Outsourcing Challenges and 3rd Party Risk

This article is focused on capital markets participants’ operational resilience and increasing reliance on 3^rd parties, the reasons and challenges of group-wide compliance programs to maintain sound Risk Management Risk Management One of the most common terms utilized by brokers, risk management refers to the practice of identifying potential risks in advance. Most commonly, this also involves the analysis of risk and the undertaking of precautionary steps to both mitigate and prevent for such risk.Such efforts are essential for brokers and venues in the finance industry, given the potential for fallout in the face of unforeseen events or crises. Given a more tightly regulated environment across nearly every asset class, One of the most common terms utilized by brokers, risk management refers to the practice of identifying potential risks in advance. Most commonly, this also involves the analysis of risk and the undertaking of precautionary steps to both mitigate and prevent for such risk.Such efforts are essential for brokers and venues in the finance industry, given the potential for fallout in the face of unforeseen events or crises. Given a more tightly regulated environment across nearly every asset class, Read this Term.

Since the COVID-19 pandemic, and with an intensification of the trade war between China and the U.S., the supply chains’ future is uncertain. Organisations from all industries across the globe are deeply affected, allocating additional resources to manage the disruption by responding to the immediate challenges.

Some organisations are better prepared than others to respond to the heightened need to assess their supply chain, in particular their IT infrastructure to adequately support operations stability, network robustness, and data security. The geographies of the supply chain have become of vital importance. Thus, 3^rd party Risk exposure is increasing, however, Due Diligence is not keeping pace with it.

Cost-effectiveness is even more relevant in today’s environment, Thus, the already relaxed on-boarding and

monitoring practices of a complex, multi-tier supply chain due diligence is further compromised, inadvertently subjecting the business to further financial and operational risk. In such an environment, suppliers tend to engage in fraudulent practices knowing that the risks of detection within an organisation are low. Naturally, competitors will gain an advantage; either by exploiting vulnerable points within an organisation that has failed to take adequate safeguards, or by advertising services with better controls and systems for client protection.

Prior to COVID-19 disaster, Refinitiv conducted an interesting survey (published Feb 2020), with a total of 1,794 participants across 16 countries (899 LEs and 895 SMEs) with a total of over 17mln 3^rd party relationships, an average of 10,000 per organisation.

According to the survey results, despite greater Regulation Regulation Like any other industry with a high net worth, the financial services industry is tightly regulated to help curb illicit behavior and manipulation. Each asset class has its own set of protocols put in place to combat their respective forms of abuse.In the foreign exchange space, regulation is assumed by authorities in multiple jurisdictions, though ultimately lacking a binding international order. Who are the Industry’s Leading Regulators?Regulators such as the UK’s Financial Conduct Authority ( Like any other industry with a high net worth, the financial services industry is tightly regulated to help curb illicit behavior and manipulation. Each asset class has its own set of protocols put in place to combat their respective forms of abuse.In the foreign exchange space, regulation is assumed by authorities in multiple jurisdictions, though ultimately lacking a binding international order. Who are the Industry’s Leading Regulators?Regulators such as the UK’s Financial Conduct Authority ( Read this Term and stronger enforcement action, organisations are struggling to gain visibility of all 3^rd party risks to take appropriate action. A staggering 61% of respondents stated that prosecution would be unlikely if they breached 3^rd party related regulations.

Many have reported that they are not completing full 3^rd party due diligence at their onboarding or ongoing monitoring stages. This is occurring because of competitive pressures, greater globalization and increasingly complex supply chains.

Seeing the survey results, we wonder how the organisations in Singapore are doing. The reported percentage of due diligence on 3^rd parties completed is underwhelming, with a significant fall from 62% in 2016 to 48% in 2020. Alarmingly, Singapore’s slump was the highest of all 16 countries.

The effects of a rule-based rather than a risk-based approach, adopted by organisations, particularly cost-conscious SMEs, could see them facing disruptions on varying levels. Those hoping that compliance with bare minimum reporting obligations will suffice is rather reckless and must be re-considered.

We are aware that MAS is particularly interested in material outsourcing arrangements. MAS is clear about the growing exposure to countries' risk, an overlapping risk, touching everything from cloud and reputation risk to transactional and operational risk. Specifically, MAS raised its concerns about IT supply chains, defined as a weak link in Financial Institutions' cyber defenses.

Failures can occur in a variety of forms but generally, they fall into two categories: systems or procedural failures and human failures. It is clear that there are a variety of causal risk factors, but it is possible to categorize them into external risks (threats) and internal risks (errors and culture).

To prepare for the unexpected, the FFIEC says, that organisations should establish strategies for:

1. Contingency
2. Service Continuity
3. Exit Strategies.

Understanding the environment the 3^rd parties operate in, is a crucial starting point. When assessing the service provider, It is mandatory to be familiar with:

1. Scope of the services to be rendered
2. The specifics of your product distribution channel vulnerabilities, such as the internet, telecommunications zoom, google teams, mobile phone provider; private entities engaged as Introducing Brokers (IBs) or Appointed Representatives (ARs) - licensed or not?
3. Contract T&C: have a clear compensation structure
4. National and international rules and guidance
5. Industry best practice

The supply chain can have direct or indirect distribution channels. Direct channels include more traditional face-to-face interactions. Though, some organisations also adopt multi-channel distribution methods. From a compliance perspective, all potential risks and requirements must be considered for each channel adopted. This is a key consideration in the development of products of services as requirements and obligations can vary enormously.

The organisation must have a full picture of 3^rd Party profile prior to entering into a transaction, however, this has proved to be a common challenge especially when the 50% rule is concerned. It is imperative that financial institutions understand from whom they are acquiring services, as well as with whom their third-party vendors might be interacting.

OFAC’s Cyber-Related Sanctions Program specifically mentions the 50 Percent Rule, and the FFIEC’s recent Joint Statement on the same warns that “continued use of products and services from a sanctioned entity may cause the financial institution to violate OFAC sanctions.” A download of a software patch is enough to merit such a violation. Before dismissing this as irrelevant to your organization, keep in mind that technology firms from sanctioned countries span across the globe, and their connection to their subsidiaries is often blurred.

Naturally, Due Diligence is not limited to sanction screening. It incorporates Anti-Bribery and Corruption policies, procedures, and processes as part of a 'holistic' financial crime compliance risk framework.

With regards to compensation arrangements, some red flags should be raised if the 3^rd party compensation is to be based on performance, i.e. success fees, bonus fees and introducing broker fees for certain sectors. For example, in 2019, the Australian OTC FX & derivatives industry took a major hit as ASIC disallowed brokerages to compensate their IBs, instrumental partners to most retail brokers worldwide. That rule is extremely challenging for brokers that do not have their own infrastructure and are reliant on IBs for their trading volume, especially if that revenue comes from a self-directed region. It has been noted that Australia’s authorities clearly do not approve of this method of doing business. Similarly, in other jurisdictions, the IB model has been phased out. Thus, the method of remunerating today’s IBs could be a fixed fee rather than commission.

Other contributing factors indicating a High 3^rd Party Risk:

1. the 3^rd party role is to enhance the organisation’s chances of winning commercial and/or government contracts
2. the 3^rd party requests discretionary authority to handle local matters, in a region, especially if the contracting organisation has no presence or little expertise in a jurisdiction that is dramatically different to its Head Quarters.
3. industry: usually checked against Transparency International’s Bribe Payers Index (BPI). In accordance to OECD, most corrupt industries are considered for extraction & construction (due to bidding processes), transportation (organised crime, corruption is at the enforcement level), and finance. We all remember the 2018 case of 1MDB fund and corrupt bankers: Goldman Sachs.
4. Selection of the party: recommended by a customer or retention of a specific 3^rd party is encouraged or required by a government official.

No matter if your organization is a traditional bank, money service business, insurance firm or other entity, here are some effective ways to handle the burden:

• Review counterparty for on-boarding and ongoing due diligence policies and procedures to ensure that entity ownership is initially identified and continually monitored for changes.
• Conduct routine risk assessments of your 3^rd party by incorporating the 50 Percent Rule into your Compliance Program. In addition to screening entity names against the SDN List, screen entity officers, directors and contract signatories of counterparties.
• Upgrade your watch list screening process to cross-reference a database, that identifies entities owned by sanctioned persons or jurisdictions.
• Outsourcing scope: regularly re-evaluate the economic and operational benefits of the 3^rd party against raised ref flags, if any.

In Conclusion

Better data, greater innovation, and new forms of collaboration hold the key to reducing 3^rd Party risk. Therefore, building greater transparency and resilience into an organisation’s counterparties is crucial. Perhaps, proactive smart cost-effective action supported by more comprehensive data will improve the effectiveness of the organisations’ Due Diligence efforts.

Our role is to add to your in-house Compliance efforts when you assess your counterparty before, your engagement, advising on best on-going monitoring practices, supporting your due diligence and screening efforts, offering the best practical Compliance Solutions relevant to your organisation’s size and before your business model and industry.

RESOURCES / NOTES

1. https://www.refinitiv.com/en/risk-and-compliance/resources/hidden-threats-third-party-risk
2. https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_general.aspx
3. MAS Guidelines on outsourcing, Oct 2018
4. https://www.weforum.org/reports/good-practice-guidelines-conducting-third-party-due-diligence

Ina Mackinnon is CEO and Founder of Alba Compliance Pte Ltd