ASIC flags ‘risks’ in offshore outsourcing, despite its affordability to advisers

ASIC’s calls follow a review that “found weaknesses in the use of offshore service providers (OSPs) exposing consumers and investors to potential harm”.

The review, according to ASIC, found that financial advice licensees and responsible entities (REs) have risk management arrangements that “varied significantly” in terms of assessing the quality of offshore services, with some having no framework.

According to ASIC commissioner Alan Kirkland, AFS licensees are ultimately responsible for the operation of their businesses, including when outsourcing to offshore providers, directly or through an intermediary.

“Advice licensees and REs can outsource services but they cannot outsource their fundamental obligations,” Kirkland said in a statement.

“When licensees neglect their responsibilities, consumers, investors, and financial services businesses can be exposed to harm, such as exposure of personal information through cyber incidents.”

The commissioner also said that AFS licensees need to have the skills to independently identify risks and assess an OSP’s performance and ongoing suitability.

“The more critical the outsourced function, the greater the risks to consumers and investors,” Commissioner Kirkland said.

“The risks can be exacerbated when outsourced functions are not supervised adequately, particularly if they are outsourced internationally.”

Advice practices, especially smaller ones, are often reliant on OSP services to cover operational matters like cyber security, with outsourcing becoming more essential due to the rising costs of running practices.

“While outsourcing has traditionally been a trend only seen in large corporations, it has become a lifeline for small to medium-sized businesses looking to improve efficiency,” said Brian Jones, CEO of VAP.

Speaking with ifa, founder of The Cyber Collective Fraser Jack said: “Just like estate planning, if you don’t have things in place and they go wrong, it’s going to cost you 10 to 100 times more to fix than it would to protect.”

Kirkland echoed this sentiment: “Financial services firms cannot drop their guard. Cyber attacks, for example, are more prevalent and growing in sophistication.”

“All licensees must proactively review governance frameworks and address issues that threaten to undermine public confidence in their business and, in turn, the financial system.”

ASIC said it will continue to monitor the governance and risk management frameworks within financial services entities, stating it will hold them to account “where necessary” when failures occur.

The regulator cited its enforcement actions against FIIG Securities and Fortum Private Wealth, which ASIC said exposed the firm to an “unacceptable level of risk” as a result of alleged cyber security failures, as examples.