1/21/2007

Outsourcing: What International Banks Should Know

As press reports continually remind us, outsourcing is an important focus of every large business. Banks are no different.

A 2005 study by Deloitte Touche Tohmatsu found that the majority of global financial services companies (including banks) surveyed have at least one outsourcing contract.[FOOTNOTE 1] Operations outsourced by such companies include customer call centers, information technology-related services, data processing, investment management and back office clearing operations. Some banks also are establishing subsidiaries to provide these services (called "captive outsourcing") instead of using third-party service providers such as Accenture, OfficeTiger, Infosys or Metavante.

This article looks at international standards and U.S. regulatory requirements for outsourcing of business operations by a bank.

INTERNATIONAL GUIDANCE

There is no dearth of guidance on how banking organizations should handle their outsourcing relationships. At the international level, for example, the Joint Forum, which consists of international banking, securities and insurance regulators, has issued guidance describing the factors that financial services companies and their regulators need to take into consideration in outsourcing arrangements.[FOOTNOTE 2] The Bank for International Settlements' Basle Committee, a group of international bank regulators that sets standards on international banking issues, has included a discussion of outsourcing issues in its publications.[FOOTNOTE 3]

U.S. GUIDANCE

In the United States, there are laws, regulations and regulatory guidance on outsourcing. Under the federal Bank Service Company Act, a bank, including the U.S. office of an international bank, must provide notice to its primary federal regulator when it outsources certain business operations, such as data processing, within 30 days of entering into such an arrangement.[FOOTNOTE 4] A federal banking regulator also must be provided access to the bank's service provider as part of its examination of the bank.

In New York, state-chartered banking organizations and state-licensed offices of international banks must provide prior notice to the New York State Banking Department (NYSBD) of any "data processing" outsourcing arrangement, although the NYSBD generally applies its requirement to any outsourcing of business operations.[FOOTNOTE 5] The NYSBD requires that the contract provide it with access to the service provider's records, books and staff as necessary to examine the bank.

The Federal Financial Institutions Examination Council, a committee of federal and state bank regulators, has issued detailed guidance on outsourcing through its Information Technology booklets, in particular, "Outsourcing Technology Services" (June 2004) and "Supervision of Technology Service Providers" (March 2003). Individual bank regulators also have issued outsourcing guidance.[FOOTNOTE 6]

In addition, some U.S. laws and regulations carry their own service provider provisions, such as the "Interagency Guidelines on Information Security Standards," adopted by the federal banking regulators. The guidelines, with which the banks are expected to comply, require U.S. banks, including U.S. offices of international banks, to implement written information security programs addressing (i) security and confidentiality of customer information, (ii) anticipated threats or hazards to the security or integrity of such information, (iii) unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer, and (iv) proper disposal of customer and consumer information.[FOOTNOTE 7]

Moreover, the guidelines specifically require banks to oversee service provider arrangements and to include a provision in their contracts that the service provider "implement appropriate measures designed to meet the objectives of these Guidelines." Banks also need to monitor the service providers' compliance with this contract provision, such as by reviewing audit reports.

GENERAL PRINCIPLES

What are the more important general principles to be gleaned from all this guidance?

Ultimate responsibility for outsourcing relationships lies with the board of directors and senior management.

The board of directors and senior management of a bank are responsible both for establishing and approving a comprehensive policy to govern the outsourcing process, and for the consequences of any outsourcing arrangement. No outsourcing arrangement should impede a bank's ability to service customers and comply with relevant laws and regulations.

Effective due diligence on potential service providers is critical.

A due diligence checklist for any potential outsourcing arrangement should include the following:

* Obtaining certified copies of the service provider's organizational documents;
* Considering the qualifications and background of the service provider's senior management;
* Researching the reputation of the service provider in the industry;
* Checking the service provider's references and seeking additional references from others;
* Evaluating the financial condition of the service provider by reviewing its audited financial statements and asking for a certificate or other proof of insurance;
* Assessing the service provider's technological and systems capabilities to determine whether it will be able to do the job effectively;
* Reviewing the service provider's internal controls environment and audit function; if there have been lapses in controls, finding out how these lapses were addressed; and
* Examining the service provider's legal and regulatory compliance record, particularly in its home country and in the United States.

A risk management program must take into account all relevant risks.

There are various potential risks involved in any outsourcing arrangement, particularly one involving a provider in another country:

Country/political risk: How politically stable is the government of the country in which the service provider is located? Is there concern that the government could interfere with the service provider's ability to do the job?

Reputational risk: Could problems with the service provider reflect poorly on the bank and its ability to effectively service customers, or, worse, is the service provider violating regulations or agreed-upon procedures such that the bank regulators will seek an enforcement action against the bank?

Operational risk: Is the service provider going to be able to perform the contracted-for services without undue problems or delays? Does the service provider have a business continuity plan in the event of a disaster that disrupts operations?

Compliance risk: Is the service provider able to comply with all relevant laws and regulations and specified company practices?

Strategic risk: Is the outsourced activity in line with the bank's corporate goals? Is there effective oversight of the service provider to ensure compliance with overall corporate goals?

Information security risk: Does the service provider have adequate systems in place to protect data, such as limiting access to records to only those persons needing to review them, providing adequate physical security at the building and having electronic authentication policies such as frequent change of passwords?

The contract with the service provider should be as specific as possible regarding the expectations of the parties.

All the oral "understandings" reached during negotiations are useless unless they are put in writing. A contract must address all of the parties' expectations and describe specific rights and responsibilities, particularly where the contract is calling for a change in the usual procedures followed by the service provider.

For example, a service provider may subcontract out some of its work under a particular service contract, but subcontracting may raise additional risks for the bank. The contract should provide for disclosure to, and approval by, the bank of all subcontracting relationships.

The contract's provisions should include a discussion of the following items:

* Pricing structure, including additional costs for special services;
* Measurable service levels and performance standards;
* Security and confidentiality of information;
* Preservation of intellectual property rights;
* Audit and oversight rights;
* Regular reporting requirements;
* Business continuity plans;
* Acknowledgement of the regulatory right of access to the service provider's systems, records and personnel as part of an examination of the bank;
* Dispute resolution, assignment and indemnification provisions; and
* Termination provisions (the bank should be able to terminate the contract without penalty if the relevant regulator orders the bank to terminate such relationship).

The service provider must understand and acknowledge the importance of regulatory compliance.

In 2002, the U.S. Treasury Department's Office of the Comptroller of the Currency, which charters and regulates national banks, took regulatory action against both a national bank and its service provider for various reasons, including failure to safeguard customer loan files, some of which had been left in a trash dumpster. The contract must be very specific about the service provider's responsibility to comply with changes in all applicable laws or regulations, even if a particular change is applicable only to one jurisdiction.

The bank must have an effective monitoring and oversight mechanism of the outsourcing relationship.

The bank needs to monitor the service provider's performance under the contract on a regular basis through review of periodic required reports, audited financials and SAS-70 reviews of the adequacy of the service provider's policies, procedures and controls. There also should be periodic on-site meetings at the service provider's office, and regular telephone or e-mail contact.

Offshoring has special risks to keep in mind.

As noted above, a bank's decision to outsource operations to another country requires heightened scrutiny of the risks involved, such as country/political risk and compliance risk. The bank should carefully consider whether the service provider will be able to deliver on a consistent basis the contracted-for services.

For example, there may be restrictions under particular laws or regulations that could impede full performance, such as the strict European Union data transfer laws that permit transfer of personal data to non-EU countries only under certain conditions. A bank's counsel should carefully review any potential data transfer issues, particularly if information might be transferred from an EU location or concern EU residents, whether or not the information was initially stored or intended to be stored in an EU location.

ACROSS MULTIPLE JURISDICTIONS

International banks may find themselves in a bind when they seek to have only one contract with a service provider encompass multiple jurisdictions. It can take months for a bank to agree with a potential service provider with respect to one jurisdiction, let alone more than one.

Additional problems arise after a contract is in effect and the bank seeks to add a new jurisdiction. The service provider may be reluctant to re-open issues that it thought had been decided. The bank must be able to require what is needed from a service provider with respect to a particular jurisdiction despite potential protests. The service provider likely will be familiar with the principal requirements imposed by various countries.

In negotiating any global master outsourcing agreement, an international bank should plan for an expansion of the contract into other jurisdictions and have the service provider agree to a new schedule if it is necessary to accommodate an expansion of services into the new region. Then, when the time comes to discuss the new schedule for a U.S. office of an international bank, the bank should be able to explain the proposed revisions and whether they are derived from law or regulations such as the Interagency Guidelines, from best practices guidance expected to be followed by banks such as review of audit and SAS-70 reports, or from established company policy such as employee background checks.

CONCLUSION

Outsourcing can save a bank millions of dollars, but cost savings alone cannot dictate a service provider contract. The bank must establish an overall policy on outsourcing, conduct effective due diligence of potential service providers, set out expectations in a well-drafted contract and be able to effectively monitor the service provider. In addition, regulatory compliance is a key element of any outsourcing arrangement.

Asia Pacific Outsourcing Market Bucks Global Trend

Outsourcing deals inked in the Asia Pacific in 2006 topped US$25 million, a 43 percent increase on the previous year, according to advisory firm TPI Inc. Asia Pacific managing director of the outsourcing consultancy, Arno Franz, said 2006 was a stand-out year for the region, accounting for 13 percent of the global market.

"It is the first time market share has exceeded 10 per cent since 2002; but the relative immaturity of the Asia Pacific market makes it prone to spikes in activity so it remains to be seen if this is the start of an ongoing growth trend," Franz said.

The compound annual growth rate for service providers in the region is 10.5 percent, according to TPI, which is more than double the global rate of 4.5 percent.

Despite the 'lumpy' nature of the Asia Pacific market in terms of yearly contract awards, Franz said the sustained growth in annualized revenues since 2002 suggests there is some strength in the region's outsourcing market.

The big six service providers, namely Accenture Ltd., Affiliated Computer Services Inc., CSC Corp., EDS Inc., Hewlett-Packard Co., and IBM Corp., are losing market share.

This group won 40 percent of the region's contracts last year, compared with a 60 percent share in 2002.

Franz said the increased competition shows clients are more receptive to doing business with the non-Big Six providers.

"Alongside the global giants of outsourcing, there is clearly room for smaller, specialized service providers who can address specific client needs," he said.

"At the moment success for service providers in Australia, India and Japan seems to be the determining factor for success in the Asia Pacific."

Indian outsourcers are increasingly becoming the big winners in the region.

For example, Tata Consultancy Services Ltd. (TCS) announced today it has become the first Indian IT company to net $1 billion in revenues in one financial quarter (Q3 ending December 31, 2006) and post a 40 percent revenue increase year on year.

TCS recently signed a multi-year application development and support contract worth $90 million with Qantas.

Another provider, Infosys Technologies Ltd., said earlier this month it expects full year revenue to be US$3.09 billion, up by 43.6 percent from revenue in the previous fiscal year.

In Australia, more than A$7 billion (US$5.46 billion) worth of outsourcing contracts are up for grabs in 2007.

According to research firm IDC, which has released the results of its 2006 Australian outsourcing end-user survey, a number of large contracts are expected to go with selective sourcing as organizations continue to unbundle mammoth IT contracts and look to best-of-breed providers.

IDC research manager for outsourcing and BPO (Business Process Outsourcing), Aprajita Sharma, said tier one providers face tough competition from Indian offshore outsourcers.