
Back to basics – an outsourcing primer for compliance officers at private banks

Sandra Lawrence, Executive Director, Collas Crill, Guernsey, 16 December 2019


Outsourcing arrangements can be an efficient and effective way of subcontracting a business activity to an external third party, perhaps because of a dearth of resources, knowledge or IT infrastructure. However, the risks that they present should not be underestimated; a business is only as strong as its weakest link and remains accountable for all its contractors' actions, both good and bad.

Businesses must retain enough skills and knowledge in their own right to allow their boards and senior managers to oversee the activities that they are outsourcing properly. If this is not possible, they should seek 'assurance' (in the form of independent checks and tests) from experienced practitioners.

In the Guernsey financial services sector, the regulator (the Guernsey Financial Services Commission) pronounces on outsourcing in a variety of places, especially in its guidelines for each sector, in its AML/CFT rulebook and in the accounts of thematic reviews that it publishes periodically. The compliance officer must view these obligations not only as regulatory requirements but also as a way to show regulators (or any other officials) that his firm governs itself well and can mitigate its risks, the better to preserve its all-important good name and perhaps also to gain a competitive advantage.

Regulators expect businesses to consider whether the following factors and risks, amongst others, apply to each particular outsourcing arrangement. The answers vary and depend on the nature and scale of the outsourced activity. Most importantly, businesses should be able to show their regulators that they have reviewed the arrangements regularly, remembering that intra-group arrangements are also subject to these requirements.

Due diligence and ongoing monitoring

The compliance officer must check the background of the outsourcer at the outset of his firm's relationship with it, the better to make sure that it is 'fit and proper' (a phrase used by all regulators) to do the job, in much the same way that he checks the background of a prospective client. He must take into account the nature and extent of the activity that is being outsourced.

For example, cleaning and facilities management firms may lay the customer-firm open to the theft of data, because they have access to business premises outside office hours. The compliance officer ought to counter this by operating a "clear desk and screen" policy and making sure that people store paperwork in locked drawers or cabinets. He should ensure that the third party has policies and procedures that vet its staff to a standard that his own firm can gauge; it might, for example, insist on seeing police disclosure reports and reliable references.

An IT service provider is likely to present a financial firm with a much wider range of risks. Not only might it have access to the firm's premises outside office hours; it might also have full, privileged access to, and control of, the firm's systems and the data held on them. It is equally important for the compliance officer to keep monitoring that provider: categorising it according to the risk that he judges it poses to the business, and writing down a procedure that sets out which matters will be revisited and how often. He must review those arrangements periodically, at a frequency determined by his assessment of the risk; a provider with administrative access to core systems warrants closer and more frequent scrutiny than one that supplies a peripheral service.

He must also consider whether the third party does anything controversial that directly contradicts his own business' culture and policies; for example, it might display a disregard for climate change or it might use child labour in its supply chains. The compliance officer ought to keep a record of this review in case the regulator comes to call. There is no inherent reason why the regulator should care about the firm's own values, but regulators in the English-speaking world seem to be very annoyed when banks deviate from any of their written policies, especially nowadays in the field of ESG (Environmental, Social and Governance) factors.

He must measure the performance of the third party by agreeing appropriate service-level agreements and monitoring its performance against them. He must already have a written procedure in place to spot underperformance and deal with it whenever the provider fails to meet its obligations.

Contractual obligations

A legally binding, written contract records the contractor's responsibilities in a clear and unambiguous manner. Where appropriate, it should say whether or not sub-contracting is permissible, the extent to which it is, whether the contractor is obliged to notify the compliance officer before it sub-contracts and whether the compliance officer has a right to object to any sub-contracting. The compliance officer ought to think about the risks posed by that additional party. Is it 'fit and proper'? Does it satisfy the same requirements as the primary contractor? Who oversees it?
Depending on the nature and scale of the arrangement, the contract should also cover matters such as:

  • client confidentiality;
  • IT security;
  • fees and arrangements;
  • liability in the event of transgressions or underperformance;
  • guarantees and indemnities;
  • the third party's obligation to provide relevant records to the business, regulators or auditors;
  • dispute resolution protocols;
  • business continuity obligations;
  • the choice of law; and
  • the termination of the contract.

Data and cyber security; business continuity

As we said earlier, a supply chain is only as strong as its weakest link. The service provider is almost certainly exposed to the risk of a data breach or cyber attack, or to general problems that affect its business infrastructure and operations, such as floods or the failure of a telephone system; any of these can interrupt the service on which the private bank depends.

In addition to the contractual provisions we have mentioned above, the compliance officer must put practical measures and safeguards in place to protect confidential data, whether it is stored on his firm's own systems or on those of the provider. In the digital age, attacks on data and systems are a matter of when, not if. The compliance officer should ask the provider to confirm in writing that it has identified its weaknesses and set up effective controls to deal with the risks. He should ask it to attest that its data and cyber-security incident response plan is comprehensive and is reviewed and tested regularly. He should also ask it to attest that its business continuity/disaster recovery plan is comprehensive and resilient and that somebody is reviewing and testing it regularly. He should demand to know when the last test was conducted, whether there were any adverse findings and whether the third-party firm has done anything about them.

The third party may be reluctant to give other companies specific details about its weaknesses, but the compliance officer must at least persist in asking for confirmation from its most senior officers that it has carried out tests and resolved all the problems found. A reasonable middle ground is to ask for an independent assurance report or a summary of test findings and remediation status, which lets the provider avoid disclosing the detail of an unpatched weakness while still giving the bank evidence rather than a bare promise.

Confidentiality

The compliance officer must determine whether the third party in question is a data controller or a data processor (as defined in the European Union's General Data Protection Regulation) and, if necessary, ensure that it has effective ways of guaranteeing data privacy. In most outsourcing arrangements the provider acts as a processor on the bank's behalf, in which case the GDPR requires a written contract that sets out the processor's obligations. Where personal data is transferred outside the European Economic Area, the GDPR requires the destination jurisdiction to be covered by an 'adequacy' decision or the transfer to be protected by appropriate safeguards such as standard contractual clauses.

In the event of a personal data breach (a GDPR term for a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), the compliance officer must ensure that he has procedures in place to report problems to the authorities as soon as he has identified them. The business may have to report the breach to its own data-protection authority (within 72 hours of becoming aware of it, under the GDPR) and to the data subjects (people on whom it or its contractor hold information), and strict reporting timeframes apply here. A processor must notify the controller of a breach without undue delay, so the contract should oblige the provider to report incidents promptly enough that the bank can meet its own deadlines. He must ensure that the third party does not cause the business to breach its own reporting obligations.

If the third party has access to other confidential information, such as intellectual property, the compliance officer must ensure that the contract makes clear that nobody may misappropriate it.

Termination of the relationship

Both parties must be able to terminate the contract in a timely and orderly manner, especially if it has been breached. One might expect a contract to fall away in its entirety once terminated for breach, but there are clauses (survival clauses) that continue to bind the parties after termination, especially those that concern confidentiality. It is often possible, alternatively, for the wronged party (in this case the private bank that has received some bad service) to give notice of termination but nevertheless ask the contractor to keep providing the service during a period of transition. The contractor often agrees to this because it is still able to earn some money from the continuation. This allows the customer-firm enough time to train internal staff in the necessary skills or to find a suitable replacement.

Concentration of outsourcing

The compliance officer must ensure that the third party has enough resources and capacity to fulfil the objectives set in the service-level agreement. He must look for signs that it is struggling, must communicate with it proactively to find out whether a given problem stems from internal resourcing or from infrastructure, and must find out whether it is doing anything about it.

The compliance officer ought to apply these controls whether the third party is a regulated business or an unregulated one, such as an accountancy firm or an estate agent. He must remember, at all times, that his firm's reputation is on the line.

* Sandra Lawrence can be reached on +44 1481 734808 or at sandra.lawrence@collascrill.com
