Third-party risk is on the rise
Third-party risk, according to Richard Rattue, Managing Director of Compli-Serve SA, is on the rise and needs to top your compliance watchlist.
Hyperproof’s 2022 IT Compliance Benchmark Report shows a staggering 90% of respondents had dealt with a third-party issue in the last year.
The need for risks to be prioritised
Members of law firm Fasken’s Insurance Team said that over the past years, organisations have become reliant on third parties to provide various services, including compliance services. “As a result of the increased reliance, organisations have consequently opened themselves to more risk such as data breaches. The recent Hyperproof’s 2022 IT Compliance Benchmark Report provides an indication of how many organisations have had to deal with third-party risks and the need for third-party risks to be prioritised in relation to the compliance agenda.”
From a compliance perspective, members of Fasken’s Insurance Team said that it would be imperative for organisations to understand the possible risks that emanate from third-party services and understand the obligations they are required to meet, both legally and contractually, in order to ensure a sufficient management plan is put into place, to better reduce the risks on a continuous monitoring basis. Without a sufficient third-party risk management plan, an organisation’s day-to-day operations are most likely to be affected and the organisation may be subject to hefty fines and reputational damage.
Compliance, high on the agenda
Compliance departments, according to Rattue, take direction from the C-Suite, so hopefully third-party risk is high on the agenda, due to how commonplace outsourcing has become in business.
“When you insource everything, you have direct line of sight of all your operations and can control things easily. But there are many specialist functions that are outsourced to third parties for a more cost- and time-effective solution, compliance being a shining example. IT is usually outsourced, especially for large companies who don’t want to employ those skills, and in financial services, asset management and administration are often outsourced too. Keeping a close eye on these types of mission-critical functions in your business should be high on the compliance and C-Suite agendas,” stated Rattue.
“The reality is, if you’ve outsourced a function, but your outsourced provider makes an error, you are still held responsible, so doing everything you can to prevent third-party risk is the most practical approach. A standard on outsourcing is expected from the Financial Sector Conduct Authority (FSCA), so if the regulator is concerned enough to put together a standard on outsourcing, compliance departments should be equally concerned - and should ensure that all outsourcing activities are handled with care,” he continued.
Pros and cons of outsourcing
A compliance function within any organisation, according to members of Fasken’s Insurance Team, requires skilled and experienced representatives to navigate the ever-changing regulatory sphere by constantly developing, implementing and maintaining compliance and ensuring that the organisation adheres to the applicable standards and legislation. An organisation, by way of procuring third-party services, diminishes the burden of having to employ an internal representative that is skilled and qualified, and ensures that the required compliance activities are attended to by those who have the expertise.
The biggest pro, according to Rattue, is access to specialised skills at a reasonable cost, as opposed to employing those skills in-house. “You get access to firms who specialise in regulatory compliance work and, thus, are more likely to be keeping up to speed with industry developments. Internal compliance officers typically have a lot on their plate and can easily fall behind on the latest industry news. As regulatory activity becomes increasingly specialised and the skills become niche, it’s then difficult to employ one person who has the complete skillset, making outsourcing a sensible choice.”
Members of Fasken’s Insurance Team mentioned that in the event of non-compliance, although the third-party service provider in an outsourcing arrangement may also be an accountable institution in its own right in terms of the Financial Intelligence Centre Act 38 of 2001, the organisation that procures the third-party services is not absolved from being held accountable. “An organisation that appoints a third party for compliance activities also risks losing sensitive data and the loss of confidentiality. Moreover, an organisation would not be able to control the operations, activities or processes of the third party to ensure compliance and is forced to rely on the competence of the third party.”
The cons, according to Rattue, are that you lose direct line of sight, and you are beholden to your outsourced provider to ensure they are doing their jobs properly and not exposing you to any risk. “You abdicate control in a certain respect but remain liable for the actions of the outsourced supplier - you are the primary and they are your contracted partner. The FSCA will likely not accept the outsourcing party passing blame for conduct errors to their outsourced partners. The regulator will expect that a level of due diligence is done on outsourced providers and their ongoing deliverables.”
New compliance challenges
Rattue mentioned that the new compliance challenges to come are typically related to outcomes-based oversight. “It’s about looking at the outcomes for the client, not about spending time worrying that you have ticked all ten boxes on the checklist. You will need to look beyond the CRMP (Compliance Risk Management Plan) at what the outcome was, and whether it was a fair and equitable result or sale for your customer.”
“Legislation will provide far less hard guidance than it used to, in terms of what you need to do to be compliant. The CRMP gives way to something new, requiring more than just ticking boxes. The challenge is finding the new ‘sweet spot’, where both the customer and the business have a happy outcome,” he concluded.
According to members of Fasken’s Insurance Team, a fundamental shift will be needed, from pure rules-based compliance to one where flexible and ethical decision-making is required.
“As the financial sector gears towards full implementation of the Twin Peaks regulatory framework, the impact that the Conduct of Financial Institutions (COFI) Bill will have on the financial sector still cannot be overstated, and the insurance industry is no exception. The proposed Act is aimed at consolidating the conduct standards of financial institutions housed in various pieces of legislation into one statute, moving away from the regulation of conduct according to the specific activity undertaken by that institution,” they said.
The inclusion of the Treating Customers Fairly (TCF) principles in COFI will render those principles legally binding and enforceable across all financial institutions, according to the team.
“TCF is an outcome-based regulatory and supervisory method that assures that regulated financial institutions provide clearly defined fairness outcomes for their customers. Throughout the product life cycle, from product design and advertising, to advising and servicing, to complaints and claims processing, regulated companies will be asked to demonstrate that they offer the six TCF outcomes to their customers.[1] Additionally, Environmental, Social and Governance (ESG) issues have risen to prominence in the past years and the effects of climate change and the need for stringent environmental regulation have been felt worldwide. Thus, companies may be expected to establish a company strategy at the board and executive management levels to identify, assess, manage and monitor ESG issues in business operations.[2] As a result, the full implementation of Twin Peaks, the TCF principles and ESG issues gears the insurance industry from pure rules-based compliance to one where flexible and ethical decision-making is of paramount importance,” the team concluded.
Writer’s Thoughts:
As mentioned above, it would be imperative for organisations to understand the possible risks that emanate from third-party services and understand the obligations they are required to meet, both legally and contractually, in order to ensure a sufficient management plan is put into place, to better reduce the risks on a continuous monitoring basis. Do you believe third-party risk should be high on the agenda, due to how commonplace outsourcing has become in business? Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts myra@fanews.co.za.
[1] https://www.fsca.co.za/Regulatory%20Frameworks/Pages/Treating-customers-fairly.aspx#:~:text=Treating%20Customers%20Fairly%20(TCF)%20is,fairness%20outcomes%20for%20financial%20customers
- Customers can be confident they are dealing with firms where TCF is central to the corporate culture;
- Products and services marketed and sold in the retail market are designed to meet the needs of identified customer groups and are targeted accordingly;
- Customers are provided with clear information and kept appropriately informed before, during and after the point of sale;
- Where advice is given, it is suitable and takes account of customer circumstances; products perform as firms have led customers to expect, and service is of an acceptable standard and as they have been led to expect;
- Customers do not face unreasonable post-sale barriers imposed by firms to change products, switch providers, submit a claim or make a complaint.
- Chief among the changes in the revised COFI draft is the interface of the Bill with other financial sector legislation. The proposed changes aim to reduce inconsistencies with other legislation and will lead to the amendment of some statutes and the repeal of others.
[2] https://www.unepfi.org/psi/the-principles/ for Funds, see King IV principle 1 of the Sector Supplements.