Done right, outsourcing compliance can be rewarding

While outsourcing compliance functions has increased in popularity, it is still not used by the majority of practitioners who responded to a recent Thomson Reuters survey.

“An outsourced CCO can be an independent voice, and I think that can be useful. I can see that as being a valuable way to get an objective approach from someone whose futures and fortunes are not tied exclusively to that firm … and can afford to be forceful when there’s an issue that person sees.”

SEC Commissioner Hester Peirce

The survey of 750 risk and compliance practitioners in financial services worldwide, entitled “Cost of Compliance Report 2020,” found more than a third had outsourced some or all compliance functions last year. That figure (34 percent) was the highest since Thomson Reuters started asking the question to practitioners four years ago. Last year, 28 percent of respondents said they outsourced some or all compliance functions.

Survey respondents reported some of the compliance functions they outsourced include compliance monitoring, ID and sanctions checking, mandatory training, approving financial promotions, and horizon-scanning for upcoming regulatory changes. Another popular area for outsourcing is the review of marketing materials for investment firms and broker-dealers.

But outsourcing is best accomplished when firms understand how it benefits them and how regulators will assess the quality of the outsourced services provided.

“Outsourcing is seen as a risk by many regulators, and guidance is in place in most jurisdictions. For example, in the United States the Federal Reserve has its own guidelines on outsourcing,” the Thomson Reuters report said. “For compliance functions, outsourcing is a good way of leveraging expertise from already stretched budgets, but care should be taken to ensure that outsourced contracts enable compliance with all relevant rules.”

The Federal Reserve’s “Guidance on Managing Outsourcing Risks,” issued in 2013, recommends conducting thorough due diligence on any service providers under consideration. And the guidance notes outsourcing compliance does not mean a firm outsources its risk.

“The use of service providers does not relieve a financial institution’s board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations,” the guidance said.

The Securities and Exchange Commission (SEC) has also cast a critical eye on outsourced compliance arrangements, particularly through a 2015 risk report on 20 firms that outsourced their CCOs, issued by its Office of Compliance Inspections and Examinations (OCIE), now called the Division of Examinations.

The risk report found some outsourced CCOs used standardized, generic checklists that did not fully capture business models, practices, strategies, and compliance risks. Others infrequently visited registrants’ offices, conducted only limited reviews of documents and training on compliance-related matters while on site, and had limited visibility into, and authority within, the organization.

The agency’s views on outsourcing compliance functions may have thawed since then, at least in the view of SEC Commissioner Hester Peirce.

Peirce recently spoke on outsourcing on an episode of the Securities Compliance Podcast sponsored by the National Society of Compliance Professionals and told host Patrick Hayes outsourcing the chief compliance officer role could have benefits to a CCO’s objectivity.

“An outsourced CCO can be an independent voice, and I think that can be useful,” she said. “I can see that as being a valuable way to get an objective approach from someone whose futures and fortunes are not tied exclusively to that firm … and can afford to be forceful when there’s an issue that person sees.”

Why outsource compliance?

Jehan Jeyaretnam is global head of compliance services for Acuity Knowledge Partners, which provides offshore compliance services to clients globally.

The foundation of Acuity’s customer base is in the global financial services industry, including asset managers, investment and commercial banks, and private equity and venture capital firms, he said. The firm also has customers in sectors like metals and mining and energy.

The compliance tasks often offshored are either high-volume or time-consuming ones, he said, or those that require specific skill sets.

Acuity’s clients offshore compliance tasks like investment compliance, including investment guideline coding and monitoring; corporate compliance, including e-mail surveillance and distribution compliance; and financial crimes compliance, including transaction monitoring, know your customer (KYC), and enhanced due diligence processes.

Jeyaretnam says some points for Acuity customers include increasing costs and lack of access to specialized compliance talent. Some clients have irregular compliance needs and are more inclined to outsource specific tasks.

“Our best value proposition is saving time for your in-house team by providing skilled resources to address your high-volume, yet low-critical process,” said Jeyaretnam, who is based in Sri Lanka. (Acuity has delivery offices based in India, China, Sri Lanka, and Costa Rica, and some Acuity specialists work in client offices in Hong Kong and the United Kingdom.)

Acuity’s teams are assembled in pods that are exclusive to one client, according to Jeyaretnam. They can provide services overnight that are available to clients’ in-house team first thing in the morning, he said.

Jeyaretnam recommends when considering outsourcing and offshoring compliance functions, start with low-risk activities that are taking a lot of your in-house compliance staff’s time. As your firm builds up a partnership with the offshore team over time—as they meet goals, deadlines, and expectations—you can add more volume or more complicated tasks.

Another reason for outsourcing is to access cutting-edge technology to analyze data.

Bill Hauserman is a senior director of compliance solutions at Bureau Van Dijk, a Moody’s Analytics company, which captures and treats entity information for better decision-making and increased efficiency. Its entity database, called Orbis, contains information on close to 400 million companies across the globe.

Hauserman said 8-10 years ago, 90 percent of outsourced compliance work was performed by people and 10 percent by technology. In the last three years, those numbers have flipped, he said. Firms want to find vendors who can analyze reams of data quickly, or they want vendors who can find patterns within multiple, complex data sets on a specific behavior or customer.

Outsourcing requests are evolving to tackle much more complex sets of tasks. For example, firms might outsource a deep information dive about economic and political conditions in an unfamiliar country or region in which they are considering doing business. They might ask for a detailed report on a specific foreign business partner or a foreign company being purchased through a merger or acquisition. “The level of sophistication of outsourcing needs is much higher,” Hauserman said.

Compliance consultants are also providing targeted intelligence for specific deals in areas of the world that are hard to maneuver in, like China and the Middle East, he said, adding they’ll want to know if anything is wrong with a particular deal.

Such targeted intelligence is being performed by boutique shops staffed by former U.S. State Department and law enforcement officials. These small shops are often located in Eastern Europe, countries like Poland and the Czech Republic, he said, as well as more common offshoring locations like Hong Kong and Singapore. These boutique firms fill a niche to gather intelligence on governments, businesses, and economic conditions for specific deals, and they do not offer cheaper services but instead specific expertise on finding and analyzing information that is hidden, outdated, or hard to find, he said.

Another reason to outsource is difficulty in finding niche compliance talent or due to the high cost of maintaining that talent in-house.

Larry Gordon is the managing director for risk at Endurance Advisory Partners, which provides strategic advice, including outsourcing decisions, to financial institutions. Gordon previously worked for a mid-sized ($100B+ in assets) bank in the Midwest, where he directed credit reviews and sanctions and oversaw Bank Secrecy Act compliance training. In those roles, he evaluated and hired outsourcing providers.

A big problem for mid-sized and small banks, he said, is having in-house subject matter experts to deal with narrow but important problems. He called this a “bus risk” problem—namely, if your organization’s only expert in a particular area is suddenly unavailable, the organization is left without its expert and, more importantly, without any means to replace that expertise quickly.

Ideally, firms would have at least two in-house subject matter experts. But of course, that is not always practical or affordable. Outsourcing, and even sending compliance functions offshore, was an alternative solution.

“We would look for the best tools and best providers, and we were agnostic as to where they were located,” he said. “Sometimes, the best provider was located offshore.”

Outsourcing firms can provide a certain level of detail and consistency on lower-level analysis, he said, and can screen large data sets for potential red flags and other time-consuming tasks.

Once the compliance outsource team submitted its report, bank employees would evaluate the analysis provided by the vendor and apply a more in-depth analysis, including escalating red flags for further investigation, he said.

Potential pitfalls

Outsourcing compliance does have its pitfalls, as noted with regulators like the Federal Reserve or the SEC.

What regulators want to know is whether outsourcing a firm’s entire compliance functions creates a gap between corporate behavior and accountability, according to executive coach and former chief compliance officer Amii Barnard-Bahn.

“A company cannot delegate compliance program design and oversight, disciplinary enforcement, or accountability for its effective implementation,” she wrote in an article for Compliance Week. “The company is ultimately liable for any compliance issues that occur due to mistakes made by your third-party provider—so your organization must still manage and implement effective monitoring controls to oversee any third party.”

Other problems can crop up with vendors, whether it’s with the speed and accuracy that they handle requests or communication issues.

Gordon said during his tenure with the Midwestern bank an offshore outsourcing vendor had been tasked with reviewing financial transaction data to create alerts for risky behavior. Reports generated by the offshore consultant occasionally missed red flags because of the language barrier of its workers or other interpretive issues.

The bank and the vendor would train the workers, and the situation would improve—until the trained worker took his or her improved skill set to another outsourcing vendor. An inexperienced worker would replace the experienced one, and the cycle would continue.

“We were doing everything twice, which costs more than doing it right the first time,” he said. “We were forced to go in a different direction.”