Banks: The Benefits and Risks of Outsourcing
The regulatory framework has evolved considerably over the last few years and banks now find themselves under increased scrutiny by regulators, as they strive to meet more challenging capital, financial reporting and corporate governance requirements.
Some financial institutions have had to significantly reduce their exposure to global capital markets to focus on more ‘core’ activities, often commercial and retail banking, in their domestic markets. Others have decided to stick to a more diversified operating model providing a range of financial services across borders.
Opinions still diverge on what the perfect balance is and what a sound and well-structured bank should look like. What everybody agrees on, however, is that managing these global operating models has become more expensive and that the focus for banks is, more than ever, on cost optimisation. Simply put, as capital requirements are impacting the pricing of financial products, banks need to lower their operating costs in order to remain competitive.
Outsourcing to remain competitive
In the first years following the crisis, banks have divested –sometimes significantly– their riskier activities and applied their capital to more cost-efficient businesses. More recently, and as there is only so much restructuring a financial institution can undergo, they’ve had to find more innovative ways to manage their costs and have started, amongst other strategies, to look to outsourcing as a way to delegate costly parts of their operational functions that external providers can manage more productively.
Outsourcing in the financial industry isn’t new, as banks have been on the forefront of the trend since outsourcing and offshoring started to become the norm in the service sector. Over the last ten years, however, this phenomenon has gathered momentum and the nature of the outsourced tasks has evolved.
Up until recently, IT processes and client relationship management (especially in retail banking) accounted for the majority of large-scale outsourcing, whereas we see an increasing number of banks starting to use managed services for critical processes and support activities. The types of functions now being outsourced range from compliance processing tasks to critical day-to-day business activities.
From regulatory processes to post-trade processing
It’s not uncommon for smaller US operations of global European commercial banks and wealth managers to contract external providers to help them comply with local AML (Anti Money Laundering) laws and KYC (Know Your Customer) requirements, instead of dedicating internal resources from their Legal and Risk functions to these tasks. Similarly, in the UK, some banks have chosen to outsource the management of their PPI claims, rather than having to build and train entire teams to deal specifically with this matter (likely to be dissolved when the FCA sets a deadline for customers to file their claims).
In an effort to even further reduce the cost of compliance processes, several of the world’s biggest banks are joining forces to create and manage centralised due-diligence KYC registries. These systems, which are populated by the banks with their own KYC data, follow standardised processes to make sure that the documentation provided (consisting of customer identity and tax information) is consistent from one institution to the next and across multiple jurisdictions.
In investment banking and capital markets, banks have also started mutualising some of their processing activities. And according to many securities executives, that might be the future model for securities processing. Over the last few years, several post-trade processing solutions have appeared. They cater to banks looking to streamline their securities businesses by outsourcing key post-trade functions such as settlement, books and records, control, etc. Some of these platforms are on the verge to become standardised solutions, shared by all their clients.
What are the risks for banks?
A well thought-out outsourcing strategy –combined with carefully carried out due diligence– can set a bank apart from its competitors. That is, when everything goes well… But what happens when a vendor doesn’t hold to his end of the bargain or, more likely, makes an unintentional mistake? What then, are the risks for banks? Companies often focus on making sure vendors deliver, but they sometimes forget about the ancillary, operational risks of outsourcing. These risks can be very large and significantly impact capital requirements.
There have been multiple instances in recent years where consumer banks had to face serious reputational and financial debacles due to a third party’s error. Several years ago a retail bank left millions of customers unable to withdraw funds or view their balances due to a computer failure, which occurred as one of the bank’s IT vendors was performing a software update. The failure resulted in paralysis of critical banking systems –a costly error. Another one had to compensate thousands of customers whose personal information had been stolen and sold illegally. The data had been stored by a vendor on a USB stick which was subsequently lost.
It is important to understand that by importing efficiency, companies are also importing risks
Scandals have also been frequent in the investment world where rogue traders have lost billions before computer control systems, managed by third party vendors, detected unauthorised trading patterns. On a specific instance, a bank lost over a billion dollars because data incriminating one of its traders, collected by a third party, never made it to its compliance team. It had been deleted by error as part of a system upgrade – performed by a vendor.
By increasing their business’ efficiency through outsourcing, these financial organisations have imported significant operational risks into their organisation, which resulted in serious financial losses and reputational damage.
So how can banks mitigate these “outsourcing risks”?
For a bank or any financial institution, following a carefully developed and detailed outsourcing methodology is paramount to significantly lower its operational risks. They should have a clear due diligence approval process for potential companies they outsource to and outsourcing policies to ensure that both parties understand what is expected and how business should be conducted.
In addition, methods should be put in place to monitor those risks related to outsourcing in any particular operational function and controls must be set up to address crisis prevention and contingency planning, potential customer issues and upcoming changes to both parties’ processes. Compliance and Operational Risk teams should carry out regular reviews to verify that their suppliers are compliant.
Given the potential for extreme loss events, it is also critical to plan ahead and have a capital efficient solution to mitigate these risks – naturally imported when a company decides to outsource some of its activities. Risk managers should talk to their brokers about operational risk insurance as risk transfer is a pertinent solution to address such large risks. They should be looking for a cover managed by a carrier with sufficient strength and capacity.
While outsourcing provides financial institutions with competitive benefits in today’s challenging business and regulatory environment, it is important to understand that by importing efficiency, companies are also importing risks, which should be addressed by implementing an effective compliance and risk management strategy and the use of tailored operational risk insurance.