Outsourcing Challenges and 3rd Party Risk

This article is focused on capital markets participants’ operational resilience and increasing reliance on 3^rd parties, the reasons and challenges of group-wide compliance programs to maintain sound risk management.
Since the COVID-19 pandemic, and with an intensification of the trade war between China and the U.S.  the supply chains’ future is uncertain. Organisations from all industries across the globe are deeply affected, allocating additional resources to managing disruption, responding to the immediate challenges.

Some organisations are better prepared than others to respond to the heightened need to assess their supply chain, particularly their IT infrastructure to adequately support operations stability, network robustness, and data security. The geographies of the supply chain become of vital importance. 3^rd party Risk exposure is increasing however Due Diligence is not keeping pace.
Cost-effectiveness is even more relevant in today’s environment, meaning that already relaxed on-boarding and

monitoring practices of a complex, multi-tier supply chain due diligence is further compromised, inadvertently subjecting the business to a further financial and operational risk. In such an environment, suppliers tend to engage in fraudulent practices knowing that the risks of detection within an organisation are low. Naturally, competitors will gain an advantage either by exploiting vulnerable points within an organisation that has failed to take adequate safeguards or by advertising services with better controls and systems for client protection.
Prior to COVID-19 disaster, Refinitiv conducted an interesting survey (published Feb 2020), with total of 1,794 participants across 16 countries (899 large and 895 SMEs) with a total of over 17mln 3^rd party relationships, an average of 10,000 per organisation.
According to the survey results, despite greater regulation and stronger enforcement action, organisations are struggling to gain visibility of all 3^rd party risks to enable appropriate action to be taken. Staggering 61% of respondents stated that prosecution would be unlikely if they breached 3^rd party related regulations.
Many have reported that they are not completing full 3^rd party due diligence at their onboarding or ongoing monitoring stages. Why? Competitive pressures, greater globalization and increasingly complex supply chains.
 

43% of 3^rd parties are not subject to due diligence checks (6% higher than 2016 survey results). 60% of respondents are not fully monitoring 3^rd parties for ongoing risks 63% of respondents agree that the economic climate is encouraging organisations to take regulatory risks in order to win new business 53% of respondents say that they would report a 3^rd party breach internally and only 16% would report it externally.

 
Seeing the survey’s results, we wonder how the organisations in Singapore are doing. The reported percentage of due diligence on 3^rd parties done is underwhelming, dropping from already low 62% in 2016 to 48% in 2020. Alarmingly, Singapore’s drop was the highest of all 16 countries.
The effects of rule-based rather than risk-based approach adopted by organisations, particularly cost conscious SMEs, could see them facing disruptions on different levels. Hope that compliance with a bare minimum reporting obligations will suffice is rather reckless and must be re-considered.
We are aware that MAS is particularly interested in material outsourcing arrangements. MAS is clear about growing exposure to country risk, an overlapping risk, touching everything from cloud and reputation risk to transaction and operational risk. Specifically, MAS raised its concerns about IT supply chains, defined as a weak link in Financial Institutions’ cyber defenses.
Failures can occur in a variety of forms but generally, they fall into two categories: systems or procedural failures and human failures. It is clear that there are a variety of causal risk factors, but it is possible to categorize them into external risks (threats) and internal risks (errors and culture).
To prepare for the unexpected, the FFIEC says, that organisations should establish strategies for:

Contingency

Service Continuity

Exit Strategies.

Understanding the environment the 3^rd parties operate in is a crucial starting point. When assessing the service provider, It is mandatory to be familiar with:

Scope of the services to be rendered

The specifics of your product distribution channel vulnerabilities, such as the internet, telecommunications zoom, google teams, mobile phone provider; private entities engaged as Introducing Brokers (IBs) or Appointed Representatives (ARs) – licensed or not?

Contract T&C: have a clear compensation structure

National and international rules and guidance

Industry best practice

The supply chain can have direct or indirect distribution channels. Direct channels include more traditional face-to-face interactions. Some organisations also adopt multi-channel distribution methods. From a compliance perspective, all potential risks and requirements must be considered for each channel adopted. This is a key consideration in the development of products of services as the requirements and obligations can vary enormously.
The organisation must have a full picture of 3^rd Party profile prior entering into a transaction, however, this proved to be a common challenge especially when the 50% rule is concerned. It is imperative that financial institutions understand from whom they are acquiring services, as well as with whom their third-party vendors might be interacting.
 specifically mentions the 50 Percent Rule, and the FFIEC’s recent Joint Statement on the same warns that “continued use of products and services from a sanctioned entity may cause the financial institution to violate OFAC sanctions.” A download of a software patch is enough to merit such a violation. Before dismissing this as irrelevant to your organization, keep in mind that technology firms from sanctioned countries span across the globe, and their connection to their subsidiaries is often opaque.
Naturally, the Due Diligence is not limited to sanction screening. It incorporates Anti-Bribery and Corruption policies, procedures, and processes as part of a ‘holistic’ financial crime compliance risk frameworks.
With regards to compensation arrangements, some red flags should be raised if the 3^rd party compensation is to be based on performance i.e. success fees, bonus fees, introducing broker fees for certain sectors. For example, in 2019, the Australian OTC FX & derivatives industry took a major hit as ASIC disallowed brokerages to compensate their IBs, instrumental partners to most retail brokers worldwide. That rule is most challenging for brokers which do not have their own infrastructure and are reliant on IBs for their trading volume, especially if that revenue comes from a self-directed region.  Australia’s authorities clearly do not approve of this method of doing business. Similarly, in other jurisdictions, The IB model has been phased out. The method of remunerating today’s IBs could be a fixed fee rather than commission.
Other contributing factors indicating a High 3^rd Party Risk:

the 3^rd party role is to enhance the organisation’s chances of winning commercial and/or government contracts

the 3^rd party requests discretionary authority to handle local matters, in a region, especially if contracting organisation has no presence or little expertise in a jurisdiction dramatically different to its Head Quarters.

industry: usually checked against Transparency International’s Bribe Payers Index (BPI). In accordance to OECD, most corrupt industries are considered to extraction & construction (due to bidding processes) , transportation (organised crime, corruption is at the enforcement level), and finance – we all remember 2018 case of 1MDB fund and corrupt bankers, Goldman Sachs.

Selection of the party: recommended by a customer or retention of a specific 3^rd party is encouraged or required by a government official.

No matter if your organization is a traditional bank, money service business, insurance firm or other entity, here are some ways to more effectively handle the burden:

Review counterparty on-boarding and ongoing due diligence policies and procedures to ensure that entity ownership is initially identified and continually monitored for changes.

Conduct routine risk assessments of your 3^rd party Incorporate the 50 Percent Rule into your Compliance Program. In addition to screening entity names against the SDN List, screen entity officers, directors and contract signatories of counterparties.

Upgrade your watch list screening process to cross-reference a database, that identifies entities that are owned by sanctioned persons or jurisdictions.

Outsourcing scope: regularly re-evaluate the economic and operational benefits of the 3^rd party against raised ref flags, if any.

In Conclusion
Better data, greater innovation, and new forms of collaboration hold the key to reducing 3^rd Party risk. Building greater transparency and resilience into an organisation’s counterparties is crucial. Perhaps a proactive, smart cost-effective actions supported by a better and more comprehensive data will improve the effectiveness of the organisations’ Due Diligence efforts?
Our role is to add to your in-house Compliance efforts when you assess your counterparty before your engagement, advising on best on-going monitoring practices, support your due diligence and screening efforts, offering the best practical Compliance Solutions relevant to your organisation’s size, business model and industry.
 
RESOURCES / NOTES
 

MAS Guidelines on outsourcing, Oct 2018

 
Ina Mackinnon is CEO and Founder of