Ina Mackinnon of Alba Compliance Pte Ltd has provided her commentary on the current challenges of complying with outsourcing guidance.
This article focuses on capital markets participants’ operational resilience and increasing reliance on 3rd parties, and on the reasons for, and challenges of, group-wide compliance programs that maintain sound risk management.
Since the COVID-19 pandemic, and with the intensification of the trade war between China and the U.S., the future of supply chains is uncertain. Organisations from all industries across the globe are deeply affected, allocating additional resources to managing disruption and responding to the immediate challenges. Some organisations are better prepared than others to respond to the heightened need to assess their supply chain, particularly their IT infrastructure, so that it adequately supports operational stability, network robustness and data security. The geography of the supply chain becomes of vital importance. 3rd party risk exposure is increasing; however, due diligence is not keeping pace. Cost effectiveness is even more relevant in today’s environment, meaning that already relaxed on-boarding and monitoring practices for due diligence on a complex, multi-tier supply chain are further compromised, inadvertently subjecting the business to further financial and operational risk. In such an environment, suppliers tend to engage in fraudulent practices, knowing that the risk of detection within an organisation is low. Naturally, competitors will gain an advantage, either by exploiting vulnerable points within an organisation that has failed to take adequate safeguards or by advertising services with better controls and systems for client protection.
Prior to the COVID-19 disaster, Refinitiv conducted an interesting survey (published Feb 2020) with a total of 1,794 participants across 16 countries (899 large organisations and 895 SMEs), representing over 17 million 3rd party relationships in total, an average of 10,000 per organisation.
According to the survey results, despite greater regulation and stronger enforcement action, organisations are struggling to gain visibility of all 3rd party risks so that appropriate action can be taken. A staggering 61% of respondents stated that prosecution would be unlikely if they breached 3rd party related regulations.
Many reported that they are not completing full 3rd party due diligence at the on-boarding or ongoing monitoring stages. Why? Competitive pressures, greater globalisation and increasingly complex supply chains.
| Share | Survey finding |
|---|---|
| 43% | of 3rd parties are not subject to due diligence checks (6% higher than the 2016 survey results) |
| 60% | of respondents are not fully monitoring 3rd parties for ongoing risks |
| 63% | of respondents agree that the economic climate is encouraging organisations to take regulatory risks in order to win new business |
| 53% | of respondents say that they would report a 3rd party breach internally, and only 16% would report it externally |
Seeing the survey’s results, we wonder how organisations in Singapore are doing. The reported percentage of due diligence completed on 3rd parties is underwhelming, dropping from an already low 62% in 2016 to 48% in 2020. Alarmingly, Singapore’s drop was the highest of all 16 countries.
The effects of a rule-based rather than risk-based approach adopted by organisations, particularly cost-conscious SMEs, could see them facing disruptions on different levels. Hoping that compliance with bare minimum reporting obligations will suffice is rather reckless and must be reconsidered.
We are aware that MAS is particularly interested in material outsourcing arrangements. MAS is clear about the growing exposure to country risk, an overlapping risk touching everything from cloud and reputation risk to transaction and operational risk. Specifically, MAS has raised concerns about IT supply chains, which it describes as a weak link in financial institutions’ cyber defences.
Failures can occur in a variety of forms, but generally they fall into two categories: systems or procedural failures and human failures. There is clearly a variety of causal risk factors, but they can be categorised into external risks (threats) and internal risks (errors and culture).
To prepare for the unexpected, the FFIEC says that organisations should establish strategies for:
- Service Continuity
- Exit Strategies.
Understanding the environment the 3rd parties operate in is a crucial starting point. When assessing a service provider, it is mandatory to be familiar with:
- The scope of the services to be rendered
- The specifics of your product distribution channel vulnerabilities, such as the internet, telecommunications (Zoom, Google Teams), mobile phone providers, and private entities engaged as Introducing Brokers (IBs) or Appointed Representatives (ARs), whether licensed or not
- Contract T&C: have a clear compensation structure
- National and international rules and guidance
- Industry best practice
The supply chain can have direct or indirect distribution channels. Direct channels include more traditional face-to-face interactions. Some organisations also adopt multi-channel distribution methods. From a compliance perspective, all potential risks and requirements must be considered for each channel adopted. This is a key consideration in the development of products or services, as the requirements and obligations can vary enormously.
The organisation must have a full picture of the 3rd party’s profile prior to entering into a transaction; however, this has proved to be a common challenge, especially where the 50% rule is concerned. It is imperative that financial institutions understand from whom they are acquiring services, as well as with whom their third-party vendors might be interacting.
OFAC’s Cyber-Related Sanctions Program specifically mentions the 50 Percent Rule, and the FFIEC’s recent Joint Statement on the same warns that, “continued use of products and services from a sanctioned entity may cause the financial institution to violate OFAC sanctions.” The download of a software patch is enough to constitute such a violation. Before dismissing this as irrelevant to your organisation, keep in mind that technology firms from sanctioned countries span the globe, and their connection to their subsidiaries is often opaque.
Naturally, due diligence is not limited to sanctions screening. It incorporates anti-bribery and corruption policies, procedures and processes as part of a ‘holistic’ financial crime compliance risk framework.
With regard to compensation arrangements, red flags should be raised if the 3rd party’s compensation is to be based on performance, i.e. success fees, bonus fees or introducing broker fees, in certain sectors. For example, in 2019 the Australian OTC FX and derivatives industry took a major hit when ASIC disallowed brokerages from compensating their IBs, instrumental partners to most retail brokers worldwide. That rule is most challenging for brokers which do not have their own infrastructure and rely on IBs for their trading volume, especially if that revenue comes from a self-directed region. Australia’s authorities clearly do not approve of this method of doing business. Similarly, in other jurisdictions the IB model has been phased out. The method of remunerating today’s IBs could be a fixed fee rather than commission.
Other contributing factors indicating a high 3rd party risk:
- the 3rd party’s role is to enhance the organisation’s chances of winning commercial and/or government contracts
- the 3rd party requests discretionary authority to handle local matters in a region, especially if the contracting organisation has no presence or little expertise in a jurisdiction dramatically different from its headquarters
- industry: usually checked against Transparency International’s Bribe Payers Index (BPI). According to the OECD, the most corrupt industries are considered to be extraction and construction (due to bidding processes), transportation (organised crime; corruption is at the enforcement level), and finance – we all remember the 2018 case of the 1MDB fund and corrupt bankers at Goldman Sachs
- selection of the party: the 3rd party is recommended by a customer, or retention of a specific 3rd party is encouraged or required by a government official
No matter whether your organisation is a traditional bank, money service business, insurance firm or other entity, here are some ways to handle the burden more effectively:
- Review counterparty on-boarding and ongoing due diligence policies and procedures to ensure that entity ownership is identified initially and continually monitored for changes.
- Conduct routine risk assessments of your 3rd party exposure. Incorporate the 50 Percent Rule into your compliance program. In addition to screening entity names against the SDN List, screen the entity officers, directors and contract signatories of counterparties.
- Upgrade your watch list screening process to cross-reference a database that identifies entities owned by sanctioned persons or jurisdictions.
- Outsourcing scope: regularly re-evaluate the economic and operational benefits of the 3rd party against any red flags raised.
Better data, greater innovation and new forms of collaboration hold the key to reducing 3rd party risk. Building greater transparency and resilience into an organisation’s counterparties is crucial. Perhaps proactive, smart, cost-effective actions supported by better and more comprehensive data will improve the effectiveness of organisations’ due diligence efforts?
Our role is to add to your in-house compliance efforts when you assess a counterparty before engagement: advising on best ongoing monitoring practices, supporting your due diligence and screening efforts, and offering practical compliance solutions relevant to your organisation’s size, business model and industry.
RESOURCES / NOTES
- MAS Guidelines on outsourcing, Oct 2018