Outsourcing is a mechanism that allows a regulated financial institution to use a third party, which can be an affiliate (e.g. other entity of the group), to perform activities that would normally be undertaken by that financial institution. The rationale for such outsourcing may include (i) cost reduction, (ii) the provision of services more efficiently by accessing skills and technologies that may not be available within the financial institution locally, or (iii) allowing firms to provide “round-the-clock” services to clients across different time zones (“follow-the-sun” operating model). This can apply to business processes or technology, e.g. “cloud computing outsourcing”.
However, there are risks associated with outsourcing. In the banking sector, the new EBA guidelines on Outsourcing Arrangements set out the minimum requirements that regulators expect firms to comply with to manage these risks. As a National Competent Authority, the Commission de Surveillance du Secteur Financier (CSSF) has transposed European requirements into local regulation for IT Outsourcing relying on a Cloud Computing Infrastructure (Circular 19/714) and is expected to shortly transpose the full guidelines to establish a more harmonised governance of outsourcing in credit institutions. The key principles of the new requirements cover proportionality (Group application and institutional schemes), assessment of outsourcing arrangements, governance frameworks and outsourcing processes.
Although financial institutions in the Eurozone were expected to comply with the above as of September 2019, implementing and abiding by these new standards has proven to be difficult. The challenge has become even more acute during the COVID-19 pandemic, in particular with regards to business continuity and risk assessment.
1. Business Continuity Plan (BCP) and testing
Among governance framework requirements, institutions must implement, maintain and periodically test appropriate business continuity plans with regards to outsourced critical or important functions. In other words, institutions should design and perform a dry-run exercise to assess how teams will work in potential disrupted conditions, e.g. the ability to continue processing customer payments when an outsourced service provider is unable to do so. Until March 2020, only a handful of institutions were fully prepared for the situation where both the institution itself and the service provider were only partially operational for a long period of time. In addition to the decreased number of available resources (e.g. staff on parental leave), larger institutions reached their limits of connectivity due to insufficient internal IT infrastructure to support a large number of remote connections. In order to help remediate this, BCPs should be further extended to cover a wider range of stress scenarios, including a combination of shortage in resources and limited network access.
2. Risk Assessment of outsourcing arrangements
Before outsourcing an activity or a function to a third party, financial institutions must assess the potential impact of outsourcing arrangements on their operational risk. European regulators explicitly require institutions to consider multiple scenarios, including high-severity operational risk events, to allow an assessment of potential impacts. Although loss of access to applications from the service provider’s premises is regularly tested, few institutions considered that service provider’s employees may not be able to access internal systems via remote connection (e.g. IT infrastructure not fit for this purpose). Only a few institutions assessed the potential situation where their providers had insufficient IT setup for remote working (e.g. sufficient internet coverage in third countries). COVID-19 also highlighted an increased number of data security breaches in a particularly vulnerable environment, previously tested as punctual incidents. It now becomes clear that many risks have not been sufficiently anticipated and risk assessment frameworks of outsourcing arrangement should be reinforced.
Through history, financial institutions have been through multiple crises and have learnt how to adapt and continue to provide undisrupted service to their customers. This is once more the case for the current crisis, which is unprecedented in terms of geographical and business scale. Banks should leverage the findings of the COVID-19 crisis to improve business continuity plans and risk assessment frameworks. While not eliminating future risks, improving these aspects of outsourcing arrangements will limit the impact of future crises on banking services and further strengthen the resilience of the financial sector. A considerable increase in operational risks and mitigating costs are unavoidable, and the COVID-19 crisis has demonstrated the vital importance of strong outsourcing partnerships and technically advanced solutions. Now has never been a better time to initiate a review of outsourcing strategies.