Outsourcing & Regulatory Compliance Risks

Transcription

1 Outsourcing & Regulatory Compliance Risks By Matthew Sullivan Today s marketplace dictates that Financial Services Institutions (FSIs) consider using offshore IT services to remain competitive. However, in light of the continuing focus on regulatory compliance, some FSIs have begun to worry about the risk of outsourcer regulatory compliance failures. This article, focusing on Sarbanes-Oxley (SOX) and the Gramm-Leach- Bliley Act (GLBA) (1), explores strategies to decrease compliance risk when using offshore IT vendors. Typically, regulatory compliance risks are adequately addressed if a vendor follows the directions of its FSI client, and the FSI s directions are in compliance with relevant regulations. Indeed, Federal banking agencies have implicitly acknowledged the benefits of outsourcing by providing guidance for outsourcing internal auditors and for managing third party relationships (2). However, those same regulations have also stated that FSIs cannot delegate their compliance obligations under SOX and the GLBA to their outsourced software vendors. Ultimately, an FSI increases the risk of regulatory compliance violations only if its vendors take less care to prevent violations than the company does, so each FSI must monitor and manage the compliance risk of its vendors. Outsourcing Reduced costs and increased productivity have driven the growth in software services outsourcing and FSIs have been some of its largest buyers. As outsourcing has grown, FSIs and outsourcers alike have been forced to clearly define processes and services in order to make sure each party understands its obligations under their agreements, and can measure its benefits from the arrangement. The result has been improved process workflows, definitions and measurements which let companies and their vendors clearly define and transact a standard measure of service output. Increasingly, the standard measure of service output, such as an hour of programmer time, includes terms of delivery that require vendors to meet a set of standards. These standards 1 The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 is commonly known as Sarbanes-Oxley; the Financial Services Modernization Act of 1999 is commonly known as the Gramm-Leach-Bliley Act. 2 Interagency Policy Statement On The Internal Audit Function And Its Outsourcing, March 17, 2003 and Office of the Comptroller of the Currency, Administrator of National Banks, OCC Bulletin on Third-Party Relationships, November 21, Kanbay Incorporated. All rights reserved. Kanbay and the Kanbay logo are registered trademarks of Kanbay Incorporated. Other trademarks are the property of their respective owners.

2 are subject to audits and governed by a relationship between the parties. Increasingly, FSIs are requiring their vendors to deliver services in a manner that meets appropriate regulatory compliance standards for their industry. The Regulations Concurrent with the growth in outsourcing, FSIs have become subject to increasing regulation from such legislation as Sarbanes-Oxley and the GLBA. Sarbanes-Oxley contains numerous provisions, including sections 302 and 404. Section 302 requires public company CEOs and CFOs to certify the adequacy of internal controls and that SEC reports fairly represent the financial positions and results of the company. Section 404 requires that annual SEC reports contain an internal control report assessing the effectiveness of the company s internal controls. Similarly, the GLBA contains privacy provisions which include the Financial Privacy Rule, the Safeguards Rule and the Pretexting Provisions. The Financial Privacy Rule requires financial institutions to give their customers privacy notices that explain the FSI s information collection and sharing practices, give their customers the right to limit some sharing of their information, and limit some FSI uses of consumer information received from other FSIs. The Safeguards Rule requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information. The Pretexting Provisions prohibit the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers personal financial information, such as bank balances. The Risks As indicated previously, FSIs cannot delegate their compliance obligations under SOX and the GLBA to their outsourced software vendors (3). Therefore, financial firms face outsourcerrelated compliance violations if the manner in which their vendors deliver services does not meet applicable laws or regulations. Therefore, the compliance risk of a given vendor may be related to the regulatory sensitivity of the services provided by the outsourced vendor. For example, outsourcers could expose FSIs to SOX 302 and SOX 404-related compliance risks if they provide services that are critical to, or may become critical to, the FSI s control over its financial reporting. Similarly, outsourcers could expose FSIs to GLBA-related compliance risks when they provide services that give them access to systems that could violate the confidentiality and integrity of personal consumer information. In both cases, the regulations are designed to protect against threats of disclosure and/or alteration of information. Because FSIs are responsible for outsourcer violations, FSIs must manage the regulatory compliance risks from outsourcers by applying the tools used for other aspects of the outsourcing relationship: standards, audits and relationship governance. 3 See Footnote Kanbay Incorporated. All rights reserved. Page 2

3 A first step to adequately manage vendor regulatory compliance risk is to determine which outsourcers pose regulatory compliance risks. Compliance Critical Outsourcing Vendors (CCOVs) are those that provide services that pose regulatory compliance-related risks for FSIs.» Sarbanes-Oxley CCOVs are those that provide software or services that are critical to financial reporting, or software that, when implemented, will be critical to financial reporting. For example, your vendor may be a CCOV if it provides production support to an enterprise data warehouse that s used for monthly financial reporting.» GLBA CCOVs are those that provide software or services that give the vendor access to personal consumer information. For example, your vendor may be a CCOV if it is building your new customer billing system. The potential for serious or frequent compliance violations exists when an FSI s vendor management processes do not include appropriate standards, audit features or governance controls. To help confirm that outsourcers are capable of meeting appropriate compliance standards, FSIs should involve their compliance management function in selection and due diligence when services to be outsourced present a potential significant risk to regulatory compliance (4). Managing Outsourcers The process of evaluating potential service outsourcers begins with a Needs Assessment. Armed with an assessment, an FSI can then determine whether or not outsourcing is appropriate and, if so, plan processes for outsourcer selection and due diligence, contracting, and managing outsourcing governance. During each of these processes, FSIs can take specific steps to incorporate regulatory compliance provisions into» the standards outsourcers will be required to meet,» the processes to be audited, and» the governance relationship between the parties. VENDOR SELECTION & DUE DILIGENCE In addition to the typical vendor considerations concerning the mix of quality, service and price, clients often require vendors to meet minimum thresholds for financial stability, size and service infrastructure. For CCOVs, the ability to meet regulatory compliance considerations may be an appropriate additional minimum threshold. During due diligence, one standard many clients use is whether or not outsourced vendors have conducted proper risk assessments of their own processes, systems and people. Outsourcers that have implemented such standards as CMM level 5, ISO 9001, and Six Sigma process improvement have indicated a commitment to customer quality and service. Similarly, those that have implemented ISO have indicated an interest in mitigating the risk in their processes, systems and people. ISO 17799:2005 establishes guidelines and general principles for control objectives and controls to improve information security management. 4 See Footnote Kanbay Incorporated. All rights reserved. Page 3

4 Generally, outsourcers that have implemented ISO will have considered the initiatives required to safeguard their processes and systems in a way consistent with SOX and GLBA regulatory requirements. Another important consideration is the type of relationship the FSI seeks with its outsourcer. Increasingly FSIs are choosing strategic partnerships with outsourcing firms instead of standard company-vendor relationships. Strategic partnerships align the culture and governance of the FSI and the outsourcer, resulting in decreased risks of regulatory compliance violations because the partners share both investments and risks. CONTRACTING A contract legally embodies the agreement between the parties and its accompanying terms and conditions. In addition to standard contract terms, CCOV contracts should include specific requirements for the vendor based on FSI consultation with its legal team to help confirm that such requirements are consistent with applicable regulations (5). In addition, contracts should» define standards (e.g. quality and service levels),» allow FSIs to audit outsourcers, and» define a governance model between the FSI and the outsourcer. Because a contract outlines duties, obligations and responsibilities of the parties it should be reviewed by legal counsel. FSIs can audit outsourcers using either their internal or external auditors. Alternatively, an FSI can secure an audit from the outsourcer s external auditor. For large agreements, where the risk is greater, FSIs have traditionally audited outsourced vendors and required periodic controls reports. Among FSIs, the trend is to require outsourcers to provide SAS70 examinations from the outsourcer s auditors. SAS70 (6) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. A contract is a useful statement of the parties responsibilities, but it should not substitute for a strong governance model to monitor, communicate and resolve disputes with a vendor. FSI/vendor relationships are more often mutually beneficial when contract terms are clear and the parties have provided a robust mechanism to manage the day-to-day activities and a procedure for dispute resolution. OUTSOURCING GOVERNANCE After an outsourcer is selected and a contracted executed, the parties usually want to enjoy a long, mutually-beneficial relationship. To successfully navigate such a relationship, the parties 5 This article is not legal advice. The reader is solely responsible for obtaining his/her own legal advice. 6 Statement on Auditing Standards (SAS) No. 70, Service Organizations 2005 Kanbay Incorporated. All rights reserved. Page 4

5 should generally have an Outsourcing Governance Framework (7). By implementing and monitoring a governance model, an FSI can oversee the vendor and activities that may have a material affect on FSI regulatory compliance (8). Kanbay s governance framework, called Spectrum6, helps build partnerships as opposed to standard vendor-client relationships. The key governance practices in Kanbay s Spectrum6 Governance Framework are» managing relationships to bridge cultural gaps,» collaboratively identifying and assessing outsourcing risks,» creating teams and communication channels to build structural alignment,» creating effective contracts which allow for flexibility,» managing service levels to help confirm on-going service measurement, and» implementing change management practices to facilitate cultural alignment and participation. These practices are implemented after first insuring that both the FSI and the vendor have a common understanding of the objectives for an engagement. This understanding is used to help confirm that expectations, goals and deliverables are managed effectively. Kanbay s Spectrum6 governance framework also encourages the development of peer relationships among various stakeholders in order to foster a collaborative engagement approach. Among governance practices, some of the keys to regulatory compliance are» collaboratively identifying and assessing outsourcing risks,» creating teams and communication channels to build structural alignment, and» managing service levels to ease on-going service measurement. The practice of identifying and assessing outsourcing risk is important to defining the standards by which an outsourcing relationship is governed. By collaboratively identifying the risks associated with an engagement, the parties can help monitor and control these risks by incorporating them into the service level agreements. The practice of creating teams and communication channels to build structural alignment facilitates coordinated activity and compliance with common objectives. The practice of managing service levels to ease on-going service measurement is effectively a microcosm of the overall governance process. Service level monitoring begins with an identification of metrics to be monitored. It also includes the creation of a framework to define, measure, and monitor those metrics. When service level metrics include regulatory-compliance-related measures, the communication channels set up during the engagement serve as a monitoring system for compliance-related issues. They can also be used to benchmark vendors, make periodic process improvements, and build periodic reports which can be tied to vendor compensation. Overall, outsourcing governance is a critical mechanism to help confirm that outsourcing vendors meet their commitments, including those related to regulatory compliance. 7 See Governance: Building Successful Outsourcing Engagements, by Aparna Umakant Katre, July See Footnote Kanbay Incorporated. All rights reserved. Page 5

6 Summary An FSI s level of regulatory compliance risk is not necessarily increased due to outsourcing. The level of risk varies based on an outsourcing vendor s ability to prevent compliance violations, and can be mitigated by FSIs working with their legal counsel to determine their regulatory requirements, and documenting those requirements in the vendor contract. Thus FSIs increase their risk of regulatory compliance violations only if they do not properly identify and document their regulatory requirements, or if they outsource to vendors who fail to fulfill their contractual obligations. An FSI that enters into a software services agreement with an offshore outsourcer does not generally incur increased risk of regulatory compliance violations simply because it is working with an offshore outsourcer. Outsourcers, particularly those that serve FSIs, generally have the same ability and incentive as any FSI to promote secure systems, controlled processes, and employee honesty. The key is to use business incentives for both FSIs and vendors, both onshore and offshore, to set, monitor and enforce proper standards. Standards, audits and a robust governance model provide tools for FSIs and outsourcers around the globe to collaboratively nurture lasting business relationships. A governance model such as Kanbay s Spectrum6 framework helps vendor-client relationships mature into global sourcing partnerships. ABOUT THE AUTHOR Matthew Sullivan leads Kanbay s Risk Management and Regulatory Compliance Practice. He has more than 17 years experience working with financial institutions in the capacities of attorney, management consultant and software product manager. Mr. Sullivan holds degrees in computer science, management, and law. ABOUT KANBAY Founded in 1989, Kanbay (NASDAQ: KBAY) is a global IT services firm focused on the financial services industry. With over 4,700 associates, Kanbay provides its services primarily to banking institutions, insurance companies, credit service companies and capital markets firms. The company uses a global delivery model to provide application development, maintenance and support, software package selection and integration, business process and technology advice, and specialized services. Kanbay is a CMM Level 5 assessed company headquartered in greater Chicago with offices in the U.S., Canada, U.K., Australia, Hong Kong, Japan, Singapore and India Kanbay Incorporated. All rights reserved. Page 6