third party risk
An enterprise cannot outsource accountability.[1]
The following guide on third party risk is intended to help control the range of risks that can arise from outsourcing core functions, and is mindful of the following areas of risk:
- Operational risks: the inability of the service provider to deliver on agreed service levels; fraud; billing errors; poor customer service; and continuity of business issues.
- Contractual risks: access to records; access by auditors and regulators; inability to exit the relationship; and enforcement issues.
- Information risks (including Cybersecurity): inappropriate access to or disclosure of sensitive company information or client personal information; loss of intellectual property protection; defamation and loss of reputation; and secondary crime including theft and blackmail of your firm or its clients.
- Legal risks: complexities arising from managing legal and regulatory differences in various locations (e.g. offshore arrangements).
One US regulator[2] noted instances where incomplete management of third party risk resulted in scenarios where financial institutions:
- "failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.
- failed to perform adequate due diligence and ongoing monitoring of third-party relationships.
- entered into contracts without assessing the adequacy of a third party's risk management practices.
- entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party's revenues.
- engaged in informal third-party relationships without contracts in place."
I quote that list verbatim here because I really can't say it any better. Impacts arising from these scenarios can be wide-ranging, including: reputational; financial; compliance; and opportunity. A negligent vendor can do unbelievable damage to a good firm like yours.
I've written this guidance based on a variety of regulatory sources, such as:
- OSFI Guideline B-10. Outsourcing of Business Activities, Functions and Processes.
- IIROC Guidance Note 14-0012. Outsourcing arrangements.
I use the term "vendor" a lot, but it's probably better to bear in mind that these practices should be followed in dealing with any service organization, even government agencies.
This article is written as a guide, and therefore uses the word "should". If you're writing a manual of risk control policy and practice around this guide (I've got one, you should write to me), never use "should", always use "shall", or your functional managers will wiggle out of all those "should be done" activities and your auditors will have a field day.
This guide uses the IOSCO definitions of "outsourcing" and "core function":[3]
- Outsourcing: "outsourcing is defined as an event in which a regulated outsourcing firm contracts with a service provider for the performance of any aspect of the outsourcing firm's regulated or unregulated functions that could otherwise be undertaken by the firm itself. It is intended to include only those services that were or can be delivered by internal staff and management".
- Core function: "critical to the ongoing viability of an entity as well as meeting its regulatory obligations to customers".
1. Outsourcing risk practices
Building a framework
I know; process folk like me are always talking about frameworks. But a framework of risk evaluation will help your firm do a thorough job and stay consistent across all vendors. This not only helps eliminate surprises but allows attention to be focused where it is due: because every vendor arrangement undergoes the same process, the relatively high risks "surface" on their own. This framework should be created to manage risk for existing and proposed outsourcing arrangements of core functions. It should consist of:
- The development of a process for determining the materiality of arrangements. This will determine whether a function is core.
- Evaluation of risks associated with all core function outsourcing arrangements.
- The implementation of a program for monitoring and managing risks, commensurate with the materiality of existing or proposed arrangements.
During an outsourcing engagement
- Ongoing supervision of outsourced providers of core functions.
- Ensuring that the board of directors and chief executive receive information sufficient to enable them to discharge their duties with regard to the outsourcing of core functions.
2. Determining materiality
Your firm should establish a process for determining whether a function is core. This process should consider:
- The impact of the outsourcing arrangement on the finances, reputation and operations of your firm, or a significant business line, particularly if the service provider should fail to perform over a given period of time.
- The ability of your firm to maintain appropriate internal controls and meet regulatory requirements, particularly if the service provider were to experience problems.
- The cost of the outsourcing arrangement.
- The degree of difficulty and time required to find an alternative service provider or to bring the business activity "in-house".
- The potential that multiple outsourcing arrangements provided by the same service provider can have an important influence—in aggregate—on your firm.
Management functions not to be outsourced
Certain regulatory regimes (e.g. the Canadian wealth management sector, in which I worked for some years) outright forbid outsourcing certain "material" management functions. Before spending the time necessary to do a full evaluation of a third party, be sure that you have regulatory permission to enter the arrangement. Outsourcing all or substantially all of any of the following management oversight functions is always considered material, and is not permitted under such regimes:
- financial analysis;
- any internal audit services related to the internal accounting controls, financial systems, or financial statements;
- senior management; and
- risk management.
Performing a risk analysis
Prior to the commencement of an outsourcing arrangement for a core function (or prior to the next contract renewal for an existing arrangement), a risk analysis should be performed for that arrangement. This will take the form of:
- Defining the outsourced function
- A due-diligence process
- Determination of the location of records
- The creation of a business continuity plan
- Consideration of foreign jurisdictions
- The creation of a contract for services
Defining the outsourced function
When considering an outsourcing arrangement for a core function, your firm should define the scope of the arrangement, specifying:
- Which functions are to be outsourced? What are the specific operational, technical, and financial objectives; the required service levels; the complexities, size, and inter-dependencies; and the desired outcomes to be achieved for functions that are to be outsourced?
- Which internal parties will be responsible for overseeing the outsourced provider(s)?
- What are the metrics by which the outsourced function will be deemed to be adequately provided by the service provider?
- How those functions will work with functions retained internally. What are the interfaces; who will perform what regular duties?
- Your firm should consider impact to the firm's internal capabilities should the function be outsourced. Will the outsourcing of this function result in the loss of skills or intellectual capital?
- What is the impact of outsourcing the function on obtaining strategic goals, objectives, and business needs?
- Does your firm have the core competency, capacity, tools, and policies to evaluate and manage the quality of the service delivered by the service provider, to keep abreast of changing business needs, regulations, policies, standards, and priorities?
Due diligence
The due diligence of service providers may include, but is not necessarily limited to, examining a service provider in light of these factors:
- Success record of the service provider (and any significant subcontractors) in implementing and supporting the outsourced activity.
- Financial strength (e.g., most recent audited financial statements).
- Business reputation, complaints, compliance and pending litigation.
- Internal controls, reporting and monitoring environment (e.g., most recent audit of internal controls).
- The service provider's business resumption and contingency measures, including recovery testing, for ensuring the continuation of the outsourced business activity in the event of problems.
- Reliance on and success in dealing with sub-contractors.
- Insurance coverage, as demonstrated in current insurance certificates.
- Business objectives, human resource policies, service philosophies, business culture, and how they fit with those of your firm and the service to be provided.
- Cybersecurity stance.
Due diligence activities should include:
- Conducting a request for proposals where such an approach would be cost effective.
- Obtaining references from existing clients of the service provider.
Where either of the steps above is deemed not necessary, the decision and its rationale should be briefly documented at the time the decision is made.
Service providers in foreign jurisdictions
A due diligence review of a service provider located in a foreign jurisdiction should additionally contemplate:
- The legal environment of both jurisdictions, especially towards understanding the differences.
- The maturity of technical and logistical infrastructure in that other jurisdiction.
- The economic/political/societal conditions, as well as the possibility of natural disasters.
Your firm and the service provider must agree the "choice of law" for the contract: the legal jurisdiction whose law governs it and under which disputes will be resolved. This will be vital for resolving disputes.
Location of records
If you're operating in a regulated regime, you probably have to worry about the location of records shared with a vendor or service organization.
Your firm, its regulators, and its auditors must have access to the service provider's books and records that relate to the outsourced activities. Your firm's regulators, upon request, should be able to promptly obtain information concerning activities that are relevant to regulatory oversight. These rights must be guaranteed by contractual provisions. Where appropriate, access rights may include physical inspections at the premises of the service provider, delivery of books and records or copies of books and records to your firm or its auditor, or inspections that utilize electronic technology.
Business continuity plan
Your firm's business continuity plan should address reasonably foreseeable situations where the service provider fails to continue providing service. The business continuity plan and back-up systems should be commensurate with the risk of a service disruption. In particular, your firm's business continuity plan should ensure that your firm has in its possession, or can readily access, all records necessary to allow it to sustain business operations, meet its statutory obligations, and provide all information as may be required by your firm's regulator to meet its mandate, in the event the service provider is unable to provide the service.
Your firm should require that its service providers establish and maintain emergency procedures and a plan for disaster recovery, with periodic testing of backup facilities. Where appropriate, this should include periodic monitoring of testing conducted by the service provider of critical systems and back-up facilities to demonstrate the ability of the service provider to perform adequately even under unusual physical and/or market conditions, and to determine whether sufficient capacity exists under all relevant conditions.
In the event that a service provider is located in a foreign jurisdiction, the continuity risk assessment should revisit the same factors listed above under "Service providers in foreign jurisdictions" (the legal environment, the maturity of technical and logistical infrastructure, and the economic, political and societal conditions, including the possibility of natural disasters), this time asking how each could interrupt the service or your firm's access to its records.
Contract for services
Your firm should document its arrangement for outsourcing core functions in a legal contract with the service provider. This contract should address all issues relevant to managing the risks associated with the outsourcing arrangement to the extent feasible and reasonable given the circumstances:
- Nature and Scope of the Service Being Provided: To document the service to be provided in a way that allows your firm to measure whether your firm is receiving the expected service. Defines the location(s) from which the service is provided.
- Performance Measures: The agreed terms by which both parties determine whether the service is being adequately provided.
- Reporting Requirements: To document the nature of and timing of reports prepared by the service provider during business as usual and in the event of a disruption or other incident.
- Resolution of Differences: To define the mechanisms for resolving disputes and the jurisdictions under which they will be resolved. The contract must specify whether the service provider will continue operations during dispute resolution.
- Defaults and Termination: Defines the circumstances constituting a default; identifies potential remedies; and defines the terms and timeframes under which either party may terminate the arrangement. Also, in the event of termination, outlines the procedures for returning your firm's data in a fashion that would enable your firm to sustain business operations without prohibitive expense.
- Ownership and Access: Clearly identifies the assets (intellectual and physical) related to the outsourcing arrangement, and identifies ownership of all assets, including assets generated or purchased for the outsourcing arrangement.
- Contingency Planning: The contract should outline the service provider's measures for ensuring the continuation of the outsourced business activity in the event of systems breakdown, natural disaster and other reasonably foreseeable events. These measures should include regular testing of business recovery and contingency processes.
- Audit Rights: The contract should clearly stipulate the audit requirements and rights of your firm. At a minimum, your firm should retain the right to evaluate the service provided or to employ an independent auditor to do so. This includes a review of the service provider's internal control environment as it relates to the service being provided. Audit rights should also be guaranteed for your firm's regulator, subject to the consent of the service provider's external auditor and the regulator signing appropriate confidentiality documentation.
- Confidentiality, Security and Separation of Property: At a minimum, the contract or outsourcing agreement is expected to set out your firm's requirements for confidentiality and security. The security and confidentiality policies adopted by the service provider should be materially commensurate with those of your firm and should meet a reasonable standard. The contract should address which party has responsibility for protection mechanisms, the scope of the information to be protected, the powers of each party to change security procedures and requirements, which party may be liable for any losses that might result from a security breach, and notification requirements if there is a breach of security.
- Subcontracting: The contract should set out any rules or limitations to subcontracting by the service provider. In particular, security and confidentiality standards should apply to subcontracting or outsourcing arrangements by the primary service provider. The audit and inspection rights of your firm and its regulator should continue to apply to all significant subcontracting arrangements.
- Pricing: The contract should fully describe the basis for calculating fees and compensation relating to the service being provided.
- Insurance: The service provider should be required to notify your firm about significant changes in insurance coverage and disclose general terms and conditions of the insurance coverage.
Service level agreement
Your firm should establish a service level agreement with each contract for the outsourcing of a core function that:
- Enshrines the required definition of services, quantifiable minimum service level, and metrics that will measure the service level attained.
- Defines security requirements and performance reporting requirements.
- Explicitly states your firm's requirements for business continuity and the location of records.
Your firm, when outsourcing core functions to a service provider, retains the responsibility to ensure that those activities are conducted in accordance with the requirements set out in the applicable regulations and securities legislation.
To carry out this responsibility, your firm must at a minimum supervise the activities performed on its behalf by the service provider in a manner similar to the supervision that would be required if the activities were performed by your firm itself.
Establishing a program for monitoring and managing risks
Your firm should document processes and procedures that enable it to monitor the service provider's performance and compliance with its contractual obligations, including, at a minimum, processes and procedures that:
- Establish measures to identify and report instances of non-compliance or unsatisfactory performance to your firm.
- Establish measures to assess, on a regular basis, the quality of services performed by the service provider.
Your firm should, on an annual basis, review the effectiveness of its monitoring program.
Advising the board of directors and chief executive
Management should report to the board on an annual basis regarding the performance of each service provider of outsourced core functions, including:
- Exceptions to service levels.
- Remedial actions undertaken to correct for exceptions.
The following list of controls serves as a final checklist for ensuring that all due diligence has been carried out, both prior to entering an outsourcing arrangement and throughout the life of the service contract.
- Your firm has adopted a definition of core and non-core outsourced functions.
- Your firm categorizes each outsourced service either as core or non-core.
- Your firm ensures that third-party service providers of core functions have adequate safeguards for keeping information confidential. This includes conducting the survey titled "20 Questions for Cyber Security Assessment".
- Your firm ensures that third-party service providers of core functions have adequate safeguards for recovering from a business disruption.
- Your firm conducts ongoing reviews of the quality of outsourced services of core functions.
- Your firm develops and tests a business continuity plan with each third-party service provider of core functions to minimize disruption to your firm's business and its clients if the provider does not deliver the services satisfactorily. Tests are annual at a minimum.
- Your firm considers other legal requirements, such as privacy laws, that may apply when entering into outsourcing arrangements of core functions.
- Your firm, its regulator, and auditors have the same access to the work product of a third-party service provider of core functions as they would if your firm itself performed the activities. Your firm includes a provision requiring this access in any contract entered into with an outsourced provider of core functions.
- For providers of outsourced core functions, the firm maintains formal documentation of technical and organizational relationships covering roles and responsibilities.
OSFI[4] has published guidance on deciding whether a function is "core", listing the following examples of potentially core functions. "FRE" means "federally regulated entity", such as a bank or life insurance carrier.
- Information system management and maintenance (e.g., data entry and processing, data centers, facilities management, end-user support, local area networks, help desks).
- Document processing (e.g., cheques, credit card slips, bill payments, bank statements, other corporate payments).
- Application processing (e.g., insurance policies, loan originations, credit cards).
- Policy administration (e.g., premium collection, policy assembly, invoicing, endorsements).
- Claims administration (e.g., loss reporting, adjusting).
- Loan administration (e.g., loan negotiations, loan processing, collateral management, collection of bad loans).
- Investment management (e.g., portfolio management, cash management).
- Marketing and research (e.g., product development, data warehousing and mining, advertising, media relations, call centers, telemarketing).
- Back office management (e.g., electronic funds transfer, payroll processing, custody operations, quality control, purchasing).
- Real estate administration (e.g., building maintenance, lease negotiation, property evaluation, rent collection).
- Professional services related to the business activities of the FRE (e.g., accounting, internal audit, actuarial).
- Human resources (e.g., benefits administration, recruiting).
The following are generally not considered core functions.
- Courier services, regular mail, utilities, telephone.
- Procurement of specialized training.
- Discrete advisory services (e.g., legal opinions, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy).
- Purchase of goods, wares, commercially available software and other commodities.
- Independent audit reviews.
- Credit background and background investigation and information services.
- Market information services (e.g., Bloomberg, Moody's).
- Independent consulting.
- Services the FRE is not legally able to provide.
- Printing services.
- Repair and maintenance of fixed assets.
- Supply and service of leased telecommunication equipment.
- Travel agency and transportation services.
- Correspondent banking services.
- Maintenance and support of licensed software.
- Temporary help and contract personnel.
- Fleet leasing services.
- Specialized recruitment.
- External conferences.
- Clearing and settlement arrangements between members or participants of recognized clearing and settlement systems.
- Sales of insurance policies by agents or brokers.
- Ceded insurance and reinsurance ceded.
- Syndication of loans.
1. "Cyber Risk: Resources for Practitioners", Institute of Risk Management, 2014, p. 76.
2. U.S. Office of the Comptroller of the Currency, quoted here.
3. IOSCO, "Principles On Outsourcing Of Financial Services For Market Intermediaries".
4. OSFI Guideline B-10, "Outsourcing of Business Activities, Functions and Processes".
Outsourcing technology service arrangements carry considerable risk to both parties. "Cybersecurity" risk is clearly one of these.
This is a guide to evaluating vendors for their capabilities in keeping your data secure.
It's well and good to be leery of upstart fintech providers, but don't take the incumbents' word that your bank has a better handle on where your data is or how it's protected.
SOC 2 is effectively mandatory among service organizations looking to enter regulated industries such as finance and health. But the financial industry in the US has raised the bar.