Outsourcing Challenges and 3rd Party Risk

Sunday, 02/08/2020 | 15:10 GMT by Ina MacKinnon
  • Ina MacKinnon on the current challenges of complying with outsourcing guidance.

This article focuses on the operational resilience of capital markets participants, their increasing reliance on 3rd parties, and the reasons for, and challenges of, group-wide compliance programmes that maintain sound risk management.

Since the outbreak of the COVID-19 pandemic, and with the intensification of the trade war between China and the U.S., the future of supply chains is uncertain. Organisations in every industry across the globe are deeply affected and are allocating additional resources to manage the disruption and respond to the immediate challenges.

Some organisations are better prepared than others to respond to the heightened need to assess their supply chain, in particular the IT infrastructure that underpins operational stability, network robustness and data security. The geography of the supply chain has become vitally important. 3rd party risk exposure is therefore increasing, but due diligence is not keeping pace with it.

Cost-effectiveness is even more relevant in today's environment. The already relaxed on-boarding and monitoring practices of a complex, multi-tier supply chain are therefore compromised further, inadvertently exposing the business to additional financial and operational risk. In such an environment, suppliers are tempted to engage in fraudulent practices, knowing that the risk of detection within an organisation is low. Naturally, competitors will gain an advantage, either by exploiting weak points in an organisation that has failed to take adequate safeguards, or by advertising services with better controls and systems for client protection.

Before the COVID-19 crisis, Refinitiv conducted a revealing survey (published in February 2020) of 1,794 participants across 16 countries (899 large enterprises and 895 SMEs) with over 17 million 3rd party relationships between them, an average of roughly 10,000 per organisation.

According to the results, despite greater regulation and stronger enforcement action, organisations are struggling to gain visibility of all their 3rd party risks and to act on them. A staggering 61% of respondents stated that prosecution would be unlikely if they breached 3rd party related regulations.

Many reported that they are not completing full 3rd party due diligence at the onboarding stage or during ongoing monitoring, citing competitive pressures, greater globalisation and increasingly complex supply chains.

  • 43% of 3rd parties are not subject to due diligence checks (6% higher than in the 2016 survey).
  • 60% of respondents are not fully monitoring 3rd parties for ongoing risks.
  • 63% of respondents agree that the economic climate is encouraging organisations to take regulatory risks in order to win new business.
  • 53% of respondents say they would report a 3rd party breach internally; only 16% would report it externally.

Given these results, how are organisations in Singapore doing? The reported share of 3rd parties on which due diligence was completed is underwhelming, falling from 62% in 2016 to 48% in 2020. Alarmingly, Singapore's slump was the steepest of all 16 countries.

Organisations, particularly cost-conscious SMEs, that adopt a rules-based rather than a risk-based approach could face disruption at varying levels. Hoping that compliance with bare-minimum reporting obligations will suffice is reckless and must be reconsidered.

MAS is particularly interested in material outsourcing arrangements. It is clear about the growing exposure to country risk, an overlapping risk that touches everything from cloud and reputational risk to transactional and operational risk. Specifically, MAS has raised concerns about IT supply chains, which it describes as a weak link in financial institutions' cyber defences.

Failures take a variety of forms but generally fall into two categories: systems or procedural failures, and human failures. The causal risk factors are varied, but they can be categorised as external risks (threats) and internal risks (errors and culture).

To prepare for the unexpected, the FFIEC says organisations should establish strategies for:

  1. Contingency
  2. Service Continuity
  3. Exit Strategies.

Understanding the environment in which the 3rd parties operate is a crucial starting point. When assessing a service provider, you must be familiar with:

  1. Scope of the services to be rendered
  2. The vulnerabilities specific to your product distribution channels, such as the internet, telecommunications and conferencing tools (Zoom, Teams), mobile phone providers, and private entities engaged as Introducing Brokers (IBs) or Appointed Representatives (ARs), licensed or not
  3. Contract terms and conditions, including a clear compensation structure
  4. National and international rules and guidance
  5. Industry best practice

The supply chain can have direct or indirect distribution channels. Direct channels include the more traditional face-to-face interactions, and many organisations also adopt multi-channel distribution. From a compliance perspective, all potential risks and requirements must be considered for each channel adopted. This is a key consideration in the development of products or services, as requirements and obligations can vary enormously between channels.

The organisation must have a full picture of the 3rd party's profile before entering into a transaction. This has proved a common challenge, especially where the 50 Percent Rule is concerned. It is imperative that financial institutions understand from whom they are acquiring services, as well as with whom their third-party vendors might themselves be interacting.

OFAC’s Cyber-Related Sanctions Program specifically mentions the 50 Percent Rule, and the FFIEC’s recent Joint Statement on the programme warns that “continued use of products and services from a sanctioned entity may cause the financial institution to violate OFAC sanctions.” Downloading a software patch from such an entity can be enough to constitute a violation. Before dismissing this as irrelevant to your organisation, bear in mind that technology firms from sanctioned countries operate across the globe, and their links to their subsidiaries are often opaque.

Naturally, due diligence is not limited to sanctions screening. It incorporates anti-bribery and corruption policies, procedures and processes as part of a holistic financial crime compliance risk framework.

With regard to compensation arrangements, red flags should be raised if 3rd party compensation is to be based on performance, i.e. success fees, bonus fees and, in certain sectors, introducing broker fees. For example, in 2019 the Australian OTC FX and derivatives industry took a major hit when ASIC disallowed brokerages from compensating their IBs, which are instrumental partners to most retail brokers worldwide. That rule is extremely challenging for brokers that do not have their own infrastructure and rely on IBs for their trading volume, especially if that revenue comes from a self-directed region. Australia’s authorities clearly do not approve of this method of doing business, and in other jurisdictions the IB model has likewise been phased out. Thus, today’s IBs could be remunerated with a fixed fee rather than a commission.

Other factors indicating high 3rd party risk:

  1. the 3rd party’s role is to enhance the organisation’s chances of winning commercial and/or government contracts
  2. the 3rd party requests discretionary authority to handle local matters in a region, especially where the contracting organisation has no presence or little expertise in a jurisdiction that differs dramatically from its head office
  3. industry: usually checked against Transparency International’s Bribe Payers Index (BPI). According to the OECD, the most corrupt industries are extraction and construction (because of bidding processes), transportation (organised crime, with corruption at the enforcement level) and finance. We all remember the 2018 1MDB case and the corrupt Goldman Sachs bankers involved.
  4. selection of the party: the 3rd party is recommended by a customer, or its retention is encouraged or required by a government official.

Whether your organisation is a traditional bank, money service business, insurance firm or other entity, here are some effective ways to handle the burden:

  • Review your on-boarding and ongoing due diligence policies and procedures for counterparties to ensure that entity ownership is identified at the outset and continually monitored for changes.
  • Conduct routine risk assessments of your 3rd parties, incorporating the 50 Percent Rule into your compliance programme. In addition to screening entity names against the SDN List, screen the officers, directors and contract signatories of counterparties.
  • Upgrade your watch list screening process to cross-reference a database that identifies entities owned by sanctioned persons or jurisdictions.
  • Outsourcing scope: regularly re-evaluate the economic and operational benefits of the 3rd party against any red flags raised.
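To make the ownership test concrete, the following added example (not from the article, and not the code of any screening vendor) applies the 50 Percent Rule to a constructed multi-tier ownership table and then screens a vendor and its officers against a constructed stand-in for the SDN List. It assumes OFAC's reading of "indirect" ownership, namely that a stake held through an intermediate entity counts only once that intermediate entity is itself blocked, rather than multiplying percentages down the chain. All entity names and percentages are invented, and the exact-match name comparison stands in for the fuzzy matching, alias and transliteration handling a real screening tool needs.

```python
"""Applying OFAC's 50 Percent Rule to a multi-tier ownership graph.

Added example, not code from the article or from any screening vendor.
The rule: an entity owned 50 percent or more in the aggregate, directly or
indirectly, by one or more blocked persons is itself blocked.  "Indirectly"
is taken here in OFAC's sense (assumption, see the FAQ reference on this
page): a stake held through an intermediate entity counts only once that
intermediate is itself blocked; stakes are not multiplied down the chain.
All names and percentages are constructed sample data.
"""
from __future__ import annotations

# ownership[owned_entity] = {owner: percentage_held}.  Constructed sample data.
# "Entity B" is deliberately listed before its blocked parent "Entity A": a
# single pass over the table would miss it, the fixpoint loop below does not.
SAMPLE_OWNERSHIP: dict[str, dict[str, float]] = {
    "Entity B": {"Entity A": 50.0, "Investor Q": 50.0},          # indirect: via blocked A
    "Entity A": {"Blocked Person X": 50.0, "Investor P": 50.0},  # exactly 50% -> blocked
    "Entity C": {"Blocked Person X": 25.0, "Blocked Person Y": 25.0, "Investor R": 50.0},  # aggregate 50%
    "Entity D": {"Blocked Person X": 49.0, "Investor S": 51.0},  # 49% -> not blocked
    "Entity E": {"Entity D": 100.0},                              # D is clear, so E is clear
    "Entity F": {"Entity B": 40.0, "Entity D": 40.0, "Investor T": 20.0},  # only B's 40% counts
}

# Constructed stand-in for the SDN List (names that are directly listed).
SAMPLE_SDN: set[str] = {"Blocked Person X", "Blocked Person Y"}


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive comparison key.  Real screening needs
    fuzzy matching, aliases and transliteration; that is out of scope here."""
    return " ".join(name.casefold().split())


def blocked_share(entity: str, ownership: dict[str, dict[str, float]], blocked: set[str]) -> float:
    """Aggregate percentage of `entity` held by owners currently in `blocked`."""
    return sum(pct for owner, pct in ownership.get(entity, {}).items() if owner in blocked)


def blocked_entities(listed: set[str], ownership: dict[str, dict[str, float]],
                     threshold: float = 50.0) -> set[str]:
    """Return every blocked name: the listed persons plus all entities the
    50 Percent Rule pulls in, to any depth of ownership.

    Fixpoint iteration: keep sweeping the ownership table until no new entity
    crosses the threshold.  `blocked` only ever grows, so this terminates even
    if the ownership graph contains cycles."""
    blocked = set(listed)
    changed = True
    while changed:
        changed = False
        for entity in ownership:
            if entity not in blocked and blocked_share(entity, ownership, blocked) >= threshold:
                blocked.add(entity)
                changed = True
    return blocked


def screen_vendor(vendor: str, officers: list[str], listed: set[str],
                  ownership: dict[str, dict[str, float]]) -> list[str]:
    """Screen a vendor as the article recommends: the entity itself (directly
    listed or blocked through ownership) plus its officers, directors and
    signatories.  Returns human-readable reasons; an empty list means no hit."""
    blocked = blocked_entities(listed, ownership)
    listed_keys = {_norm(n) for n in listed}
    reasons: list[str] = []
    if _norm(vendor) in listed_keys:
        reasons.append(f"{vendor} is directly listed")
    elif vendor in blocked:
        reasons.append(f"{vendor} is blocked under the 50 Percent Rule "
                       f"({blocked_share(vendor, ownership, blocked):.0f}% held by blocked owners)")
    for person in officers:
        if _norm(person) in listed_keys:
            reasons.append(f"officer/signatory {person} is directly listed")
    return reasons


if __name__ == "__main__":
    blocked = blocked_entities(SAMPLE_SDN, SAMPLE_OWNERSHIP)
    print("blocked by ownership:", sorted(blocked - SAMPLE_SDN))
    print(screen_vendor("Entity B", ["Jane Doe", "blocked person y"], SAMPLE_SDN, SAMPLE_OWNERSHIP))
    print(screen_vendor("Entity F", ["Jane Doe"], SAMPLE_SDN, SAMPLE_OWNERSHIP))
```

On the sample data, Entities A, B and C come out blocked and D, E and F stay clear. B is the instructive case: Blocked Person X's look-through stake in B is only 25%, so an implementation that multiplies percentages down the chain would clear it, and a single sweep of the table would clear it too because B is listed before its parent. D stops at 49%, so neither E (wholly owned by D) nor F (40% via B plus 40% via the unblocked D) crosses the threshold. Ownership changes over time, so this check belongs in ongoing monitoring, not only at on-boarding.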

In Conclusion

Better data, greater innovation and new forms of collaboration hold the key to reducing 3rd party risk. Building greater transparency and resilience into an organisation’s counterparty relationships is therefore crucial. Proactive, smart, cost-effective action supported by more comprehensive data will improve the effectiveness of organisations’ due diligence efforts.

Our role is to add to your in-house compliance efforts: assessing your counterparty before you engage, advising on best ongoing monitoring practices, supporting your due diligence and screening efforts, and offering practical compliance solutions relevant to your organisation’s size, business model and industry.

RESOURCES / NOTES

  1. https://www.refinitiv.com/en/risk-and-compliance/resources/hidden-threats-third-party-risk
  2. https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_general.aspx
  3. MAS Guidelines on Outsourcing, October 2018
  4. https://www.weforum.org/reports/good-practice-guidelines-conducting-third-party-due-diligence

Ina Mackinnon is CEO and Founder of Alba Compliance Pte Ltd
