Author: Allan Perrin (DTSQUARED)
The concept of outsourcing (or obtaining services by contract from an outside supplier) is not a new one, with a large number of firms across financial services and other sectors having engaged in outsourcing activity for many years. What has changed however is the regulatory spotlight that now shines on the practice. In 2019, the European Banking Authority (EBA) published its final guidelines on outsourcing arrangements for financial services firms in the European Union. The application date for these guidelines came into force on 30th Sept 2019 with compliance for all existing contracts on 31st December 2021.
Despite the exit of the UK from the European Union in 2020, UK regulators have confirmed that their finalised statement is not ‘materially different’ from the EBA Guidelines, although the Prudential Regulation Authority (PRA) did outline some changes, for example referring to ‘material’ outsourcings where the EBA refers to ‘critical’ or ‘important’ outsourcings. In addition, impacted firms were given until 31st March 2022 to comply due to the COVID-19 pandemic.
In addition to this, the European Securities and Markets Authority (ESMA) have also launched guidelines on the use of cloud providers for financial services organisations, which entered into force on 31st July 2021 for new or amended contracts and on 31st December 2022 for existing contracts. The guidelines comprise nine components that firms need to consider when executing cloud outsourcing arrangements, including maintaining a cloud outsourcing strategy, conducting due diligence, information security and exit provisions, as well as notification of planned cloud outsourcing to the competent authority.
At a high level, the objective of these rules is to maintain financial stability within the UK and European markets focusing on seven main areas:
- Creating and maintaining a written outsourcing policy
- Enhancing responsibilities of Internal Audit to comply with guidelines
- Creating and maintaining a register of all outsourcing arrangements
- Highlighting all outsourcing risks associated with the policy
- Ensuring that the Business Continuity Plan includes all relevant outsourcing arrangements
- Ensuring that the outsourcing agreed service levels ‘include precise quantitative and qualitative performance targets’
- Ensuring appropriate senior management accountability for outsourcing activity (as part of the PRA’s Senior Managers and Certification Regime for UK entities)
Outsourcing Challenges Remain Despite Regulation
Whilst many of these points may be considered part of outsourcing best practice, it is important to note that compliance with these regulations does not guarantee a successful outsourcing exercise. Rather, these should be considered the minimum required standards to reach regulatory compliance. As highlighted in DTSQUARED’s previous paper, ‘Caveat Emptor – People outsourcing pitfalls to avoid’, there are several challenges associated with the outsourcing process. Whilst these may evolve over time, some of the main challenges we see today are highlighted below:
Challenge 1 – Cultural Compatibility. When outsourcing activity to a different firm or region, consideration needs to be made of the cultural differences between the existing and outsourced teams. Although these may reduce over time given appropriate efforts, this will never be an overnight fix.
Challenge 2 – Communication. Whilst existing teams may have used both formal and informal meetings to communicate with each other (such as the infamous ‘water cooler chat’), this may not transpose well within an outsourcing arrangement across borders and firms.
Challenge 3 – Intellectual Property and Data Security. Although this should always be considered by all firms, the process of outsourcing will require additional thought in terms of successfully transferring valuable data across different firms. This challenge will be enhanced when dealing with more sensitive data available to only certain identified teams or individuals
Challenge 4 – Education and Skills. Despite due diligence being performed before initiating the outsourcing activity, some organisations may find that the required skills and subject matter knowledge of outsourced resources are not at the level required. This problem may be exacerbated when attempting to increase activity where the local resource marketplace cannot respond to these demands.
Challenge 5 – Contracts. Although a lot of time and effort may be spent on reviewing every aspect of the outsourcing contract, unforeseen issues may still arise that are not adequately captured within the SLA resulting in potential contractual disputes.
Outsourcing within Financial Services
When it comes to outsourcing within the financial services industry, there have been various trends shown across different organisations. For example, the recent rise in Anti Money Laundering (AML) regulations has triggered an increased focus on financial crime and Know Your Customer (KYC), which has seen some organisations outsource certain aspects of the activity, such as KYC remediation, whilst maintaining full in-house capability for regulatory remediation. As outsourcing models evolve, we are increasingly seeing firms selectively pick and choose which process areas to outsource and which process areas to keep in-house. The ‘pure’ models of aiming for either 100% outsource or 100% in-house are becoming less and less common, with the specific challenges of each process area being highlighted through this activity.
Taking into consideration the challenges stated above, it is important that firms firstly build, then maintain and optimise their outsourcing strategy. To assist with this, ProjectiveGroup has created the ProjectiveGroup Outsourcing Maturity Framework (POMF).
The POMF provides a focused and fast assessment to help understand an organisation’s current state of outsourcing maturity against industry challenges using ProjectiveGroup’s outsourcing best practice model. The key to accurately assessing a company’s level of outsourcing maturity is to incorporate eight core outsourcing pillars within the review. These are:
- Education, Skills and Cultural Compatibility
- Governance and Policies
- Intellectual Property and Data Security
- Risk Management
- Management Oversight, Performance Management and Metrics
- Standardisation and Repeatability
For each of these pillars, we identify the typical best practice capabilities and sub-capabilities that an organisation should have in place and score them on a scale of 0-5. Under this model, zero represents ‘Not Started’ and five indicates an ‘Advanced’ level of maturity which is fully embedded in the operational culture, with the goal of ongoing improvement.
The outputs of the maturity evaluation may be categorised into different deliverables that will facilitate the transition from investigation to action. These are as follows:
- Objectives, Approach and Summary of Questions for each pillar
- Maturity Evaluation Score and Summary of Findings for each pillar
- Summary of the best Targets of Opportunity and Recommendations on Steps to Progress Maturity Levels for each pillar
- Suggested Roadmap to Progress Maturity Levels
- Strategic plan for how this crucial work will fit into and add value to the wider business objectives.
Following the assessment, the results are documented and presented to management. Based on the desired maturity rating in each area, a roadmap of recommendations is constructed to allow the organisation to review, plan, and execute their strategy.
The outlook for outsourcing within financial services will no doubt continue to evolve over time, with different models put in place to best respond to customer demand whilst also considering cost and resilience. Given this, it is important that organisations have a robust outsourcing strategy and execution plan to allow them to maximise the benefits whilst also minimising the risks of the outsourcing process. To discuss this further and learn how we could support your organisation’s outsourcing initiatives, you can contact one of our experts here.