Outsourcing in the Banking Sector in the Bailiwick of Guernsey. A Thematic Report issued by the Guernsey Financial Services Commission


Outsourcing in the Banking Sector in the Bailiwick of Guernsey
A Thematic Report issued by the Guernsey Financial Services Commission
November 2008

Table of contents

1 Executive summary
2 Introduction and methodology
  2.1 Introduction
  2.2 Methodology
3 Findings
  3.1 Overview
  3.2 Findings from the industry wide survey and on-site visits
  3.3 Entity-specific findings from the on-site visits
    3.3 a Good practice
    3.3 b Exceptions
4 Acknowledgements
5 Useful websites

1 Executive summary

The main findings of the Commission's thematic review of outsourcing in the banking sector of the Bailiwick of Guernsey are as follows:

- A majority of the key functions that are outsourced are carried out intra-group, either utilising centres of excellence within a group, taking advantage of efficiencies from economies of scale, or making use of areas where resource constraints are less of an issue than they are in Guernsey;
- Functions that are outsourced to third parties are mainly non-core functions, and for the most part are non-critical to the day-to-day running of the bank;
- Core functions that are outsourced to third parties tend to be historical relationships where the service provider was once part of the group;
- In general there is a service level agreement (SLA) or agreements, or some such other document or documents serving a similar purpose, in place, or in a few cases being put in place, for the functions that are outsourced;
- There was a handful of examples where SLAs were not in place, one in relation to investment management support provided by group, and the rest relating to treasury services provided by group;
- On those SLAs that were reviewed, there were some gaps observed pertaining to dispute resolution and fee structure, though these gaps were only observed on agreements with third parties in relation to non-core functions, or with group;
- There is still some inconsistency in the definition of outsourcing with only some banks including services provided by intra group companies within the definition. Including intra-group service providers is considered good practice;
- From our limited review, the policies and procedures addressing the outsourcing process seem to be of an acceptable standard.

2 Introduction and methodology

2.1 Introduction

As an integral part of its on-going supervision of licensed banks, the Guernsey Financial Services Commission ("the Commission") carried out a review of outsourcing as a key element of the operational risk faced by the banking industry in the Bailiwick of Guernsey.

The Commission is committed to ensuring the compliance of the Guernsey banking industry with The Core Principles for Effective Banking Supervision. Core Principle 15 Operational risk, essential criteria 8 states:

The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management programme should cover:

- conducting appropriate due diligence for selecting potential service providers;
- structuring the outsourcing arrangement;
- managing and monitoring the risks associated with the outsourcing arrangement;
- ensuring an effective control environment; and
- establishing viable contingency planning.

Outsourcing policies and processes should require the institution to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.

The aim of the review was to identify and confirm the nature and extent of outsourcing within the banking industry in Guernsey, the materiality of any functions outsourced, and the controls and other risk mitigation undertaken in order to assess whether there were significant gaps or deviations from good practice that could set operational risk at a level that was unacceptable to the Commission.

The purpose of this thematic report is to summarise the key findings of the Commission's review in order to improve risk management practice in relation to outsourcing and ensure that the local banking industry has identified and mitigated against the operational risk involved in outsourcing functions to other parties.
The report is not intended to give a comprehensive description of all risks faced by Guernsey banks that carry out outsourcing, nor do the findings cited in the report represent issues faced by all banks. Rather, the report is intended to highlight both weaknesses and good practice in mitigating against the risk involved in outsourcing and to devise measures and supervisory responses to any issues identified.

It is the Commission's intention that outsourcing will be regularly reviewed as part of the on-site visits programme in order to ensure the industry is keeping pace with a changing environment and changing risk profiles of businesses, as well as to follow up on any recommendations made to individual banks.

2.2 Methodology

The Commission's thematic review was based on the Outsourcing in Financial Services paper ("the Outsourcing Paper") issued by the joint forum of the Basel Committee on Banking Supervision dated February 2005 and took account of the GFSC guidance note Outsourcing of Functions by entities licensed under the Protection Of Investors (Bailiwick of Guernsey) Law, 1987 updated in September 2007.

The Commission's review was structured in two stages:

- Stage 1 was carried out in June 2008 and consisted of an industry wide survey to identify outsourced functions, the service providers to whom those functions were outsourced, whether a service level agreement was in place, and the rationale for outsourcing those functions.
- Stage 2 involved on-site visits to a selection of banks and was completed by the middle of August 2008.

For the second stage, the Commission selected five banks which would provide a diverse sample of businesses banking on the island (e.g. clearing banks, deposit takers, subsidiaries and branches) as well as considering individual responses to the industry-wide survey. The questionnaire used for gathering information on these on-site visits was largely based on the Outsourcing Paper, which sets out the responsibilities of regulated entities when they outsource their activities.

The five on-site visits addressed the high level principles set out in the Outsourcing Paper:

- Policy and procedures;
- Risk management;
- Due diligence on service providers;
- Regulated entity's ability to fulfil local regulatory obligations;
- Written contractual arrangements;
- Contingency planning; and
- Protection of confidential information.

As well as covering the above topics in discussions with relevant staff at the licensees being visited, the review teams also assessed service level agreements against the seven key provisions detailed within the Outsourcing Paper, which should be addressed by a written service level agreement. The Commission also looked at documents evidencing monitoring of outsourced business as part of the licensees' risk framework.

The seven key provisions are:

- Activities to be outsourced / service and performance levels;
- Meeting regulatory obligations;
- Access to books, records and information;
- Continuous monitoring and assessment / Corrective measures;
- Termination clauses;
- Material issues unique to a particular outsourcing arrangement; and
- Conditions of subcontracting all or part of the outsourced activity where appropriate.

3 Findings

3.1 Overview

- A majority of core banking functions not provided by the licensed bank were outsourced to group companies.
- Core functions outsourced to non-group third parties tended to have a historical connection to the group or licensee.
- Functions outsourced to unconnected third parties were largely non-core support functions.
- In the handful of cases where service level agreements were missing, one related to investment advice from group and the other six related to treasury functions performed by group.
- Other missing service level agreements were between the Guernsey branch and its head office bank.
- There was still some inconsistency in the definition of outsourcing and in the criteria for when a service level agreement is required.

3.2 Findings from the industry wide survey and on-site visits

The initial survey covered four key questions:

1. Which material functions are currently outsourced by the bank?
2. Whether the regulated entity used a third party service provider or an intra group service provider?
3. Is a Service Level Agreement in place for each outsourced function?
4. What was the main rationale as to why these functions are outsourced?

We will address the responses received to each question in turn below.

1. Outsourced functions.

The survey revealed that a wide range of functions were outsourced. For the purposes of our analysis, we have analysed the material functions into two groups, namely core and non-core banking functions. The majority of the functions outsourced related to core banking functions. Those non-core functions outsourced represented fairly predictable ancillary functions.
It was noted that the core banking functions most heavily outsourced included IT systems; treasury; investments - dealing, management and administration; banking operations (for the managed banks in the Bailiwick); payments; credit; custodian services; banking debit and credit card related services; and the design and production of structured products. The main non-core banking functions outsourced include facilities management, human resources and payroll, marketing and IT support.

The overall split between core and non-core banking functions is illustrated in figure 1 below:

Figure 1 - Core / non-core functions outsourced (expressed as a percentage of all functions outsourced)

- Non-core banking functions outsourced: 37%
- Core banking functions outsourced: 63%

Figure 2 further analyses this by outsourced function (core and non-core).

Figure 2a - Core banking functions outsourced (expressed as a percentage of all core functions outsourced)

- Credit: 7%
- Structured products: 3%
- Custody: 5%
- Cards services: 6%
- Payments: 9%
- Risk management: 3%
- Compliance; Banking operations: 10%; 3%
- Back office: 2%
- IT systems: 21%
- Treasury: 17%
- Investments dealing, management and administration: 14%

Figure 2b - Non-core banking functions outsourced (expressed as a percentage of all non-core functions outsourced)

- Payroll: 7%
- Marketing: 7%
- Legal: 7%
- Other: 3%
- Internal audit: 23%
- Archiving: 8%
- Cheque books: 8%
- HR: 17%
- Finance: 20%

2. Third party or inter group service providers.

The majority of core banking functions are outsourced to intra group companies according to our survey. Only a few reported using external third party service providers for outsourcing core banking functions. In such cases these were normally smaller banks using a member of a large international banking group for such services as clearing. Overall the extent of the third party non-group outsourced services reported was minimal and limited to support and administration functions.

Figure 3 illustrates the split between the use of third party and intra group service providers and how this relates to core and non-core banking functions.

Figure 3a - Core functions outsourced to (expressed as a percentage of all core functions outsourced)

- Administrator of a managed bank; Third party: 9%; 12%
- Intra-group: 79%

Figure 3b - Non-core functions outsourced to (expressed as a percentage of all non-core functions outsourced)

- Third party: 33%
- Intra-group: 67%

3. Service level agreements.

The survey revealed that the majority of banks had a written service level agreement in place. The Commission did note that a number of banks reported that their service level agreements were under draft or awaiting approval. The Commission would expect these banks to prioritise the finalisation of these service level agreements especially where a core banking function is involved (such as treasury), irrespective of whether the service provider is intra group (such as a parent or sister company) or a third party. Having such a service level agreement in place will remove any doubt as to each entity's role and responsibilities and the exposure each entity faces should an operational issue/loss arise. The Commission will continue to monitor this area closely.

With regard to branch entities that outsource to their parent, service level agreements should be strongly considered for material activities in order that the Guernsey branch has a documented record of what the service provider's obligations are to the branch.

4. Rationale for outsourcing

The reasons for usage of outsourcing service providers varied widely with the spectrum of the functions covered. The most common reasons were: cost efficiency and economies of scale, using group expertise and resources, usage of centralised group service teams, difficulty in obtaining specialist expertise locally and ensuring consistency with group.

3.3 Entity-specific findings from the on-site visits

3.3 a Good practice

The Commission observed a number of areas of good practice during the visits:

- All of the entities visited had a formal written policy on outsourcing where outsourcing was clearly defined, usually in line with group policy.

- Three of the five banks visited included intra group outsourcing in their definition of outsourcing.
- Three of the five banks visited had a formal due diligence / tender documentation checklist already in place.
- The majority of the banks visited had existing signed and approved service level agreements already in place.
- At least one of the banks visited had had sight of the service provider's business continuity plan in order to understand recovery times.

3.3 b Exceptions

The Commission observed some areas where improvements should be made. Each bank concerned was notified individually and is actively addressing the points raised.

- Bank's definition of outsourcing needs to be expanded to include intra group outsourcing as one bank had functions outsourced within group without any service level agreements in place.
- One service level agreement was observed to have no section dealing with dispute resolution and payment arrangements.
- One bank had no active and ongoing assurance of the outsourcing function.
- One bank had no formal due diligence / tender policy in place for an ancillary function considered a minor service but conceivably this point could be more important for others.
- In some cases, there seems to be little formal ongoing monitoring at senior management level of the performance of outsourced functions (such as key performance indicators or standing agenda points in the risk meetings). This is especially true if the outsourced function is intra group.

4 Acknowledgements

The Commission would like to thank all banking licensees in Guernsey for contributing to the island-wide survey, and five specifically selected banks for participating in the on-site visits.

5 Useful websites

Basel Committee on Banking Supervision
The High Level Principles for Business Continuity document.
http://www.bis.org/publ/joint12.pdf

Financial Services Authority (FSA)
The UK regulator requirements
http://fsahandbook.info/fsa/html/handbook/sysc/8

Guernsey Financial Services Commission (GFSC)
Guidance note on outsourcing
http://www.gfsc.gg/userfiles/file/investments/outsourcingguiderevision.pdf

The Institute of Operational Risk (IOR)
The Institute of Operational Risk was created in January 2004 as a professional body to establish and maintain standards of professional competency in the discipline of Operational Risk Management.
www.ior-institute.org

Disclaimer

The foregoing is not intended as formal regulatory guidance, nor should it be taken to cover all relevant aspects of the subjects touched upon. Rather, it highlights shortcomings identified which, if addressed at an early stage, may help mitigate risk levels and avoid specific pitfalls. The Commission would welcome comments on any aspects of this paper and would also be happy to address any concerns or questions that readers may have in this respect. Any such communications should be addressed to:

Philip J Marr
Director of Banking
Guernsey Financial Services Commission