Outsourcing of Compliance Function

Subject to certain limitations and requirements, including the existence of objective reasons, where applicable, the regulated entities are allowed to outsource the carrying out of compliance tasks to third parties. It is practice that in order to increase the efficiency of the conduct of their business, to optimise the operational processes, save on costs and access better levels of expertise, the regulated entities approach service providers to which they delegate the tasks related to the Compliance Function.

However, the regulated entities should note that they remain responsible for the proper performance of the outsourced compliance tasks and are expected to ensure that all requirements applicable to the Compliance Function continue to be fulfilled where all or part of the Compliance Function is outsourced. They should also ensure that the service provider performs and applies the quality standards which would have been applied by the regulated entities themselves. Ultimately, the ability to control outsourced compliance tasks, and manage the risks associated with the outsourcing of part or all of the compliance duties, should always be retained by the regulated entity initiating the outsourcing.

When outsourcing one or more compliance tasks on its behalf, the regulated entity shall take into consideration, in particular, the following:

General principles of outsourcing – especially the outsourcing requirements for critical or important functions given that a defect or failure in the performance of the Compliance Function would materially impair the continuing compliance of the regulated entity with the conditions and obligations of its authorisation and obligations thereunder, its financial performance, or the soundness and the continuity of its services and activities.

Thus, it is important to take into account and comply with the following general principles of outsourcing:

– the outsourcing should not result in the delegation by senior management of its responsibilities;

– outsourcing structure should not allow for the circumvention of responsibilities or liabilities of the Compliance Function or of the regulated entity;

– the obligations of the regulated entity towards its clients shall not be altered as a result of the outsourcing of all or part of Compliance Function;

– the conditions with which the regulated entity must comply in order to be authorised and carry out its activities are not undermined by the outsourcing.

The regulated entity should ensure that the service provider carries out the outsourced compliance tasks effectively and in compliance with applicable law and regulatory requirements. It should also, at all times, keep sufficient resources to supervise the outsourced functions and should establish methods and procedures for reviewing on an ongoing basis the services provided by the service provider. The regulated entity shall take appropriate action if it appears that the service provider cannot carry out the compliance role effectively or in accordance with applicable laws and regulatory requirements.

Furthermore, the outsourcing arrangement shall take the form of a written agreement concluded between the regulated entity and the service provider. The respective rights and obligations of the regulated entity and the service provider shall be clearly allocated and set out in the outsourcing agreement. In particular, the regulated entity shall contractually ensure its instruction and termination rights, its right to information, and its right to inspections and access to the premises of the service provider.
The regulated entity should supervise effectively the outsourced functions and should ensure that it manages the risks associated with the outsourcing. For this purpose, the regulated entity shall have at all times the necessary expertise and resources to supervise the outsourced compliance tasks. It should also ensure that the permanence and quality of the outsourced compliance tasks are maintained also in the event of termination of the outsourcing either by transferring the performance of these tasks to another third-party service provider or by performing them itself.

Features of the service provider – The regulated entity should be in a position to demonstrate that the service provider is qualified and capable of undertaking the Compliance Function, that it was selected with all due care and that the regulated entity is in a position to monitor effectively at any time the outsourced activity, to give at any time further instructions to the delegate and to withdraw the delegation with immediate effect when this is in the interest of the regulated entity.

In addition, the service provider shall have sufficient resources and shall employ sufficient personnel with the skills, knowledge, and expertise necessary for the proper discharge of the tasks delegated to it and shall have an appropriate organisational structure supporting the performance of the Compliance Function.

The persons who effectively conduct the compliance activities delegated by the regulated entity shall have sufficient experience, appropriate theoretical knowledge and appropriate practical experience in the relevant subject matter. Their professional training and the nature of the functions they have performed in the past shall be appropriate for the conduct of the compliance tasks that have been outsourced.

Effective Supervision – The regulated entity should ensure that the outsourcing of its functions does not prevent the effective supervision of the regulated entity itself. The outsourcing may be deemed to prevent the effective supervision of the regulated entity where the regulated entity, its auditors and the competent authorities do not have effective access to data related to the outsourced functions and to the business premises of the service provider, or the competent authorities are not able to exercise those rights of access.

The effective supervision is also hindered when the service provider does not cooperate with the competent authorities of the regulated entity in connection with the outsourced functions or does not make available on request to the competent authorities all information necessary to enable authorities to supervise the compliance of the performance of the Compliance Function with the requirements of the applicable laws and regulations.

The regulated entity shall take appropriate action if it appears that the service provider cannot comply with the above-mentioned requirements.

Conflicts of Interest – The regulated entity shall take all reasonable steps to avoid conflicts of interest and, when the conflicts of interest cannot be avoided, to identify, manage and monitor and, where applicable, disclose, those conflicts of interest in order to prevent them from adversely affecting the interests of the regulated entity and its clients.

Where the regulated firm and the service provider are members of the same group, the regulated entity may, for the purposes of complying with the applicable rules, take into account the extent to which the regulated entity controls the service provider or has the ability to influence its actions.

To maintain a high standard of investor and customer protection, possible conflicts of interest have to be taken into account prior to any outsourcing of the Compliance Function. Therefore, outsourcing should be admissible only if it does not prevent the regulated entity from acting or carrying out its services and activities in the best interests of its clients.

The information contained above does not cover the subject matter in an exhaustive manner, for further information on outsourcing of the Compliance Function, please contact us at [email protected].

The information contained in this write up is provided for general informational purposes only. It does not, and is not intended to, constitute legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this write up without seeking legal or other professional advice for your particular situation.