Banking has changed since the global financial crisis in 2008. The steady increase in regulations from Washington, the states and international organizations is now impacting IT leaders. As regulators examine vendor relationships and outsourcing arrangements more closely, there is a significant risk that poorly managed IT could trigger an audit finding, a fine or negative publicity. As IT leaders plan to review and renew IT service providers in 2016, here are some of the risks to manage.
In 2013, the Federal Reserve published a document that became required reading for IT leaders. This publication – Guidance on Managing Outsourcing Risk – highlighted the fact that outsourcing a service to a third party does not eliminate responsibility. What happens if a bank fails to properly manage a third-party service provider? The Federal Reserve has identified six risks that arise from outsourcing: compliance risk, concentration risk, country risk, legal risk, operational risk and reputational risk.
The Office of the Comptroller of the Currency (OCC), another key U.S. financial regulator, also published guidance related to outsourcing in 2013. In OCC BULLETIN 2013-29, the organization stated, “The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.” Specifically, the OCC has noted ineffective practices such as entering into outsourcing without a contract and incentivizing a third party provider to “take risks that are detrimental to the bank.” In the view of regulators, rushing into an outsourcing arrangement to cut expenses is likely to trigger unpleasant regulatory attention.
Regulatory trends: increased enforcement, higher standards
Prior to the financial crisis, many regulatory agencies lacked the resources and support to carry out enforcement actions. In recent years, there has been much greater support for regulatory agencies to impose fines and take other actions against companies that run afoul of regulations.
“Regulators have taken a deeper interest in outsourcing services that have an impact on either the regulatory posture of the organization or on cyber security and cyber-crime,” explains Bala Pandalangat, president and CEO of the Centre for Outsourcing Research & Education (CORE), a Toronto-based organization that provides outsourcing advice and training. CORE’s membership includes Deloitte, IBM, Xerox, large banks, universities and law firms such as Torys LLP.
“We see several common mistakes when it comes to outsourcing arrangements,” says Pandalangat. “The number one mistake is viewing risk management as an afterthought. Many deals emphasize the financial benefit of outsourcing at the expense of risk management. If risk management is not built into the contract, costly adjustments may be required to address that concern.”
Country risk and supplier diversity are other areas where mistakes are commonly made. “We have seen certain major financial institutions being caught off guard with severe disruptions during the recent historic floods in Chennai, India,” says Pandalangat. In late 2015, Chennai suffered its heaviest rainfall in a century, which disabled the region’s cellular networks, disrupted travel, closed companies and caused injuries and deaths. Having suppliers based in multiple locations and thoroughly understanding their disaster recovery capabilities are ways to address this risk.
Looking ahead to the future, increased regulatory expectations are likely. “Some regulators are working with some of the large advisory firms on developing more stringent guidelines,” says Pandalangat. These new guidelines will likely relate to data breaches, security and related matters.
Responding to due diligence requirements: the Infosys perspective
Infosys is one of the world’s largest outsourcing companies and is widely used by many of America’s largest companies, including banks. In some circles, Infosys is controversial because it is based in India, which suggests the company is part of the “offshoring” problem. Nevertheless, Infosys is rapidly gaining in popularity. The company has taken a proactive approach to responding to regulatory demands in the financial industry.
“We are seeing greater interest in due diligence activities for new clients and clients who are renewing agreements with us,” explains Dennis Gada, vice president at Infosys. “I view the guidelines on outsourcing from the Federal Reserve and other regulatory agencies as helpful – they clarify what is expected.”
Continued development of internal training is a major reason for Infosys’s continued success in the highly regulated financial sector. “We have enhanced the training we do on our side. The internal training program shows our teams what is required in documentation, audit requirements and privacy. Before we assign staff to financial services clients, they have to pass internal tests and certifications,” says Gada.
Increased due diligence in selecting outsourcing providers goes beyond evaluating a provider’s financial viability. “Current and potential clients are looking at our knowledge management processes, our employee background checks process, internal incident reporting process and process to use sub-contractors,” says Gada. IT managers in banking who work with outsourcing providers can ask similar questions to stay in alignment with regulatory expectations.
Beyond cost reduction: the outsourcing trend for the future
The first wave of outsourcing in IT was driven largely by cost considerations. IT leaders saw the potential to reduce staff costs by assigning activities to developing countries such as India. Cost reduction remains an important reason to consider outsourcing. Yet it is no longer the only consideration: improving productivity and customer service are now part of the mix.
“For a regional bank in the U.S., we are performing part of their mortgage process. Initially, it was a broken process that took a long time to onboard customers. We used a design thinking approach to transform the process. The result: onboarding now takes two days instead of over 30 days,” says Dennis Gada. Such improvements directly improve the customer experience.
“For banking clients, we are also seeing increasing demand for new services. For example, we are getting involved in mortgage origination and KYC (“Know Your Client”) services,” adds Gada. KYC requirements often include verifying a client’s identity, ensuring compliance with anti-corruption laws and ensuring that appropriate services are provided.
Whether you are planning to expand outsourcing or reviewing existing arrangements, take a broad view. Regarding risk, regulators may ask for evidence that you have conducted effective due diligence in selecting and managing the provider. Infosys’s recent work also shows that outsourcing providers are capable of delivering significant productivity gains. Outsourcing IT and other services is a complex decision that deserves careful thought.
This story, "Is outsourcing IT worth the compliance risk?" was originally published by CIO.