performance and Condition

    It is imperative to scrutinize the financial condition of the service provider and its closely related affiliates. The financial review may include the following:

    • Recent financial statements and annual reports.
    • Sustainability, judged by the length of time the service provider has been in business and the share of the market it controls.
    • How the proposed business relationship will impact the service provider’s financial condition.
    • Level of commitment in terms of financial and staff resources.
    • The service provider’s insurance status.
    • The adequacy of the service provider’s review of the financial condition of any subcontractors.
    • The provider’s other current issues that may materially affect future financial performance and/or existence.
  3. Operations and Internal Controls
    • It is the financial institution’s responsibility to ensure that services provided by service providers comply with applicable laws. Such services should also be consistent with safe-and-sound banking practices.
    • The following may need to be reviewed:
      • Privacy protection of the financial institution’s confidential information.
      • Maintenance and retention of records.
      • Business resumption and contingency planning.
      • Internal controls.
      • Facilities management.
      • Training, including compliance training for staff.
      • Employee background checks.
      • Adherence to applicable laws, regulations, and supervisory guidance.
      • Security of systems (with regard to data, equipment, and property).
      • Systems development and maintenance.
      • Service support and delivery.

Contract Provisions and Considerations

  • Financial institutions should explore the service contract and all legal issues related to proposed outsourcing arrangements.
  • It is important to involve the institution’s legal counsel before signing any agreements.
  • The terms of the deal should be put down in writing in a clear, unambiguous manner.

Elements of Well-defined Contracts

Scope

  • The rights and responsibilities of each party should clearly be spelled out. That includes issues such as:
    • Compliance with applicable laws, regulations, and regulatory guidance.
    • Terms governing the use of the institution’s property, equipment, and staff.
    • Support, maintenance, and customer service.
    • Training of financial institution employees.
    • The ability to subcontract services.
    • Contract timeframes.

Cost and Compensation

  • All fees and charges to be paid should be specified.
  • The contract should specify the party responsible for settling the various costs that may arise from the contractual arrangement, including legal, audit, and supervisory examination costs.
  • The contract should also specify the party that’s responsible for the purchase and maintenance of equipment, hardware, software, and other utilities.
  • The financial institution should ensure that the compensation structure does not encourage risky behavior on the part of the service provider.

Right to Audit

  • The agreement may give the financial institution the right to audit the service provider or give the institution (or its proxies) access to the provider’s financial statements.

Establishment and Monitoring of Performance Standards

The agreement should specify measurable performance standards for the service or product.

Confidentiality and Security of Information

  • The contract must contain extensive provisions that address the confidentiality and security of information pertaining to both parties.
  • In order to keep crucial information confidential, the contract may specify the type of information that the service provider can access.
    • In particular, contracts have to conform to FFIEC guidance and to section 501(b) of the Gramm-Leach-Bliley Act, which seeks to protect customer information.
  • The contract should also require the service provider to disclose any data breaches in a timely manner.

Ownership and License

  • The contract should specify instances when the service provider is allowed to use the financial institution’s property.
  • In addition, there should be clarity on the ownership of data produced by the service provider.
  • Where software is purchased from a service provider, the financial institution should ensure that there is an escrow agreement allowing it to access the source code and programs under certain conditions.

Indemnification

  • Agreements should be set out in a way that allows the financial institution to seek indemnification from the service provider if the latter’s negligence leads to claims against the institution.

Default and Termination

  • Events that constitute default should clearly be spelled out, including a list of acceptable remedies aimed at restoring the acceptable level of service.

Dispute Resolution

  • The contract should set out dispute resolution and escalation mechanisms to ensure that any issues that come up are handled promptly.

Insurance

  • The financial institution should require proof of insurance and notification whenever there is a change in the provider’s insurance coverage.

Customer Complaints

  • Agreements should give details regarding the responsibilities of both parties in case there’s a customer complaint.
  • If the service provider is required to respond to a customer complaint, it should file a report with the financial institution about the incident.

Business Resumption and Contingency Plan of the Service Provider

  • Agreements should address the steps that service providers should take to restore services in the event of an interruption occasioned by operational failures.
  • The financial institution should require the service provider to back up data and maintain disaster recovery and contingency plans.

Foreign-based Service Providers

  • When the service provider is based in a foreign country, the contract should specify which jurisdiction’s law applies in dispute resolution.

Subcontracting

  • If the agreement allows for subcontracting, the subcontractor should be subject to the same contractual provisions as the service provider.

Practice Question

Bank X is a regional financial institution planning to outsource its IT infrastructure maintenance to a third-party service provider. The senior management is aware of the importance of well-defined contracts and service agreements in mitigating potential risks associated with outsourcing. They have sought the assistance of the bank’s legal counsel to review and finalize the contract with the service provider.

Which of the following elements should Bank X ensure is included in the contract with the third-party service provider for a well-defined outsourcing agreement?

  A. The contract should include a clause stating that the service provider is not allowed to subcontract any services to other parties under any circumstances.
  B. The contract should provide a general overview of the responsibilities of each party, leaving the details to be agreed upon verbally between the parties.
  C. The contract should specify the scope of the services to be provided, including support, maintenance, and customer service, as well as compliance with applicable laws, regulations, and regulatory guidance.
  D. The contract should focus primarily on minimizing the financial institution’s costs, with less emphasis on ensuring the quality of the outsourced services.

Solution

The correct answer is C.

By clearly defining the scope of services, both parties understand their responsibilities and expectations. Furthermore, given that the bank operates within a regulatory environment, ensuring compliance with applicable laws and regulations is crucial. This helps in avoiding regulatory penalties and ensures the bank’s operations run smoothly.

Option A is incorrect. A blanket prohibition on subcontracting may not be practical in all cases, and instead, the bank might specify conditions under which subcontracting is allowed (e.g., with prior approval or ensuring that any subcontractor meets specific criteria).

Option B is incorrect. Relying on verbal agreements can lead to misunderstandings and disputes later on, as verbal commitments are harder to prove. Contracts, especially for such critical services, should be as detailed as possible, specifying roles, responsibilities, and deliverables in clear terms.

Option D is incorrect. While cost-effectiveness is important, compromising on the quality of services, especially in IT infrastructure maintenance, can lead to significant operational risks, security breaches, and potential regulatory issues. Ensuring quality should be a top priority.

Things to Remember

  • Outsourcing agreements serve as a foundation for partnership, ensuring clarity in roles, responsibilities, and deliverables.
  • Ensuring adherence to the regulatory environment in which a financial institution operates is essential, not just for compliance but for maintaining institutional integrity.
  • Quality assurance in IT infrastructure is crucial, as IT serves as the backbone for many banking operations and services.
  • Written contracts provide a tangible record, reducing ambiguities and potential conflicts that might arise from verbal commitments.