For years, the basic underlying approach to compliance has been to avoid a one-size-fits-all approach, tailoring controls and resources to your company’s own, unique risk profile.
In 2020, a few pieces of crucial guidance that didn’t just hint at, but flat out clarified regulatory expectations were:
» The updated FFIEC BSA/AML Exam Manual
» The re-issuance of the Evaluation of Corporate Compliance Programs, a piece of guidance that was reissued for the third time in four years, giving observers an idea of the weight of its implications
What these pieces of guidance don’t promote or rule out is the use of staff augmentation, consultants, and other support services to outsource compliance responsibilities.
With the ebb and flow of challenges in the past year, these guidances can be useful to firms trying to look for cost-savings while not increasing their compliance risk.
Answering the Outsourcing Question
The biggest questions that should be answered by Chief Compliance and Risk Officers are:
What’s the highest risk area (i.e., in need of the most attention the most quickly) that cannot be supported by the current infrastructure (e.g., a new team would need to be built, taking 12-18 months to get off the ground)?
Those high-risk areas — whether it’s a system that needs to be onboarded and implemented, a BAU process that the company doesn’t have capacity for in-house, or a specific project (e.g., a look-back that leads to a policy/procedure refresh) — these are the areas that can potentially be outsourced.
How Far Can You Go?
Undoubtedly, the safest area of compliance to outsource is training, with a wealth of service providers out there to build an LMS, create content, and even provide the training.
But moving into deeper compliance waters, how far out can a company go?
The reality is that there are no limits to what can be outsourced for the FFIEC Manual and other sources of guidance. While the Manual and the DOJ’s guidance talk about “appropriate resources”, neither say it has to be internal resources per se, rather enough resources to ensure that a company’s risk stays in line with its RAS or other parameters.
Can you outsource the function of board-level oversight? No, probably not.
But it’s likely that you can outsource all of the other levels leading up to that level. For example, the customer onboarding process for banks is ripe for managed services, whether its Customer or Enhanced Due Diligence. Transaction Monitoring and SAR filing are routinely supported through staff augmentation, whether in the short term for projects such as look-backs or the long term.
The reality is that there is no shortage of firms that will provide independent testing or model validation. It’s all, relatively speaking, safe to rely on outside sources up to a certain limit.
Checks and Balances
The limit of any involvement of managed services, projects, or other outsourced services is the amount, depth, and quality of the oversight provided by the hosting firm. What regulators look for is that the outsourcing that’s being done is rooted in the company’s risk assessment, and that—while the service provider may have some autonomy—there is sufficient oversight by the company.
» For example, can independent testing be outsourced on a needs basis? Yes.
» Should it be outsourced in whole, and in perpetuity? No.
» Should the managed services/outsourced services adhere to the hosting firm’s policies and procedures? Absolutely.
» Should there be internally-driven QA over the methodology used? Always.
From the Regulator’s POV
To be quite frank, regulators have never specifically called out a company for the use of managed services. It has always been more about the underlying issues that caused firms to use outsourced companies in the first place that have raised any concerns versus the methodologies used by the outsourced companies to solve the issues.
In reality, most regulators understand the need to outsource, and are somewhere between sympathetic and encouraging when it comes to outsourcing. What they look for, and what financial firms should be looking for, is balance.
Are you outsourcing certain areas of compliance, so that that function, business, etc. can be sustainable going forward? If the answer is yes, it’s likely that you’re on the right path.
When it comes to outsourcing, the industry is seeing that balance and sustainability take time, and that relying on the bench strength of managed services is not only viable, but seems to be the way forward.
First, Know Your Obligations
As you consider whether or not to outsource parts of your compliance program, it’s important to remember that your regulatory obligations are the first and most fundamental step in determining what your compliance framework should be. As a regulatory knowledge solution, Ascent is a powerful tool for both in-house compliance teams and third-party legal advisors and consultants.
By providing a constantly-updating register of obligations targeted to your firm, Ascent serves as the single source of regulatory truth for all parties involved in your compliance program, ensuring that everyone is on the same page, working off the same data.
INFOGRAPHIC: Regulatory Knowledge Automation, Explained
To see a demo of our AI-driven regulatory technology, contact us. To stay up to date on all things compliance and technology, subscribe to our email series Cliff Notes below.