9 Things You Must Consider for Full Vendor Management Compliance
We take a look at what financial services firms must consider to ensure their outsourcing arrangements comply with 2020 outsourcing regulations.
Since the financial crisis in 2008, local authorities and regulators around the world have drastically increased the amount of regulation published for financial services businesses. This accelerated in 2013 when the Financial Services Authority (FSA), widely perceived to have failed, was restructured into the Financial Conduct Authority (FCA), which today works very closely with the Prudential Regulation Authority (PRA).
The FCA now acts as watchdog for the conduct of all regulated and authorised firms and individuals alike, whilst the PRA, under the watchful eye of the Bank of England (BoE) and the Financial Policy Committee (FPC), is responsible for prudential matters, ensuring the financial stability of the larger organisations.
Many subject matter experts believe that the amount of new or updated regulation published each year has plateaued and will remain consistent. What has not yet had time to mature is the level of compliance with those regulations across the businesses themselves. Much like changing an operating model or transforming a team, amending key business processes and embedding metrics takes a long time to create, review and iteratively improve before becoming effective. With many organisations still only conducting annual reviews of their processes and associated controls frameworks, it is easy to see why a 2-5 year lag is anticipated between a regulation being published and the desired level of compliance being achieved. Ideally, there would be a way to accelerate through this change curve by using digital tools to minimise the windows of non-compliance.
Over the last decade, consulting papers, supervisory statements and guidance have outlined activities relating to the outsourcing of critical or important business processes, in part or as a whole. However, in the past these were more often sub-sections of much wider regulatory change, such as MIFID II and Solvency II, to name two examples. The focus increased throughout 2017 and 2018 with the introduction of specific and extensive guidance for outsourcing and the use of managed service providers for cloud, a huge growth area across all of financial services and beyond. Much of this came into effect in Sept 2018 and is expected to be deployed across the board and complied with by December 2021.
There are many aspects to the regulation, which references several key processes that need to be consistently applied at the time of contracting and then periodically throughout the contract lifecycle, coupled with a need to capture and record much more data than before, which can then be reviewed and referenced quickly.
The 9 questions below are not intended to be all-encompassing, but if you cannot answer them in a way that would satisfy a local authority that you are taking reasonable steps, with the necessary evidence available, your ability to comply may be in doubt!
- Do you map all vendor management activity from the front line teams running the process into a central repository, to ensure compliance with any regulation currently in place or being introduced?
- Are you able to demonstrate compliance to the regulator at any single point in time, or at multiple points during the lifetime of the regulation, linked to all the associated activity and reference material?
- Can you easily identify, and alert the regulator in a timely fashion to, any failed obligations or events that would be considered reportable?
- Are you always fit for audit, and do you ensure your policy is in a state of continuous audit through digital measures?
- Are you able to conduct assurance and oversight at any time, and be automatically alerted through live, real-time dashboards, to assure historic and ongoing compliance?
- Do you assure compliance with regulatory requirements at a qualitative level as opposed to a quantitative one? For example, do you ensure that a checked box exhibits all the hygiene factors associated with high-quality work, backed up by corresponding controls embedded within the operational process?
- Do the front line know how to identify and capture risk within the context of the business process during its delivery, without needing to be risk specialists or even necessarily skilled in risk management, giving you the ability to reduce the cost of change and weather staff attrition?
- Can you manage and communicate policy changes in real time, across fast iterative steps with inbuilt feedback loops, as opposed to infrequent quarterly or perhaps yearly ‘Big Bang’ approaches that need a lot of hand holding, embedding and communicating?
- And finally, can you meet all of the above specifically for internally delivered or intragroup services provided by different entities, in both a pre- and post-contract sense? This is now also considered to fall under the outsourcing guidelines.
If you are not confident in your answers, and feel you may not have embedded the appropriate controls into your existing business processes, then it is highly unlikely you can comply with these regulations, or at least not efficiently or effectively!