Journal: December 2003 Issue 54

Regulation of outsourcing in the financial services sector in the Asia Pacific

by Graham Jefferson, Deutsche Bank

Graham Jefferson analyses the complex technological and commercial issues which arise when doing business in the Asian region in his article "Regulation of outsourcing in the financial services sector in the Asia Pacific". Graham analyses recent outsourcing trends in the financial services industry such as 'offshoring' and business process outsourcing, and the unique challenge that this trend presents to businesses and financial services regulators. He further discusses the regulatory environment in which outsourcing occurs, the risks involved for financial institutions and the complications that arise from the diversity of approaches among countries in the region.

Graham Jefferson is a technology lawyer with Deutsche Bank AG based in Sydney. He provides legal advice to the bank's technology and operations functions in the Asia Pacific region, working on a range of matters from smaller software licences to complex multi-jurisdiction business process outsourcings. He has degrees in computer science and law. The opinions expressed in this note are those of the author.

1 Introduction

Outsourcing remains popular within the financial services sector, particularly in these cost conscious times. Current trends include business process outsourcing and 'offshoring', or outsourcing from high cost locations to lower cost locations. At the same time, there has been an increase in regulatory scrutiny of outsourcing. Most financial services regulators now have some form of control over, or guidance in respect of, outsourcing. While the general emphasis is one of risk management, this guidance is not harmonised. This article examines some examples of regulatory guidance in the Asia Pacific region and examines how the different approaches taken by regulators potentially complicates outsourcing in the financial services sector.

2 Outsourcing trends in financial services - 'offshoring' and business process outsourcing

Outsourcing in the financial services sector has been popular for some time. However, recent disappointing economic conditions and other factors have introduced an emphasis on cost containment and outsourcing is increasingly seen as a means of reducing fixed costs or converting fixed costs into variable costs.[1] If one is able to outsource to a service provider operating in a location where wage and other costs are low the potential savings increase dramatically. This has led to a significant amount of outsourcing to India and other lower cost locations.[2]

Deutsche Bank has engaged in a sophisticated program to 'offshore' technology and operations functions from high cost locations to low cost locations.[3] In 2002, it divested its Bangalore based IT functions to a joint venture with the Indian technology provider, HCL Technology, with a view to creating a leading Indian based outsourcing services company. The end result, DSL Limited, now provides a wide range of technology and back-office services to Deutsche Bank businesses operating in London, New York, Frankfurt, Sydney and Singapore.

Deutsche Bank is not alone among financial services institutions in identifying offshoring as a strategy to manage down costs and increase efficiencies. On 13 October 2003, Bank of America announced that it would extend its outsourcing activities in emerging markets by establishing an Indian subsidiary. Analyst commentary at the time reported that two-thirds of US based banks outsource technology and operations work to developing countries such as India, China and Russia.[4] In the following week HSBC announced plans to employ 8,000 people in global processing centres located in China, Malaysia and India.[5] The predictions are that activity of this type will increase dramatically in the next few years.[6]

The second interesting outsourcing trend in the financial services sector is business process outsourcing (BPO). Most outsourcing that has occurred in financial services to date has involved the transfer of management of data-centres, desktop services, computing infrastructure and applications development. BPO extends what can be outsourced and involves engaging a third party service provider to perform actual business processes or functions. These functions are usually very closely aligned to the core processes of the client business. Examples from the financial services sector include cheque processing, reconciliation functions and middle and back-office operations. Payroll and human resources functions and procurement and accounts payable processes are also potentially the subject of BPO activity. Because operational expenses in financial institutions are typically seven times larger than technology spending,[7] the potential scale of the BPO market is enormous and predictions extend to US$100bn over the next five years.

One aspect of BPO that deserves particular attention is the potentially increased complexity and interdepedence between service provider and client that results from the outsource. The transfer of technology and business knowledge to the outsourcing service provider exposes the client to increased risks in the event that the relationship breaks down. Generally speaking there are more complex processes involved, which introduce additional operational risks.

Offshoring and BPO each have the potential to dramatically alter the risk profile of banks. This presents a unique challenge to financial services regulators. What are they doing about it?

3 An increased regulatory focus on outsourcing

At the same time as offshoring and BPO have become attractive to the financial services sector, there has been increased interest by financial services regulators in outsourcing activity. The regulatory focus is probably a consequence of a more general move to scrutinise and seek to supervise operational risk.[8] In the case of technology outsourcing the experiences of the so-called Year 2000 or Y2K problem may play a part. While Y2K proved to be less disastrous than many had predicted, the potential operational risks to the financial services community were significant.[9] Modern banks are completely reliant on technology and, in a very real sense, regulators came to appreciate how poorly managed technology can lead to serious operational and market risks. It is therefore not surprising that banking regulators have started to focus on the implications of outsourcing within the financial services sector.

How does the various regulatory guidance on outsourcing operate? The threshold question is obviously 'what activity is actually regulated?' The difficulty for regulators is to cast the net wide enough to catch activity that is likely to expose banks to increased prudential or operational risk, without casting it so widely that every type of service contract becomes the subject of additional regulatory scrutiny.

Some regulators have considered this issue closely and decided how best to narrow the scope of their outsourcing guidance. The most common solution is the adoption of some materiality criteria. The Australian Prudential Regulatory Authority (APRA) Standard[10] applies only to outsourcing of business activities that are 'material' in nature, e.g. "one that has the potential, if disrupted, to impact significantly on the [financial institution's] business activity, reputation or profitability".[11] Factors to be considered in determining materiality include:

1. financial and reputational impact of a failure of the service;
2. the cost of the outsourcing relative to the financial institution's total costs;
3. the degree of difficulty in replacing the service provider or bringing the service back in-house; and
4. the ability of the financial institution to meet regulatory requirements if there was a failure of the service provider.

The UK Financial Services Authority guidance adopts a similar approach[12] and specifically states that "the purchase of a standardised service from, for example, Bloomberg or Reuters and the provision of custody arrangements fall outside of the definition material outsourcing".[13]

Unfortunately, this challenge does not seem to have been met by the majority of financial services regulators operating in Asia Pacific. The regulatory guidance surveyed in the region does not generally limit the definition of outsourcing in any meaningful way.[14] As a result, a wide range of relatively low risk activities that are regularly delegated to third party service providers[15] may now be the subject of regulatory guidance. This adds to the workload of the regulators in question. It also has the potential to complicate what should be straightforward contractual arrangements.

4 Complications arising from regulation

Once the scope of the regulated activity is determined, the focus of interest moves to the substance of the guidance. What is actually required? Not surprisingly, a variety of approaches are exhibited. In some cases the emphasis is primarily on confidentiality,[16] for others the location of the service provider is important.[17]

Fortunately, much of the detail of the regulatory guidance regarding outsourcing is little more than a statement of best practice. For example, there are numerous recommendations that outsourcing arrangements be the subject of written contracts.[18] Other recommendations relating to termination rights, service levels, charges and dispute resolution are similarly non-contentious.

That said, there does not seem to have been much, if any, consultation between regulators as to the best approach to take to controlling risks associated with outsourcing or adoption of common standards. This diversity of approach creates logistical issues in projects involving multiple jurisdictions, for example, consolidating operations in Sydney, Singapore, Hong Kong and Kuala Lumpur into a single outsource service provider based in Bangalore.

Further, not all the guidance is consistent with common outsourcing practice and some regulatory requirements may complicate the process in ways that were probably not intended. For example, APRA requires that the relevant outsourcing contract grant APRA access to the service provider's premises and facilities.[19] The rationale for this is understandable and an appropriate clause can often be negotiated into the agreement with the service provider itself. However, the matter becomes more complicated when one appreciates that many outsourcing arrangements rely upon complex agreements between the principal service provider and sub-contractors. Often these relationships have been established before the financial services institution in question decides to outsource and the web of contracts may not readily be changed. Where the sub-contractors are themselves overseas it becomes even more difficult to negotiate in visits by a foreign regulator. While APRA indicates that it will only conduct on-site visits if they are considered necessary and would normally seek the information from the financial institution, questions do arise in negotiations about the frequency of visits, who bears the costs etc. Obviously, this could be identified as an issue during due diligence. How often this occurs in practice is another matter.

In the Singapore Guidance, the primary issue is confidentiality. However, the conditions under which outsourcing may be carried out require that the contract be terminable where there is a change of control in the service provider.[20] This right to terminate is something that service providers often resist quite forcefully. Is including a clause conferring this right the best way to manage the perceived risks? If so, why do other regulators not insist upon it?

Another interesting example of where the relevant regulatory guidance complicates cross border outsourcings occurs in the case of Malaysia. Bank Negara Malaysia's approach is to provide a blanket permission in respect of outsourcing certain functions to "resident service providers". Outsourcing to non-resident suppliers requires prior approval. The justification for this approach is the need to "develop and nurture a group of domestic outsourcing providers to cater for the need of the economy".[21] This justification goes some distance from managing operational or other prudential risk and appears to be motivated by more pragmatic economic considerations.

The Hong Kong and Singaporean regulators also identify concerns with offshoring. In Hong Kong financial institutions "should not outsource to a jurisdiction which is inadequately regulated or which has secrecy laws that may hamper access to data by the HKMA".[22] Where an offshore tax or police authority seeks access to Hong Kong data, the financial institution is to advise the HKMA and "if such access seems unwarranted the HKMA reserves the right to require the [financial institution] to take steps to make alternative arrangements for the outsourced activity".[23] The Singapore Guidance is less prescriptive but does require that offshore supervisory authorities seek permission from the Monetary Authority of Singapore before accessing Singaporean customer data.[24]

5 Conclusions

It is evident that offshoring involving Hong Kong, Singapore and Malaysia becomes complicated. Interestingly, the regulatory approaches discussed seem to reflect more general issues with outsourcing in the region, and to some extent the regulatory guidance issued in Asia Pacific reinforces themes identified in studies of outsourcing activity. The Gartner Group identified security and privacy issues among the top reasons that companies based in Asia Pacific choose not to outsource.[25] In individual discussions with users, the Gartner analysts detected that business and IT executives running Asian based businesses were uncomfortable with the idea of losing direct personal and physical control of their business data. This factor was identified as being uniquely strong in the Asia Pacific region.[26]

One consistent theme in the regulatory guidance (in Asia Pacific and elsewhere) is that senior management of the relevant financial institution remains responsible for the risks associated with the outsourced activity.[27] APRA summarises the position as follows: "[W]hile outsourcing may result in day-to-day managerial responsibility moving to the service provider, accountability for the business activity remains with the [financial institution]".[28] One doubts if any regulated institution would seriously argue against this proposition, but it nevertheless serves to reinforce the important point that outsourcing cannot be seen as a tool to shunt operational and other risks.

Footnotes

1. "The Economics of IT Services and Outsourcing in Europe", Gartner Group, 18 March 2003.

2. The locations typically identified include India, China and Russia. In Australia there has been much comment in the press about Telstra's decision to outsource jobs to India: see "Telstra deals send jobs to India", Australian Financial Review, 28 October 2003. However, Australia itself is considered a lower cost location and stands to benefit from this phenomenon. UBS recently announced the establishment of a global support centre to be based in Sydney. The facility will deliver technical support to 16,000 UBS staff on a 24 hours a day, 7 days a week basis: Australian Financial Review, 23 September 2003.

3. "More than offshoring: SmartSourcing", Michael Baldwin, 7 Journal of Financial Transformation 95, 102.

4. "Bank of America outsources to India", 13 October 2003, DBNetwork.

5. "HSBC cuts 4000 UK jobs by outsourcing to India", Australian Financial Review, 20 October 2003.

6. "Global Outsourcing: Financial Services Industries Options", Gartner Group, 31 May 2002; "Service industries go global", Financial Times, 19 August 2003.

7. "Outsourcing in Financial Services: Cost Savings or Competitive Advantage", BankTech, 27 February 2003.

8. New "Basle Accord" operational risk guidelines which come into effect in January 2005 have generated discussion on the operational risk implications of outsourcing within the financial services sector. When the new capital adequacy regime takes effect in 2005, this issue becomes more important. In simple terms, a bank's capital adequacy requirements will take account of operational risk, including that introduced by outsourcing.

9. Two of the earlier regulatory guidances were issued in 1999. The Federal Reserve Bank of New York guidance on outsourcing was published in October 1999: see "Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks", Federal Reserve Bank of New York, October 1999. The UK Financial Services Authority position was first released in June 1999: see now "Interim Prudential sourcebook: Banks", Vol 2 (www.fsa.gov.uk/handbook/ipru_bank.pdf) (FSA Guidance). See also G. Jefferson, "Y2K: A Selfless Pursuit of Self Interest", published in "The Millennium Bug: Aspects of Banking, Computer, Insurance and Company Law" (1999) Sweet & Maxwell.

10. APRA Prudential Standard APS 231 - Outsourcing together with Guidance Note AGN 231.1 - Managing Outsourcing Arrangements May 2002 (APRA Guidance).

11. APRA Prudential Standard APS 231, para. 5.

12. "Material outsourcing is the use of third parties to provide services to a bank which are of such importance to the bank that: (a) a weakness or failure in any of the activities outsourced would cast into serious doubt the bank's continuing compliance with the Principles for Business and Threshold Conditions; and (b) the outsourcing is by business units which are significant units.", FSA Guidance, para. 3.

13. FSA Guidance, para. 3. Draft guidance, from the Bank of Thailand appears to import a materiality threshold by adopting a definition of outsourcing that involves "any work concerning information technology and having material effect to the financial institution." See Bank of Thailand letter, 21 January 2003, para. 1.

14. Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing v.1 28 December 2001 (HKMA Guidance); Reserve Bank of India Guidelines on Risks and Controls in Computers and Telecommunications 4 February 1998 (Indian Guidance); Bank Negara Malaysia letter 14 April 2000 (BNM Guidance); Bankgo Sentral NG Pilipinas Circular No. 268 Series of 2000, 5 December 2000 (Philippines Guidance); Monetary Authority of Singapore "Banking Secrecy - Conditions for Outsourcing" 19 February 2003 (Singapore Guidance); Ministry of Finance Outsourcing Guidelines for Financial Institutions, 11 December 2001 (Taiwan Guidance); Bank of Thailand letter, 21 January 2003 (Thailand Guidance).

15. For example, infrastructure maintenance services and facilities management services.

16. Singapore Guidance.

17. HKMA Guidance, BNM Guidance.

18. APRA Guidance, BNM Guidance, Philippines Guidance, Singapore Guidance and Thailand Guidance.

19. APRA Guidance, para. 15.

20. Singapore Guidance, para. 10(a).

21. Bank Negara Malaysia Guidance on Outsourcing of Banking Operations, 14 April 2000.

22. HKMA Guidance, para. 2.9.1.

23. HKMA Guidance, para. 2.9.1.

24. Singapore Guidance, para. 14.

25. "Why Asia/Pacific enterprises outsource and why they don't", Gartner Group Research, February 2003.

26. "Why Asia/Pacific enterprises outsource and why they don't", Gartner Group Research, February 2003.

27. For example, APRA Prudential Standard APS 231, paras 2 and 9, HKMA Guidance, para. 2.1.

28. APRA Prudential Standard APS 231, paras 2.

December 2003 contents