Outsourcing by Fund Management Companies in Singapore
Fund Management Companies in Singapore
Outsourcing an arrangement by a Fund Management Company (FMC) to a service provider can bring cost and other benefits. However this can also increase the risk profile of the FMC, particularly when there is failure of a service provider in providing the service, breaches in security, or the FMC’s inability to comply with legal and regulatory requirements. The risk can be reputation, compliance and operational risks. Thus, Outsourcing does not diminish the obligations of the FMC, and its board and senior management to comply with relevant laws and regulations in Singapore. The Guidelines on Outsourcing (“Guidelines”) set out the Monetary Authority of Singapore’s (“MAS”) expectations of the FMC that has entered into any outsourcing arrangement or is planning to outsource its business activities to a service provider. The guidelines mainly provide guidance on sound practices on risk management of material outsourcing arrangements.
Examples of material outsourcing arrangements in different fund management models
Outsourcing of all or substantially all of risk management or internal control functions of a FMC, including compliance, internal audit, financial accounting and actuarial (other than performing certification activities) is to be considered a material outsourcing arrangement.
All FMCs are expected to retain ownership and responsibility over the outsourced functions, regardless of whether the function has been outsourced to external service providers or intra-group.
Relevant factors to consider while assessing the outsourced providers
Due Diligence of Service providers
FMCs should subject the service provider to appropriate due diligence processes to assess the risks associated with the outsourcing arrangements. The due diligence should take into account,
- The physical and IT security controls
- The business reputation and financial controls
- The ethical and professional standards
- Ability to meet obligations under the outsourcing arrangement.
- Financial strength and resources.
- Onsite visits to the service provider
- Independent reviews
- Corporate governance, business reputation and culture, compliance, and pending or potential litigation;
- Security and internal controls, audit coverage, reporting and monitoring environment;
- Risk management framework and capabilities, including technology risk management and business continuity management in respect of the outsourcing arrangement
- Disaster recovery arrangements and disaster recovery track record
- Reliance on and success in dealing with sub-contractors
- Insurance coverage
- External environment (such as the political, economic, social and legal environment of the jurisdiction in which the service provider operates)
- Ability to comply with applicable laws and regulations and track record in relation to its compliance with applicable laws and regulations.
Due Diligence of employees of service provider
FMCs should consider whether the service providers have suitable hiring and screening policies for their employees. The due diligence process may vary depending on the nature, and extent of risk of the arrangement and impact to the FMC in the event of a disruption to service or breach of security and confidentiality (e.g., reduced due diligence may be sufficient where the outsourcing arrangements are made within the institution’s group) If the compliance function is outsourced, it is in the FMC’s interest to understand how the service provider performs checks on the credentials and relevant experience of their employees.
Service providers should consider,
- Whether the employees have been the subject of any proceedings of a disciplinary or criminal nature;
- Whether the employees have been convicted of any offence (in particular, that associated with a finding of fraud, misrepresentation or dishonesty);
- Whether the employees have accepted civil liability for fraud or misrepresentation; and
- Whether the employees are financially sound
Due diligence undertaken during the assessment process should be documented and re-performed periodically as part of the monitoring and control processes of outsourcing arrangements.
Outsourcing Agreement
Contractual terms and conditions governing relationships, obligations, responsibilities, rights and expectations of the contracting parties in the outsourcing arrangement should be carefully and properly defined in written agreements. They should also be vetted by a competent authority (e.g., the FMCs’ legal counsel) on their legality and enforceability. The outsourcing agreement should, at the very least, have provisions to address the following aspects of outsourcing:
- The scope of the outsourcing arrangement;
- Performance, operational, internal control and risk management standards
- Confidentiality and security in relation to customer information.
- Business continuity management.
- Audit and inspection
- Notification of adverse developments that could potentially lead to prolonged service failure or disruption in the outsourcing arrangement, or any breach of security and confidentiality of the institution’s customer information.
- Dispute resolution
- Default termination and early exit
- Sub-contracting
- Laws applicable to the arrangement
Monitoring and Control of Outsourcing arrangements
Outsourcing Registers
As a matter of good practice, an FMC should include all outsourcing arrangements in its outsourcing register. This includes intra-group arrangements and material sub-contractors. This should be reviewed by board and senior management of the institution. FMCs are not required to submit their outsourcing registers to MAS on a yearly basis. MAS will give reasonable notice to FMCs when it requires the registers for its supervisory purposes, and FMCs are expected to promptly submit a copy of the register.
Outsourcing Management Control Groups
FMCs should monitor and control the outsourced service on an ongoing basis. Such monitoring should be regular and validated through the review of reports by auditors of the service provider or audits commissioned by the FMC.
Periodic reviews
FMCs should conduct reviews on an annual basis on all material outsourcing arrangements in order to ensure that the outsourcing risks pertaining to such arrangements are adequately mitigated.
Audit and Inspection
The outsourcing agreements for material outsourcing arrangements must contain clauses that allow FMCs to conduct audits on their service providers and their subcontractors and to obtain copies of any report and finding made on the service providers and their sub-contractors. The outsourcing agreements must also contain clauses that allow MAS or an agent appointed by MAS to access and inspect the service provider and its sub-contractors, and obtain records and documents relating to the service provider and its subcontractors.
If any request has been made from MAS to submit any reports on the security and control environment of the service provider and its sub-contractors to MAS, in relation to the outsourcing arrangement, the service provider must comply with it as soon as possible.
The FMC should ensure that independent audits and/or expert assessments of all its outsourcing arrangements are conducted. The scope of the audits and expert assessments should include an assessment of the service providers’ and its sub-contractors’ security and control environment, incident management process (for material breaches, service disruptions or other material issues) and the institution’s observance of the Guidelines in relation to the outsourcing arrangement. Senior management should ensure that appropriate and timely remedial actions are taken to address the audit findings. FMCs and the service providers should have adequate processes in place to ensure that remedial actions are satisfactorily completed.
Additional matters to be considered while outsourcing of Internal Audit to External Auditor
The business activities of a FMC must be subjected to adequate internal audit. The internal audit arrangements should be commensurate with the scale, nature and complexity of its operations.
When the outsourced activity is internal audit additional issues must be deliberated. If the internal audit is outsourced to the external auditor, the external auditor, in its internal audit role, may not criticize itself for the quality of the external audit or consultancy services provided to the institution.
In addition, as operations of the FMC could be complex and involve large transaction volumes and amounts, it should ensure service providers have the expertise to adequately complete the engagement. The FMC should address these and other relevant issues before outsourcing the internal audit function. In addition, as a sound practice, institutions should not outsource their internal audit function to the institution’s external audit firm.
Before outsourcing the internal audit function to external auditors, an institution should satisfy itself that the external auditor would be in compliance with the relevant auditor independence standards of the Singapore accounting profession.
Conclusion
It is thus important for a fund management company to assess whether the service provider whom they have outsourcing arrangements with has met the standards set by MAS. The FMC must satisfy itself that its service providers have acceptable internal governance when appointing and relying on sub-contractors, especially when the outsourcing arrangement between the FMC and the service provider is material.
How can Argus (now Waystone Compliance) help?
Argus (now Waystone Compliance) specializes in regulatory compliance and provides objective insights, subject expertise and a simple approach to all your compliance-related needs. Our diversified client base spans start-ups to mature businesses. All services rendered to clients are checked based on the 4 eyes-principle, wherein a Senior Management member has oversight off all delegated activity. We will be happy to answer your queries, whether specifically to outsourcing or any other regulatory compliance hurdles you may face. Do reach out to us at [email protected].