19 October 2007

3rd Party Outsourcing: Compliance Management...

Hedge Funds who require outsourcing products or services in conjunction with their broker-dealers and clearing banks are still under the "Regulators" microscope. The focus on "Red Flags" is a continuous challenge in addition to the latest operational risk mandates and due diligence on 3rd parties.

This was highlighted by Geofrey L. Master of Mayer Brown last May in one of his articles from Mondaq:

"Further, and even more significantly, hedge funds must deal with many compliance requirements that are applicable to other parties that are part of the fund’s operating environment. An example of such indirectly applicable requirements is the compliance obligations faced by the fund’s investment advisor, its broker-dealers, and its clearing banks. These parties face distinct, and often significant, legal and regulatory requirements that necessarily impact the fund’s operations. In addition, the demands of fund investors, as well as other business environment realities, result in a variety of selfimposed operational requirements that function effectively as (and in some cases may actually become — through fraud claims, for example) legal requirements." "With regard to laws applicable to the service provider, compliance requirements range from licensing and authority-to-do-business issues to those directly impacting service performance, such as health and safety and environmental regulations and data safeguarding requirements."

The Governance, Regulatory, and Compliance (GRC) business process within the ranks of the hedge fund has a fundamental requirement to assure that outsourced entities are executing their responsibilities. Service providers are an extension of the Hedge Funds supply chain of information services and financial intelligence that investors have taken as a natural extension of the funds operational infrastructure. The EU Market in Financial Instruments Directive (MiFID) takes effect on November 1, 2007 and directly intersects with outsourcing services to 3rd parties.

Mark A. Prinsley also of Mayer Brown sums up the impact of MiFID on firms and how they are currently managing the risk associated with outsourced services:

In substance, the rules should largely reflect no more than sound and prudent practice in any outsourcing relationships. However, in relation to the management of the outsourcing relationships, firms will be required to retain skills and exercise risk management not just for the services provided by the service provider, but also in relation to the way in which the firm manages its outsourced activities. Inevitably, this will lead to the need for more resources and skills in the areas of management and audit to be retained by firms in the financial services sector that outsource their activities.

It is also important to note that the new rules will apply retroactively. Thus, while firms will not be required to re-write their existing outsourcing arrangements, it will be prudent for them to confirm, particularly for arrangements that may not have been "material contracts" - and therefore not previously notified to the FSA - that the arrangements do meet the new rules in areas such as retention of appropriate skills and resources and management of risk.

One solution for addressing this increased scrutiny within the EU and other firms who are looking to enhance their outsourcing resilience can look no further than the BS 25999 standards for Business Continuity Management.

"Continued operations in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental requirement for any organization. BS 25999, the world’s first British standard for business continuity management (BCM), has been developed to help you minimize the risk of such disruptions.

By helping to put the fundamentals of a BCM system in place, the standard is designed to keep your business going during the most challenging and unexpected circumstances – protecting your staff, preserving your reputation and providing the ability to continue to operate and trade.

BS 25999 has been developed by a broad based group of world class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management.

It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to customer dealings. It also contains a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle."

This new standard utilizes the same Plan-Do-Check-Act life cycle that many practitioners are already familiar with from previous implementation standards such as ISO 27001 for Information Security Management Systems. BS 25999 is suitable for any organization, large or small, from any sector. It is particularly relevant for organizations which operate in high risk environments such as finance, telecommunications, transport and the public sector, where the ability to continue operating is paramount for the organization itself and its customers and stakeholders.

No comments:

Post a Comment