Is AFSL offshoring a risky business?

The degree to which Australian financial service licenses have been utilising overseas service providers has been highlighted by the Australian Securities and Investments Commission pointing to just six offshore businesses having a combined total of 1000 licensees on their books.

ASIC’s review of offshore outsourcing by AFSLs stated the following:

“Our engagement with the six OSP intermediary businesses identified the following as some of the offshore services these intermediaries offer Australian advice licensees:

• financial planning assistants to complete a range of tasks, including client data entry and product research
• paraplanning services
• insurance application and document support, and
• client communication, such as client situation updates or business updates.

The six intermediary businesses reported having a combined total of over 1000 licensees or their representatives as clients and over 600 representatives of licensees had engaged with one of the six intermediary businesses in the in the past two years.

Of the 10 licensees we reviewed, the main offshore outsourced services used are advice support services, including paraplanning and administrative operations.”

ASIC then outlined the key risks it had uncovered as part of its review as including:

• risk of loss of control over some outsourced tasks or business functions that can impede a licensee’s ability to protect the confidentiality of its own and client information
• risks related to data and technology, particularly protection of sensitive client information, because OSPs subject to foreign government laws may have to comply with directions that conflict with Australian laws or may lose control over, or access to, the data provided by the licensee
• risks related to the effective detection and management of a breach of data or cyber incident for an Australian business if the business function or outsourced task is undertaken offshore
• risk of operational disruption to the service that can harm consumers (offshore infrastructure may also be less reliable than that available in Australia, causing unnecessary disruptions to information technology services), and
• risk of a licensee losing control over the people and processes dealing with outsourced business functions, which may pose challenges to the effectiveness of supervisory regimes and systems.

ASIC said it is concerned that most of the advice licensees did not have adequate arrangements in place for the assessment, appointment and ongoing monitoring of offshore outsourced services used by their representatives.

“Instead, they rely on the representative to ensure risks are managed appropriately.

ASIC said some of the licensees it reviewed recognise the risks of using OSPs and have taken, or are taking, steps to manage these risks. The degree of sophistication and rigour of risk management practices varied significantly, as highlighted below:

• three licensees who used OSPs did not have a formal offshore outsourcing policy in place, and one licensee did not have offshore outsource policies at all, despite using OSPs
• seven of the licensees’ information technology policies did not specifically reference or set additional requirements for offshore staff. In these cases, the policies were generic and applied to all staff, regardless of physical location or employment arrangement
• there was no evidence that the licensees undertook regular audits of their representatives’ use of OSPs
• were unable to identify all of their representatives that were using OSPs
• none of the licensees we reviewed have systems for real-time alerts for OSP access violations or any audit system access or activity logs
• when using an OSP intermediary business, licensees and their representatives appear to rely on the representations made by those businesses in relation to cyber security, without independent assessment or verification, and
• of the six licensees with offshore outsourcing policies in place, only one provided comprehensive steps the licensee or their representatives need to take before appointing an OSP. In the policies of the other five licensees, the appointment requirements were broad and did not identify the minimum requirements that should be expected to satisfy the licensee that the OSP meets an adequate standard.