Funds choose to work with outsourced functions for a variety of reasons. Cost efficiency, scalability, resourcing and the need for expertise in different fields can all influence the need for and the building of a robust outsourced business infrastructure. Outsourcing often provides the best solution for a streamlined and cost efficient business model which needs expertise in ancillary functions without the potentially disproportionate costs and administration of building those functions internally. Before procuring outsourcing functions, firms will inevitably balance operational risk (which is always at the forefront of a firm’s strategy) against the considerable benefits of outsourcing.

FCA and SEC guidelines on outsourcing

When making decisions on outsourced partners, firms should always pay particular attention to regulatory considerations. The FCA and SEC provide clear guidelines on the regulatory obligations of outsourcing. Most notably, regulatory obligations cannot be delegated and will always be the duty of the regulated entity. Firms are expected to take reasonable care to supervise outsourced functions.

ESG policies

The first consideration when identifying outsourced partners is fit. Does the third-party firm have the right culture and does it align with your firm’s? If you have a fully defined ESG policy, do the third-party firm’s policies and procedures align with yours? If not, can they (and will they) be brought into line with yours? If the answer to all these questions is ‘no’, then you should look for a different provider.

A framework for reporting, monitoring and controls

Carrying out due diligence on suppliers should, in an ideal scenario, travel up the line: investor to fund, fund to outsourced partner and so on. It is essential to establish a framework for reporting, monitoring and controls at the start of your contract. If the regulator seeks information from you, a lack of clarity, visibility, or ability to obtain the information sought in short order can indicate a lack of adequate supervision and can have serious implications.

Security posture

A key focus on your third-party relationships will be cybersecurity. In order to meet their obligations to regulators and investors, firms need to consider not only their own security posture but also that of the partners they work with. If any part of your network or data is accessible to third-parties: IT, regulatory reporting specialists or HR teams for example, then it is imperative that their cybersecurity policies (and practices) is of a an acceptable standard. Minimising operational risk exposure is a vital part of the outsourcing process and should be a particular consideration when carrying out due diligence. Your chosen partner might have expertise they can share from working with similar firms to yours, which may bring an additional benefit and is one of the reasons working with a sector specialist is generally advantageous.

Reporting, monitoring and key processes

The basis of your agreement must be clearly defined so you can manage SLA’s and KPI’s for reporting and monitoring, but also to ensure you understand the process in case of service interruption or failure. Part of the contingency arrangements considered should include loss of services from the provider, should they suffer financial failure or significant loss of resource. How your partners will notify you should there be an interruption in service should be part of your business continuity planning. Vendor security and robustness are key considerations to this. Do you have a clear exit strategy should your relationship come to an end?

It is imperative a firm conducts thorough due diligence on any service being outsourced, whether it be a regulated activity or not. Those in charge must assure themselves that the service being provided does not compromise the firm’s ability to ensure fair treatment of clients and delivers a clear benefit to the firm, both internally and externally.

If operationalising your security and regulatory compliance is high on your agenda, our teams are here to help, starting with a baseline assessment and then working to your tailored objectives and within your regulatory framework. Just get in touch.