Risk Assessment on the Outsourcing of the Compliance Function

When outsourcing one or more compliance tasks, the regulated entity remains fully responsible for the proper performance of every outsourced function and is expected to ensure that all requirements applicable to the Compliance Function continue to be met.

It is therefore important that, before entering into an outsourcing arrangement, the regulated entity carries out careful due diligence on the service provider and undertakes a risk assessment to identify the risk factors and risk scenarios arising from the outsourcing of all or part of the Compliance Function.

When assisting our clients with the above, we usually suggest that this exercise takes the form of a duly documented risk analysis which sets out the methodology used, identifies the risk scenarios, lists the control measures the regulated entity has in place in relation to the outsourcing of compliance tasks, and assesses how effective those measures and controls are in mitigating the risk scenarios identified. The analysis should also identify and assess any conflicts of interest that the outsourcing of these tasks may give rise to.

The primary purpose of the exercise is to identify, assess, monitor and control the risks to which the regulated entity is exposed as a result of outsourcing the Compliance Function. A second purpose is to ensure that the management and key personnel of the regulated entity have a clear awareness and understanding of the risks of outsourcing compliance-related tasks.

There are various methods by which an assessment may be conducted. Whichever method is chosen, the assessment must always identify the most relevant risk factors and risk scenarios to which the regulated entity may be exposed in relation to the outsourcing of the Compliance Function. To facilitate this identification, the regulated entity should detect and analyse both the internal vulnerabilities and the external threats to which it is exposed when outsourcing part or all of its compliance tasks.

The most common and practical way of evaluating outsourcing risks is to assess, for each relevant risk scenario, the likelihood of its occurrence and the impact on the regulated entity should it materialise. Combining the likelihood and the impact of each identified risk scenario then gives the level and degree of the inherent risk.

Once the regulated entity has a clear and complete understanding of the risks involved in outsourcing the compliance tasks, it should identify the internal control measures it has in place against each risk scenario. These measures will vary with the nature and complexity of the outsourced functions; regardless of their nature and complexity, the regulated entity must assess how effective they are.

In addition, the effectiveness assessment should extend to the measures and controls that the prospective service provider has implemented to mitigate the identified risk scenarios, such as the resources and personnel the service provider employs; the skills, knowledge and expertise of the persons who will actually carry out the outsourced compliance activities; the organisational structure supporting the performance of the outsourced Compliance Function; and the nature of the functions the provider has performed in the past.

Since the regulated entity must ensure that outsourcing the Compliance Function does not impair the effective supervision of the regulated entity itself, any arrangement between the regulated entity and the service provider on audit access should form part of the risk analysis and should be taken into account when assessing the effectiveness of both the internal control measures and the control measures implemented by the service provider.

By comparing the findings of this effectiveness assessment with the level and degree of the risks identified, the regulated entity can determine the residual risk that remains. On the basis of that residual risk, the regulated entity is in a position to decide either that it is adequately equipped to prevent the risk scenarios from materialising, and may therefore proceed with the outsourcing of the Compliance Function, or that, notwithstanding the control measures in place, the risk scenarios cannot be prevented and additional control measures need to be implemented before proceeding.

Where the regulated entity concludes that no additional measures can be established and implemented to mitigate a high level of residual risk, it should refrain from outsourcing part or all of the tasks related to the Compliance Function and should ensure that those tasks are carried out in-house in compliance with the applicable laws and regulatory requirements.

The information above does not cover the subject matter exhaustively. For further information on how to conduct a risk analysis concerning the outsourcing of the Compliance Function, please contact us at [email protected].

The information contained in this write up is provided for general informational purposes only. It does not, and is not intended to, constitute legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this write up without seeking legal or other professional advice for your particular situation.