Outsourcing parts of a compliance program to outside consultants has become a strategic move for some financial institutions as they strive to keep pace with regulatory directives and their evolving risk profile.
But such outsourcing creates an oversight obligation on the part of the hiring firm that can surpass the monitoring and testing the firm uses with its other vendors. The outsourced components must fit into the compliance program structure and the firm’s culture.
The U.S. Federal Financial Institutions Examination Council (FFIEC) prescribes uniform principles, standards, and report forms for vendor-compliance elements in the examination of financial institutions by federal regulators.
Some of the due diligence guidelines it suggests for firms when outsourcing activities include the following:
- Designating the appropriate executive and department to manage the relationship and ensure vendors comply with the procedures contracted for in areas including recordkeeping, status report delivery, and data privacy. When compliance functions are being outsourced, the compliance team must manage the relationship, but it should keep the teams affected by the contractor’s work — such as audit, HR and IT — informed and ready to make adjustments to the program.
- The compliance team must assess the vendor risks, including a review of the vendor’s staff expertise, licenses and registrations, professional references, supervisory structure and procedures, financial stability and insurance. Such assessments can be gleaned through research, interviews and client reviews. Monitoring of these factors should be constant, particularly when the vendor is providing compliance-related services. For instance, if the consultant wants to change any personnel assigned to the task, this must first be communicated to the firm so it can review the new individual’s background and credentials.
- Firms must avoid conflicts of interest in their vendor relationships. When the firm is outsourcing compliance work, the compliance team must be on the alert for any signs of a conflict involving relationships maintained by the consultant and its employees, any subsidiaries of the consultant, or vendors the consultant employs. The firm must carefully document its review of conflicts, noting the other clients the consultant is serving, as well as its employees, officers and directors.
- The vendor must demonstrate financial stability. The compliance department should make sure a credit review is undertaken and any liens, judgments or other hardships considered and documented.
- The vendor must ensure that the firm’s records will be held in the strictest confidence and that it has the processes and controls to ensure safe storage of data. To be safe, the firm should consider offering specialized training to the consultant on how best to keep such data confidential and which persons should have access.
- The outsourcing contract should specify the firm’s right to receive regular, detailed reporting on the consultant’s progress and confirmation that each stage of its work has been completed. It should also detail the firm’s right to conduct periodic audits of the consultant’s work and business. Also, the contract should include the consultant’s agreement to allow the firm to review any vendors it uses and the consultant’s business continuity plan, particularly as both change during the contract period.
A case brought in 2013 by the Securities and Exchange Commission (SEC) highlights the regulatory vulnerabilities of contracting with third parties for chief compliance officer (CCO) services.
According to the SEC, the outsourced CCO firms providing services to two series trusts failed to provide proper information to the trustees regarding the compliance programs they had been hired to review, submitting only short statements with their reviews and supplying no reasons for the basis of their overly general determinations.
The SEC said the two compliance service providers and the trustees of the trusts violated Rule 38a-1 of the Investment Company Act by failing to provide the trustees the specific information about the adequacy of the trusts’ compliance programs that the rule mandates.
Under Rule 38a-1, a registered fund’s directors can satisfy their obligations by reviewing well-documented summaries of the compliance program prepared by the chief compliance officer. Such summaries should give the directors a good understanding of how the compliance program addresses the particular, significant risks the fund faces.
The case demonstrates for firms and their boards that compliance program reviews should not be rubber-stamped. And a financial services firm must have the internal capability to evaluate the work of the service providers who conduct the compliance program reviews.
The quality of the information available to directors about the compliance program’s testing and updating helps them make business decisions, and such communication to regulators enables them to assess the firm’s soundness.
Julie DiMauro is a regulatory intelligence and e-learning expert in the GRC division of Thomson Reuters. She writes for the daily subscription service geared to compliance and risk professionals in the financial services industry called Accelus Regulatory Intelligence. Follow Julie on Twitter @Julie_DiMauro and email her at [email protected].