Review of offshore outsourcing – Responsible entities

Key points

  • ASIC has reviewed the use of offshore service providers (OSPs) among responsible entities (REs) of registered managed investment schemes (funds).
  • REs, as Australian financial services (AFS) licensees, retain ultimate responsibility under the Corporations Act 2001 (Corporations Act) for the operation of their funds and should have sufficient skills to independently identify material risks and to assess an OSP’s performance and ongoing suitability.
  • The quality of the risk management arrangements in relation to the use of OSPs varied across the REs we reviewed, with improvements in different areas required for each of the REs. 

ASIC’s review

ASIC reviewed how REs use OSPs and manage associated risks. Our review focused on the adequacy of the risk management systems, including the frameworks for the oversight and monitoring of OSPs, particularly how they relate to cyber security risk and resilience.

We conducted our review in two phases:

  • Phase 1 involved a review of 30 REs to develop a broader understanding of the type of services outsourced to OSPs and what OSPs are being used.
  • Phase 2 involved an in-depth review of a sample of 10 REs who use OSPs.

Across the two phases, the REs reviewed are responsible for 392 funds and $191,364 million of assets under management. They represent a cross-section of the industry, factoring in diversity of operations, size, organisational structures and data analysis.

Table 1: ASIC’s review of REs’ use of OSPs

REs            # of REs   % of total # of REs   # of schemes   % of total # of schemes   AUM $m       % of total AUM
Phase 1 REs    30         9%                    392            11%                       $191,364     9%
Phase 2 REs    10         3%                    162            5%                        $116,812     6%
Sector total   349        100%                  3,564          100%                      $2,016,774   100%

Of the 30 REs we reviewed in phase 1, 17 indicated that at least one of their business functions was outsourced to an OSP in the preceding two financial years. Of these 17 REs, we selected a sample of 10 REs for phase 2 of our review.

Phase 2 involved an end-to-end review of policies, processes, practices and other risk management arrangements for their: 

  • onboarding due diligence of OSPs 
  • monitoring and supervision of the ongoing performance of OSPs, and 
  • cyber arrangements to protect personal and sensitive client information. 

RE responsibilities

As set out in ASIC regulatory guidance, REs are able to outsource functions, including investment management, custody, fund administration and transaction processing services. Regardless of whether these functions are outsourced, REs remain responsible for complying with their obligations.  

Where functions are outsourced, REs must:  

  • have measures in place to ensure that due skill and care are taken in choosing suitable service providers 
  • monitor the ongoing performance of service providers, and  
  • appropriately deal with any actions by service providers that breach service level agreements (SLAs) or the RE’s general obligations: see Regulatory Guide 104 AFS licensing: Meeting the general obligations (RG 104), and Regulatory Guide 259 Risk management systems of fund operators (RG 259).

Boards of REs need effective and robust risk oversight processes for identifying, prioritising, managing and monitoring critical risks. REs also must have systems in place to ensure that their risk oversight processes are improved continuously as the business environment changes. 

Failing to adequately supervise outsourced functions could result in the RE failing to meet its legal obligations and cause harm to consumers. The more critical the outsourced function, the greater the risks involved. The risks can be exacerbated when there is inadequate supervision of these functions, particularly where the functions are outsourced internationally.

What services are being outsourced?

The main services REs outsource offshore are management and oversight of the investment process and administration of the fund’s portfolio, custody, fund administration and transaction processing services.

REs are more likely to engage in the outsourcing of business functions as their total assets increase. For the six entities in the top 20% of our sample by total assets, all outsource at least one business function. For entities within the middle 40% and bottom 40% by total assets, only 33% to 58% outsource one or more business functions to OSPs.

What are the key risks?

Some of the risks that arise from an RE’s use of OSPs that concern us include:

  • risk of loss of control over some outsourced tasks or business functions that can impede an RE’s ability to protect confidentiality of its own and client information
  • risks related to data and technology, particularly protection of client information, because OSPs subject to foreign government laws may have to comply with directions that conflict with Australian laws or may lose control over or access to an RE’s data
  • risks related to the effective detection and management of a breach of data or cyber incident for an Australian business if the business function or outsourced task is undertaken offshore
  • risk of operational disruption to the service that can harm consumers and market participants (offshore infrastructure may also be less reliable than that available in Australia, causing unnecessary disruptions to information technology services), and
  • risk of an RE losing control over the people and processes dealing with outsourced business functions, which may pose challenges to the effectiveness of supervisory regimes and systems.

Observations: Policies, procedures and practices

The 10 REs included in the phase 2 review generally maintain appropriate risk management systems for oversight of their OSPs. However, the following areas could be improved:

  • implementing comprehensive initial and ongoing due diligence processes for choosing and monitoring OSPs
  • ensuring clearly defined metrics in SLAs
  • monitoring the ongoing performance of OSPs
  • maintaining the necessary resources and skills for monitoring outsourced activities
  • implementing mechanisms for dealing with breaches of SLAs by OSPs, and
  • enhancing cyber security and resilience.

Offshore outsourcing strategy and policy

Of the REs we reviewed in phase 2, all 10 have outsourcing strategies (either standalone or group wide) with the scope covering offshore outsourcing. 

All REs responded that they had a balanced or low risk appetite for offshore outsourcing risk and implemented arrangements to identify, assess and manage those risks.  

One RE determined that engaging an OSP that is not a related party of the RE fell outside its risk appetite. As a result, its risk treatment strategy was to not engage unrelated parties as OSPs. 

Risk management framework, systems and practices

We found that the sophistication of the risk management systems to manage risks related to the offshore outsourcing arrangements varied significantly. Generally, the larger the RE’s business, the more sophisticated their risk management system in terms of ongoing performance monitoring and dealing with breaches of SLAs by OSPs. Five of the larger REs reviewed have an enterprise-wide, integrated approach to risk management of service providers, some on a global scale. For seven REs, a broader outsourcing or vendor management framework covered policies related to OSPs.  

The most sophisticated risk management arrangements for offshore outsourcing were seen in four REs that maintain a dedicated outsourcing governance board and a specialised outsourcing risk management team, along with a centralised oversight function, which typically includes a service provider register, a governance team, and executive oversight.  

Management of cyber and security risks when engaging OSPs

All 10 REs recognised cyber risks arising from the use of OSPs and have arrangements in place to manage these risks. However, the degree of sophistication and rigour of risk management practices of REs to ensure OSPs have adequate cyber security risk management arrangements varied significantly. 

From the review, we identified that the four REs that are part of a group regulated by the Australian Prudential Regulation Authority (APRA), or that have elected to comply with the requirements of APRA standards, have more sophisticated cyber and security management arrangements when engaging with OSPs.

Considerations for REs

REs should consider the following practices and findings from our review when developing, reviewing and modifying their risk management arrangements when engaging with OSPs.

Due diligence processes

Poor practice

Six REs did not consider jurisdictional risks as part of their due diligence process. Five REs did not consider contingency arrangements as part of their due diligence process. The policies of three REs lacked provisions to undertake periodic, independent reviews of the OSPs’ governance and control environment.  

As part of their due diligence, none of the REs considered the concentration risk of relying on one OSP to perform a number of functions for the RE, particularly where those functions are critical.   

Better practice

REs that have documented processes that enable assessment, before selection and on an ongoing basis, of the OSP’s technical, financial and human resources capabilities to perform the outsourced tasks effectively, reliably, continuously and to a high standard. REs should consider conducting enhanced due diligence on particular risks, for example jurisdictional risk, data accessibility, and security and privacy of information when offshoring.

The selection, assessment and monitoring of an OSP should be undertaken by competent staff who are skilled to evaluate the ability of the service provider to perform the outsourced tasks.

One RE conducted site visits during the due diligence phase of appointing an OSP to assess whether they have the necessary infrastructure to provide their services.

Ongoing performance monitoring

Poor practice

Four REs’ oversight arrangements did not require clearly defined metrics to measure the service level or the type and frequency of service delivery reports to monitor the performance of the outsourced tasks, which may not allow for the timely and effective identification of current and emerging risks. 

Better practice

REs that implement processes for establishing and documenting clearly defined metrics to measure service levels, enabling effective assessment and reporting on the quality of tasks performed by the service provider on an ongoing basis. 

In-house staffing and skills

Poor practice

Three REs did not define the level of resourcing required for monitoring offshore outsourced activities and did not specify the appropriate skills required for the staff tasked with monitoring performance of offshored functions. 

Better practice

REs that maintain a minimum operational and managerial capability, including technical and human resources appropriate for their business model, which is clearly defined in their policies. This could include senior management and key function holders, such as control, compliance and risk management personnel.  

Service level agreements

Poor practice

Four RE policies lack provisions for reassessing materiality or updating SLAs with OSPs after significant business changes.

Better practice

REs that enter into a legally binding written contract with each OSP. The nature and detail of the contract should be appropriate to the materiality or criticality of the outsourced task and should define, as applicable, among other things, the framework for amending existing arrangements.  

Handling breaches of SLAs

Poor practice

Three SLAs did not include the requirement for immediate corrective action by the OSP for breaches of the SLA.  

Better practice

REs that have mechanisms to identify, escalate and resolve in a timely manner any actions by service providers that breach SLAs. 

Identifying and managing cyber risks

Poor practice

Four REs did not explicitly require OSPs to comply with existing cyber frameworks to address cyber security risks or to test the effectiveness of the OSP's incident response capability on a periodic basis.

Better practice

REs that document and monitor an OSP’s risk as part of the organisational risks register, with changes in an OSP’s cyber risk escalated to an appropriate board committee of the RE. The OSP should be required to attain and maintain specific controls, standards or frameworks as part of the contractual arrangement between the RE and OSP. The OSP’s cyber risks should be assessed regularly using an industry standard or framework. REs that use an industry standard or framework should also actively explore and address entity risks unique to them.

Data privacy

Poor practice

Five REs did not assess the offshore regulatory environment for data security and data protection or consider additional precautionary measures (such as enhanced encryption) if client data is permitted to be transmitted to or accessed from offshore.

Better practice

REs that regularly assess OSP controls to manage sensitive and confidential information and response procedures to report any breaches of personal and confidential information, as part of initial and ongoing due diligence.  

Monitoring OSP system access

Poor practice

Five REs did not audit system access or activity logs or have systems for real-time alerts to detect OSP access violations. 

Better practice

REs that review and audit the OSP’s activity, access logs, actions and compliance status on a regular basis. For continuous monitoring, REs could use real-time alert tools to detect unauthorised access or anomalous behaviour by OSPs, allowing them to rapidly detect and respond to data breaches or access violations.

Incident response and escalation

Poor practice

Five REs did not test the effectiveness of an OSP’s incident response capability. Seven REs did not integrate the OSP’s incident management and contingency plan with the RE’s own contingency plans.

Better practice

REs that review and test the OSP’s incident response capability regularly. To ensure the continuity and quality of outsourced tasks or services in the event of an emergency, REs should consider integrating an OSP’s incident management and contingency plan with the RE’s contingency plans.  

Business continuity

Poor practice

Five REs do not require OSPs to have documented critical systems recovery timeframes to restore services and recover data in the event of a security incident or system failure.

Better practice

REs that require OSPs to have documented response strategies for high-risk scenarios (e.g. ransomware attacks) and regular disaster recovery testing, and that participate in scheduled recovery testing.

Ongoing security reviews

Poor practice

Eight REs’ reviews of OSPs’ data handling protection arrangements are not triggered by changes in threats and vulnerabilities, cyber incidents, changes to standards or changes to the nature and scope of data handled by OSPs.

Better practice

REs that perform audits of OSPs’ data handling protection arrangements on a regular basis, as well as establish predefined trigger events, such as changes to standards and cyber breaches that would trigger further reviews.  

Where to from here?

We encourage all REs to consider how the findings from our review apply to their business if they are using OSPs or planning to do so in the future.

The observations from this review, in conjunction with longstanding ASIC guidance on compliance with obligations to maintain adequate risk management systems (see RG 104, RG 259 and Regulatory Guide 132 Funds management: Compliance and oversight (RG 132)), will help REs improve their arrangements where needed and assist them to demonstrate that they are:

  • undertaking reasonable due diligence when engaging the services of an OSP
  • meeting their oversight obligations in relation to their use of OSPs
  • ensuring the OSPs they use adhere to the RE’s cyber policy standards
  • consistently applying the same standards required of Australian-based third-party service providers to OSPs, particularly in relation to the handling of client information, and
  • ensuring an adequate risk management framework is in place for ongoing assessment and monitoring of the risks of OSPs, and that the framework is reviewed and updated.

ASIC will continue to monitor the governance and risk management frameworks of financial services entities, and where appropriate, hold them to account for failing to have processes in place to protect consumers and investors from harm.

ASIC is Australia’s corporate, markets and financial services regulator.