The content of this article comes largely from Laven Partners, except for Mr Ganguli's comments on the bullet-points and a list of outsourceable activities at the end. 'Outsourcing' for these purposes is an arrangement whereby a firm hires another firm (or, in regulatory parlance, 'engages a third party') to perform a service that it may already (or may conceivably) be performing itself. It includes the following characteristics.

The guidelines describe how fund-management companies should assess the degree of 'materiality' in an outsourcing arrangement. Material outsourcing constitutes arrangements which if disrupted, could have a significant effect on the firm’s business, operations, reputation or profitability.

The MAS recommends that fund firms should consider the following points when assessing the materiality of an outsourcing arrangement:

• the importance of the business activity to be outsourced;

• the potential effect of the outsourcing on earnings, solvency, liquidity, funding and risk profile;

• the effect on the firm’s reputation and brand value should the service provider fail to perform its services;

• aggregate exposure to a particular service provider in cases where the firm outsources various functions to the same one; and

• the ease with which the firm can maintain appropriate internal controls and obey regulations if the service provider were to experience operational problems.

The determination and reporting of material outsourcing

Laven Partners note that the MAS must be notified in writing of all material outsourcing. Outsourcing of all or substantially all risk management and internal control functions including compliance, internal audit and financial accounting is considered material and firms must report it.

Suvendu Ganguli notes that most large organisations are notified of the requirement, yet the true challenges lie elsewhere.

"Firstly, in Singapore's banking industry, outsourcing and ‘smart-sourcing’ (the later typically refers to outsourcing to an affiliate or subsidiary entity of the group) has been going on for years in a piece-meal and increasingly complex fashion without a corresponding rise in centralised tracking and necessary governance. Most banks are now scrambling to put such controls in place in instances where there are up to 3 layers of outsourcing that makes use of many jurisdictions and many entities, sometimes all relating to a single process.

"Although the regulator does acknowledge any notification of material outsourcing, its response (as one might expect) is typically in a standardised letter that reminds the institution of its obligations to monitor the outsourcing and periodically subject it to scrutiny by Internal Audit. Audit’s function is clearly not to manage a compendium of outsourcing relationships (this is a business responsibility) and therefore, in view of the current turmoil, it is anybody’s guess whether any one function at this-or-that organisation has a full picture of all outsourcing relationships and knows whether all assessments of 'materiality' have been done consistently. In essence, this is very much a 'work in progress,’ with open manholes all around"

The need for 'due diligence'

Laven Partners note that firms should perform formal 'due diligence' on service providers. For this purpose, each fund firm should establish a process for doing so. This should, amongst other things, lead to a written record of each service provider’s technical expertise, its independence from the firm or lack of it, its familiarity with MAS regulations and whether it is likely to be accessible to the MAS during any audits that might take place.

Suvendu Ganguli says: "Interestingly, what this guidance does not consider is that 68% of global outsourcing in the financial services industry is cross-border and multi-jurisdictional (and – yes – an outsourcing from the Dubai International Financial Centre to 'UAE onshore' under Central Bank jurisdiction also counts here). Most regulators in Asia (India, Thailand, Indonesia and Malaysia to name but a few) also have their specific guidelines on outsourcing.

"In this field, again, two items need highlighting. Firstly, in each outsourcing set-up process, the firm has to consider both the sending location’s regulatory requirements for 'due diligence' and those of the receiving location. I have seen circumstances where such requirements conflict with each other and cross-border 'oversight requirements' also pose challenges. Secondly, although the best-known guidelines for transfer pricing come from the Organistion for Economic Co-operation and Development and awareness outside of the OECD region is still somewhat lacking, it has to be kept in mind that recognition of income and costs is only the flip-side of robust risk recognition, even if there is an outsourcing or cross-border context. Since the events at Lehman Brothers in 2008, most regulators have increased their insistence on the effective segregation of client monies and trades from proprietary monies and trades and the scrutiny thereof, but there are no globally consistent rules for 'materiality' assessments to offset outsourcing risks."

Always ensure independence!

Laven Partners say that an established relationship with existing service providers may seem like a natural fit for outsourcing, but these existing relationships may create a conflict of interest. Every outsourcing exercise must assess both the technical expertise of the provider and determine whether any other duties that it performs will create any conflict of interest. For instance, if a fund firm wishes to outsource its internal audit, it should consider whether any conflict might arise from outsourcing it to the service provider that already performs its financial audits.

Suvendu Ganguli notes: "The UK's Bribery Act, which affects the whole world, has focused people's minds on the arms-length conduct that ought to surround (and the conflicts of interest that might surround) the hopefully neutral selection of an outsourcing/service provider/vendor and has generally improved governance on the subject. In the IT and other specialised technical sectors of India, to take one random example, there are still pockets of doubt about how (and by whom) technology vendors are introduced to their clients, about who owns the firm and who is related to whom. The wining-and-dining that precedes the award of a contract does not seem to have died down much recently.

"In the context of fund management, banking and trust advisory services, the strangest of examples can arise out of the complex relations between parties. If, for instance, a customer takes legal action against a nominee entity (which is a subsidiary of a large bank or fund) for mismanagement, mis-selling, tampering with statements or fraud, the nominee entity may in turn find itself having to take legal action against the owning parent company in its capacity as the custodian of the client’s assets."

The performance of periodic reviews

Laven Partners state that each outsourced service provider should have established records that are accessible to the fund management firm and can be used to review, amongst other things, the details of the engagement and the continuing performance of the service provider. In particular, the performance of the service provider should be formally reviewed on a periodic basis and someone should carry out a regular review of the arrangement to determine whether any changes to it have caused 'non-material' outsourcing to be considered material. The MAS never uses the term 'immaterial.'

Suvendu Ganguli notes that anyone who thinks of outsourcing as a benign process that can only lead to cost-savings should think again: "The funds industry has 'material outsourcing' in almost every vital area, from the gathering of economic intelligence/analyst views to accounting, auditing and the production of performance statements. The MAS expects a periodic review for each and every material aspect. In February of this year, clients' statements that belonged to one Asia-based lender were stolen whlie in the care of a third-party service provider – the pain (and the volume of explanation to be made to the regulator) was enormous (see page 2 column 1, Compliance Matters PDF, August 2014)."

The responsibility is always with the fund firm

Laven Partners note that the responsibility for a function, whether performed internally or outsourced, lies ultimately with the fund-management company in question. The senior managers and board are the parties who carry responsibility for the management of any risks associated with the firm, so all outsourcing efforts should be considered in the firm’s 'risk management framework'. Proper 'due diligence,' a focus on expertise and independence and a never-ending stream of periodic reviews of the service-providers (perhaps every year or two) should be helping to mitigate any risk.

Suvendu Ganguli cannot agree more, but believes that two years is very long – any review should take account of regulatory expectations. He adds: "The criteria for selecting outsourcing vendors (and subsequent auditing/periodic reviews) are typically weak in respect of the assessment of business continuity, of the vendor's/service provider's plans and of the effective risk-mitigation of the vendor’s continuity plans.

"When it conducts outsourcing appropriately, a fund firm can find itself freed from sometimes time-consuming operational functions and be able to focus on the more strategic and forward-looking parts of its business. This can drive up revenues and might also cut costs by forestalling the need for new, specialised staff. This is particularly true of emerging or growing businesses with limited staff or expertise. Outsourcing should be done in a systematic and pragmatic way so as not to damage the business. In the meantime, the compliance officer should still bear in mind the regulatory obligations of his fund firm."

The MAS list of outsourceable activities

“Material outsourcing” means an outsourcing arrangement which, if disrupted, has the potential to significantly impact an institution’s business operations, reputation or profitability. The outsourcing of all or substantially all risk management and internal control functions including compliance, internal audit and financial accounting, is to be considered material. An arrangement which was previously not material may subsequently become so from incremental activities outsourced to the same service provider or from an increase in volume or nature of the activity outsourced to the service provider. Material outsourcing risks may also arise when the service provider in a material outsourcing plans to sub-contract the service or makes significant changes to its sub-contracting arrangements. This is why n institution should undertake periodic reviews of its outsourcing arrangements to identify new material outsourcing risks as they arise."

The following are examples of some services that, when performed by a third party, would be regarded as outsourcing for the purposes of the MAS guidelines of 2004, although they are not exhaustive:

• Application processing (e.g. loan origination, credit cards);

• Back office management (e.g. electronic funds transfer, payroll processing, custody operations, quality control, purchasing, maintaining the register of participants of a collective investment scheme (CIS) and sending of accounts and reports to CIS participants);

• Claims administration (e.g. loan negotiations, loan processing,

• collateral management, collection of bad loans);

• Document processing (e.g. cheques, credit card and bill payments, bank statements, other corporate payments);

• Information system management and maintenance (e.g. data entry and processing, data centres, facilities management, end-user support, local area networks, help desks);

• Investment management (e.g. portfolio management, cash management);

• Manpower management (e.g. benefits and compensation administration, staff appointment, training and development);

• Marketing and research (e.g. product development, data warehousing and mining, media relations, call centres, telemarketing);

• Business continuity and disaster recovery capacity and capabilities; and

• Professional services related to the business activities of the institution (e.g. accounting, internal audit, actuarial).

The following arrangements – which fall into 3 general categories – are generally not to be considered as 'outsourcing.'

* Arrangements where the required infrastructure necessitates such substantial investments as to render in-house provision of services nearly impossible, or where certain industry characteristics require the use of third-party providers. These are as follows.

• Telephone, utilities.

• Market information services (e.g. Bloomberg, Moody’s, Standard & Poors).

• Common network infrastructures (e.g. VISA, Mastercard).

• Clearing and settlement arrangements between clearing and settlement institutions/houses and their members, and similar arrangements between members and non-members.

• Correspondent banking services.

• Introducer arrangements (where the institution does not have any contractual relationship with customers).

* Arrangements that pertain to principal-agent relationships rather than to outsourcing. These are as follows.

• The sale of insurance policies by agents or brokers, and ancillary services relating to those sales.

• Arrangements that the institution is not legally or administratively able to provide.

• Statutory audit and independent audit assessments.

• Discreet advisory services (e.g. legal opinions, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy, loss adjusters).

• Independent consulting.

* Arrangements that are generally considered low-risk, which are as follows.

• Mail and courier services.

• Printing services.

• The purchase of goods, commercially available software and other commodities.

• Credit background, background investigation and information services.

• Employment of contractors or temporary personnel.

*Gordon Lai is the relevant expert at Laven Partners' Singapore office. He can be reached on +65 6631 2889 or at gordon@lavenpartners.com. Temaswiss Wealth is the sole purveyor in the APAC region of a specialised operational risk course to do with cross-border outsourcing. Suvendu Ganguli can be reached on +65 6222 9529 or at coo@temaswiss.com