The FSA wrote to CEOs of Asset Managers in December to say that firms weren't always realistic about outsourced service provider risk. They said firms would be in real trouble should a big provider of investment operations or transfer agency go bust. Broadly this seems fair - the likelihood and impact of such an event could be off the scale in most firms' risk management processes and as a result, many firms are struggling to see a credible solution to the regulators' concerns. The reality is that the regulator will press this issue, and there are some subtleties that may be worth thinking about to both satisfy the requirement and to actually give firms an edge.
Here's what firms are currently saying:
- "There's a reason the work was outsourced in the first place". Retaining an ability to exercise "step-in" rights or in-source the function quickly defeats the business case for outsourcing.
- "Oversight has to focus on delivery not risk". Firms meet providers regularly and get Management Information (MI) on service delivery. They often skimp on risk because vendors are shy about internal operational risk and clients can't do much about it.
- "Investment firms have little leverage". Providers are typically large global banks. Most firms have little or no commercial leverage, so expecting these players to adjust their operating models or to expose internal MI is unrealistic. Even where contractual "step in" rights exist, many people agree they're hard to enforce.
- "It's like deck chairs on the Titanic". A provider failure would either be caused by – or would cause - major market disruption. Firms may stop trading after declaring a chaotic market. Besides, our peers would be equally troubled, so there's little competitive advantage to be gained.
- "We'll club together with other firms". These organisations have many clients. Between us we could step in and recover.
So the argument goes that if outsourcing is effectively prohibited, that's fine – but clients will experience higher fees and get a less resilient service. That can't be what the regulator wants, right? In response, the regulator might say:
- "You haven't outsourced the risk". It's an old one but a good one. If the new model has new risks, they need managing – and remember the firm has chosen to be in this situation.
- "Oversight is different from risk management". Those who monitor providers' services are typically incentivised by service delivery, not risk management. So this can't be about silos – the support, assurance and risk functions need to line up around this one.
- "The business model and environment have changed". The sector has outsourced a lot in the last decade, and we know big providers can go 'pop' (the regulator may be less averse to this than in the past). There are few firms who can demonstrate an ability to deal with the combination of those two changes.
- "Limited commercial power doesn't excuse inaction". There are still things you can do to prepare, predict and react. Not all firms will be affected in the same way - there may be good opportunities to harvest FUM from failed competitors.
So where does this leave the CEOs who have to respond to this letter? The regulator's position is likely to evolve – but we know enough to give existing BAU and change efforts something to think about:
- Narrow responses won't work. Vendor managers, BCP, Op Risk and others need to join up. Solutions from each of these functions alone are likely to be incomplete.
- It's not all about the big players. Many firms may be surprised by how a 'middle tier' of vendors is critical. This may include smaller unregulated firms like datacentre providers. They're more likely to fail, get less oversight, and could create the same client outcome, i.e. big redemptions. This is where the outsourced risk is both credible and manageable.
- It doesn't have to be reactive. Some firms use formal 'early warning' indicators for the financial viability of their providers. Although a rushed in-source or switch is still unattractive, early detection could provide valuable time to act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.