PE Tech Report


Document, document and document again

By Ian Kelly, Augentius

The Securities Exchange Commission (SEC), Financial Conduct Authority and Monetary Authority of Singapore have all issued consultations and guidance on outsourcing. Although the regulators advised on slightly different areas, the theme is clear. With outsourcing on the up, fund managers must have defined strategies, and most importantly document these with evidence that ongoing monitoring is in place.

SEC’s consultation paper on business continuity and transition plans 

The SEC issued a consultation paper last year looking at the third parties that managers increasingly rely on. The SEC is proposing that managers be required to implement a business continuity and transition plan, ‘reasonably designed to address operational and other risks related to a significant disruption’.

Senior management should focus on the maintenance of critical operations, the protection, back-up and recovery of third-party data, and a pre-arranged alternate physical location. The fund must have stakeholder communication plans. It will also need to identify business-critical services and create a plan of transition that accounts for the possible winding down of the advisor’s business or in the event the advisor is unable to continue providing services. 

FCA guidance for firms outsourcing to the cloud and to other third-party IT services

Last year the FCA published guidelines in line with, but broader than, the SEC advice. These state that when looking to outsource, managers should consider all legal and regulatory factors as well as the jurisdiction of the service provider in question. A detailed business case should be produced and a proper contract should exist. A firm is also required to document and manage any potential risk of outsourcing, ensuring they adhere to international standards. To achieve this it is recommended that managers determine the full responsibility of the service provider, allocate management and ensure dispute resolution arrangements are in place. 

Furthermore, a data residency policy must be agreed between the firm and any outsourced providers, which sets out data loss and breach notification protocols in line with the DPA 1998. The FCA also recommends that managers pre-agree effective access to data from the outsourced provider, ensuring access is available to both the managers themselves and, if need be, the regulator, and that the outsourced data is not stored in domiciles that may inhibit effective access. 

The FCA states that it’s also important to facilitate visits to the outsourcing partner by the firm, the auditor and even the regulator if necessary. Firms also need to agree details of sub-contracting arrangements before entering into outsourcing agreements, and it is recommended that there is a change of management process as well as exit and termination plans in place.

The guidance is pragmatic but puts considerable onus on managers to document and maintain records – to share with the regulator if required.

Monetary Authority of Singapore (MAS) guidelines on outsourcing

The Monetary Authority of Singapore also published its guidelines on outsourcing last year. Although MAS recognises the value of outsourcing, like the SEC and FCA, it argues that a number of potential risks are generated. 

Importantly, the definition of outsourced services here is broad, including audit and cloud computing.

The key to meeting MAS’ regulatory requirements is discipline. The board and senior management must identify all existing outsourcing arrangements and policies, and define the desired risk appetite the fund is ready to absorb. 

The fund must then define a process for the approval of outsourcing arrangements consistent with its established strategy and risk appetite. Once the board has set the guidelines, the next steps fall to senior management. They will need to evaluate the risk of all current outsourcing in line with the risk appetite set by the board. They must also document outsourcing policies and ensure they are implemented effectively, ‘fit for purpose,’ and updated as required. Contingency plans must be tested to ensure that they actually work.

The outsourcing policies and procedures must be independently reviewed with any actions implemented and any risks communicated to the Board. 

MAS has also provided guidelines on service provider selection, which recommend that firms consider a prospective outsourced provider’s capability to implement and support the arrangement. The guidelines highlight the importance of assessing the outsourced provider’s financial strength and resources, in addition to its corporate governance, business reputation, culture and ability to cope with any pending or potential litigation. Firms are advised to review providers’ security controls and business continuity plans along with audit, reporting and risk management frameworks.

Checking that the necessary insurance coverage is in place is also key, as is ensuring that all outsourced partners comply with applicable laws and regulation. Finally, MAS advises that it is important to assess the political, legal and social landscape that any prospective provider operates in.

So what does this all mean?

Managers need to define and develop proper strategies in respect of outsourcing and disaster recovery, and document them. They must be fully aware of what they outsource and to whom, and understand the risks.

Gone are the days of informal processes. When regulators come knocking they won’t want to talk. They will want to see quality documentation supporting the decisions that have been made – and followed on an ongoing basis. They need evidence that the outsourcing decision was the right one and that the fund and its investors have benefitted.

In short, regulators around the world want to see that managers are organised, have considered the risks they run within their own business, not just the portfolio, and most importantly, that they have mitigated against those risks and have documentary evidence to this effect. Document, document, and document again!

