Review of offshore outsourcing – Financial services advice licensees

Key points

  • ASIC has reviewed the use of offshore service providers (OSPs) among Australian financial services advice licensees (licensees) and their representatives.
  • Advice licensees retain ultimate responsibility under the Corporations Act 2001 (Corporations Act) for the operation of their financial services businesses, including where they outsource to OSPs.
  • The quality of risk management arrangements in relation to the use of OSPs varied across advice licensees we reviewed, with improvements in different areas required for each of the licensees.
  • Advice licensees should have sufficient skills to independently identify material risks and to assess an OSP’s performance and ongoing suitability, regardless of whether the licensee or their representatives access OSPs directly or through an intermediary.

ASIC’s review

ASIC reviewed how advice licensees and their representatives use OSPs through intermediary businesses. We did this to understand how advice licensees manage the risks of using OSPs, with a particular focus on technology, data sharing and privacy.

Australian advice licensees have obligations under the Corporations Act to maintain adequate risk management systems, to have adequate resources to provide the financial services offered by the business, and to carry out supervisory arrangements.

We reviewed 10 licensees with financial advice businesses of varying sizes who use OSPs through an intermediary.

We conducted an end-to-end review of policies, processes, practices and other risk management arrangements of the selected licensees for their:

  • onboarding due diligence of OSPs
  • monitoring and supervision of the ongoing performance of OSPs used by the financial advice business, and
  • cyber arrangements to protect personal and sensitive client information.

Of the 10 licensees we reviewed, over 300 of their representatives used OSPs at some point over the past two years.

Our review also included engagement with six intermediary businesses offering offshore outsourcing solutions to Australian advice licensees to understand the services and infrastructure they offered and their cyber security arrangements.

These six intermediaries connect Australian businesses with resources based internationally, including the Philippines, India and Sri Lanka.

We also obtained a sample of data from two large fund managers to understand the extent individuals located offshore enquire about Australian client superannuation and managed fund account information. The data indicated that enquiries originating from offshore were occurring regularly, with one fund manager reporting 900 enquiries in a 30-day period and another 16,500 enquiries originating from 24 countries in a 12-month period.

Advice licensee responsibilities

As set out in ASIC regulatory guidance, advice licensees are able to outsource functions, including administrative functions, advice support services and paraplanning. However, regardless of whether these functions are outsourced directly or through an intermediary business, licensees remain responsible for complying with their obligations.  

Where functions are outsourced, advice licensees must:  

  • have measures in place to ensure that due skill and care are taken in choosing suitable service providers  
  • monitor the ongoing performance of service providers, and  
  • appropriately deal with any actions by service providers that breach service level agreements or the licensee’s general obligations: see Regulatory Guide 104 AFS licensing: Meeting the general obligations (RG 104), paragraph 104.36. 

Advice licensees need effective risk oversight processes for identifying, prioritising, managing and monitoring critical risks. Licensees also need systems in place to ensure that their risk oversight processes are improved continuously as the business environment changes. 

Where responsibility for the outsourcing arrangements is delegated to an authorised representative, policies and procedures should be comprehensive, and auditing of compliance with the relevant licensee policies and procedures should be regularly undertaken and recorded by the licensee.

Failing to adequately supervise outsourced functions could result in the licensee failing to meet its legal obligations and cause harm to consumers. The more critical the outsourced function, the greater the risks involved. The risks can be exacerbated when there is inadequate supervision of these functions, particularly when they are outsourced internationally. 

What services are being outsourced?

Our engagement with the six OSP intermediary businesses identified the following as some of the offshore services these intermediaries offer Australian advice licensees:

  • financial planning assistants to complete a range of tasks, including client data entry and product research
  • paraplanning services
  • insurance application and document support, and
  • client communication, such as client situation updates or business updates.

The six intermediary businesses reported having a combined total of over 1000 licensees or their representatives as clients, and over 600 representatives of licensees had engaged with one of the six intermediary businesses in the past two years.

Of the 10 licensees we reviewed, the main offshore outsourced services used are advice support services, including paraplanning and administrative operations.

What are the key risks?

Some of the risks that arise from an advice licensee’s use of OSPs that concern us include:

  • risk of loss of control over some outsourced tasks or business functions that can impede a licensee’s ability to protect the confidentiality of its own and client information
  • risks related to data and technology, particularly protection of sensitive client information, because OSPs subject to foreign government laws may have to comply with directions that conflict with Australian laws or may lose control over, or access to, the data provided by the licensee
  • risks related to the effective detection and management of a breach of data or cyber incident for an Australian business if the business function or outsourced task is undertaken offshore
  • risk of operational disruption to the service that can harm consumers (offshore infrastructure may also be less reliable than that available in Australia, causing unnecessary disruptions to information technology services), and
  • risk of a licensee losing control over the people and processes dealing with outsourced business functions, which may pose challenges to the effectiveness of supervisory regimes and systems.

Observations: Policies, procedures and practices

We are concerned that most of the advice licensees reviewed did not have adequate arrangements in place for the assessment, appointment and ongoing monitoring of offshore outsourced services used by their representatives. Instead, they rely on the representative to ensure risks are managed appropriately.

Some of the licensees we reviewed recognise the risks of using OSPs and have taken, or are taking, steps to manage these risks. The degree of sophistication and rigour of risk management practices varied significantly, as highlighted below:

  • three licensees who used OSPs did not have a formal offshore outsourcing policy in place, and one licensee did not have offshore outsource policies at all, despite using OSPs
  • seven of the licensees’ information technology policies did not specifically reference or set additional requirements for offshore staff. In these cases, the policies were generic and applied to all staff, regardless of physical location or employment arrangement
  • there was no evidence that the licensees undertook regular audits of their representatives’ use of OSPs
  • two licensees were unable to identify all of their representatives that were using OSPs
  • none of the licensees we reviewed have systems for real-time alerts for OSP access violations, or audit system access or activity logs
  • when using an OSP intermediary business, licensees and their representatives appear to rely on the representations made by those businesses in relation to cyber security, without independent assessment or verification, and
  • of the six licensees with offshore outsourcing policies in place, only one provided comprehensive steps the licensee or their representatives need to take before appointing an OSP. In the policies of the other five licensees, the appointment requirements were broad and did not identify the minimum requirements that should be expected to satisfy the licensee that the OSP meets an adequate standard.

Considerations for advice licensees

Licensees should consider the following practices and findings from our review when developing, reviewing and modifying their risk management arrangements when engaging with OSPs, either directly or through an intermediary. 

Appointing an OSP

Poor practice

We identified an instance where one licensee did not have any policies or procedures for their representatives to use when engaging the services of an OSP. The licensee instead relied on the representatives who use OSPs to, in the licensee’s words, ’… conduct their business in a professional, compliant and legal manner’.

Three licensees did not have formal offshore outsourcing policies in place, despite engaging OSPs; however, they did provide some guidance in other policies.

Better practice

Six advice licensees provided a checklist that could be used by the licensee or their representatives to assess whether an OSP was suitable to be engaged. This included steps such as:

  • determining what information technology systems are in place
  • confirming that Australian privacy laws and principles will be met, and
  • establishing clear business roles prior to appointment.

In addition to providing a checklist, licensees should consider what minimum requirements need to be met for the licensee to be satisfied the appointment of the OSP is appropriate. For example, confirming that the service provider meets an information technology standard consistent with the licensee’s existing cyber policies, or that any contracts contain specific clauses relating to use, access, retention and disposal of data.

Disclosing use of offshore service provider

Poor practice

Four licensees did not have a policy that addressed whether the use of an OSP is required to be disclosed to a client or whether explicit consent is required to be obtained from the client prior to transmitting to, or allowing access to, their data by an OSP.

Better practice

For three licensees, their policy required disclosure by the representatives (e.g. in their Financial Services Guide) that client information may be provided to an OSP. The remaining three licensees require their representatives to obtain explicit client consent prior to providing client information to an OSP.

Monitoring ongoing compliance

Poor practice

There was no evidence the licensees we reviewed conduct regular and documented audits of the application of their policy and use of OSPs by their representatives.

Better practice

Licensees conduct audits at appropriate intervals and formally record the results, to ensure that their representatives’ application of the policy and use of OSPs complies with the licensee’s policies and procedures, as well as general licence obligations.

Approved offshore outsourcing provider panel

Poor practice

Three licensees we reviewed did not maintain a centralised list of OSPs approved for use by their representatives. For those licensees, where a representative seeks to engage the services of an OSP, the licensee allows the representative to independently assess the OSP’s capabilities in relation to the services being provided, including cyber risk and resilience. In two cases, the licensee does not review and approve the representative’s assessment.

Licensees who do not maintain oversight over the appointment of OSPs may find their representatives appoint an OSP with insufficient skills to deliver the necessary standard of service, or allow offshore personnel who are not appropriately vetted, or who are not operating in accordance with the licensee’s cyber policies, to access licensee systems.

Better practice

Four licensees we reviewed have established a panel of approved OSPs for use by their representatives. The licensees have undertaken their own due diligence and assessed the OSP as meeting the licensee’s standards, including around cyber security and service delivery.

Knowing which representatives use offshore services

Poor practice

We identified two instances where licensees did not identify all their representatives that were using OSPs. A licensee who is unaware whether their representatives are using OSPs is likely not meeting their general licensee obligations.

Better practice

Licensees are aware of all outsourced functions that their representatives use in the provision of financial services, so that they are able to carry out their supervisory function and comply with their general licensee obligations, particularly their risk management obligations.

Identifying and managing cyber risks

Poor practice

Five licensees did not explicitly require OSPs to comply with the licensee’s existing cyber frameworks to address cyber security risks or their cyber frameworks failed to consider the additional risk posed when Australian client information is accessed by OSPs.

Better practice

Licensees document and monitor OSP risk as part of the licensee’s organisational risk register, even when the OSP services are being used and monitored by the licensee’s representative. The OSP’s cyber risks should be assessed periodically using an industry standard or framework. Licensees that use an industry standard or framework should also actively explore and address entity risks unique to them.

Data privacy

Poor practice

While our review indicates that most OSPs access internal systems, additional risks are introduced where a licensee or representative transmits client information to an OSP but has not conducted an additional assessment of the offshore regulatory environment for data security and protection and implemented additional precautionary measures if required.

Better practice

In cases where client information is transmitted to an OSP by a licensee or their representative, it must be transmitted securely, and licensees should consider additional precautionary measures, such as enhanced encryption. In addition, the licensee should confirm that the OSP meets an information technology standard consistent with the licensee’s existing cyber policies and that any contracts contain specific clauses relating to use, access, retention and disposal of data.

Monitoring OSP system access

Poor practice

None of the licensees we reviewed audit system access or activity logs or have systems for real-time alerts for OSP access violations.  

Better practice

Licensees have an appropriate mechanism in place to review and audit the activity of the OSP on a regular basis, including access logs, actions and compliance status. If the licensee relies on its representatives to conduct this oversight of the OSPs they use, the licensee must take reasonable steps to ensure this is occurring regularly. For continuous monitoring, allowing licensees to rapidly detect and respond to data breaches or access violations, licensees could use real-time alert tools to detect unauthorised access or anomalous behaviour by OSPs.
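As an added illustration of the real-time alerting described above (example code, not part of ASIC’s review or any licensee’s tooling), the following Python detector applies three constructed rules to a sample OSP access log: a login from a country outside the OSP account’s approved list, access outside the agreed service window, and bulk access to client records within one hour. The log format, account names, countries, hours and threshold are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed approval register (assumption): the countries each OSP account may
# log in from, and the UTC hours during which the engagement permits access.
OSP_ACCOUNTS = {
    "osp-paraplan-01": {"countries": {"PH"}, "hours": range(22, 24)},  # 22:00-23:59 UTC
    "osp-admin-02":    {"countries": {"IN"}, "hours": range(1, 10)},   # 01:00-09:59 UTC
}
BULK_THRESHOLD = 5  # distinct client records an OSP account may open per hour

# Constructed log lines (assumption): "timestamp|account|country|action|client_id"
SAMPLE_LOG = """\
2024-05-01T22:05:00Z|osp-paraplan-01|PH|view_client|C1001
2024-05-01T22:06:10Z|osp-paraplan-01|PH|view_client|C1002
2024-05-01T22:07:30Z|osp-paraplan-01|LK|view_client|C1003
2024-05-01T12:00:00Z|osp-admin-02|IN|view_client|C2001
2024-05-01T02:00:00Z|osp-admin-02|IN|view_client|C2002
2024-05-01T02:01:00Z|osp-admin-02|IN|view_client|C2003
2024-05-01T02:02:00Z|osp-admin-02|IN|view_client|C2004
2024-05-01T02:03:00Z|osp-admin-02|IN|view_client|C2005
2024-05-01T02:04:00Z|osp-admin-02|IN|view_client|C2006
2024-05-01T02:05:00Z|osp-admin-02|IN|view_client|C2007
2024-05-01T09:00:00Z|adviser-smith|AU|view_client|C3001
"""

def parse_line(line):
    ts, account, country, action, client_id = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "account": account,
            "country": country, "action": action, "client_id": client_id}

def detect_osp_violations(log_text, accounts=OSP_ACCOUNTS, threshold=BULK_THRESHOLD):
    """Return (rule, account, detail) alerts for OSP access violations, in log order."""
    alerts = []
    per_hour = Counter()  # (account, day-hour) -> distinct client records opened
    seen = set()
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        policy = accounts.get(ev["account"])
        if policy is None:
            continue  # onshore account: not covered by these OSP-specific rules
        if ev["country"] not in policy["countries"]:
            alerts.append(("unapproved_country", ev["account"], ev["country"]))
        if ev["ts"].hour not in policy["hours"]:
            alerts.append(("outside_service_window", ev["account"], ev["ts"].isoformat()))
        key = (ev["account"], ev["ts"].strftime("%Y-%m-%dT%H"))
        if (key, ev["client_id"]) not in seen:
            seen.add((key, ev["client_id"]))
            per_hour[key] += 1
            if per_hour[key] == threshold + 1:  # alert once, when first exceeded
                alerts.append(("bulk_client_access", ev["account"], key[1]))
    return alerts
```

Run against the sample log, the detector raises one alert per rule; in practice the log would be streamed from the licensee’s identity provider or application audit trail rather than embedded.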

Incident response management

Poor practice

The licensees we reviewed have broad, undefined policies in relation to critical systems recovery timeframes to restore services and recover data if a security incident or system failure occurs. The policies do not explicitly reference OSPs.  

Better practice

Licensees require OSPs to have documented response strategies for high-risk scenarios (such as ransomware attacks), to conduct regular disaster recovery testing, and to participate in the licensee’s scheduled recovery testing. These requirements should be documented in the licensee’s system recovery policies.

Where to from here?

Licensees should consider how the findings from our review apply to their business if they are using OSPs or planning to do so in the future.

The observations from this review, in conjunction with longstanding ASIC guidance on compliance with obligations to maintain adequate risk management systems in RG 104, will help licensees improve their arrangements where needed and assist them to demonstrate they are:

  • undertaking reasonable due diligence when engaging the services of an OSP or approving OSPs for use by their representatives
  • meeting their oversight obligations in relation to their use, and their representatives’ use, of OSPs
  • ensuring OSPs used by the licensee or their representatives are adhering to the cyber policy standards of the licensee
  • consistently applying the same standards required of Australian-based third-party service providers to OSPs, particularly in relation to the handling of client information, and
  • ensuring adequate risk management frameworks are in place for ongoing assessment and monitoring of the risks of OSPs, and that these frameworks are reviewed and updated.

ASIC will continue to monitor the governance and risk management frameworks of financial services entities, and where appropriate, hold them to account for failing to have processes in place to protect consumers and investors from harm.

ASIC is Australia’s corporate, markets and financial services regulator.