The Australian Securities and Investments Commission’s (ASIC) review into the use of offshore service providers (OSPs) by AFS licensees and responsible entities found that risk management arrangements “varied significantly” in terms of assessing the quality of offshore services, with some having no framework.
According to ASIC commissioner Alan Kirkland, Australian Finance Services (AFS) licensees are ultimately responsible for the operation of their businesses, including when outsourcing to offshore providers, directly or through an intermediary.
“Advice licensees and REs can outsource services, but they cannot outsource their fundamental obligations,” Kirkland said last month.
One potential unintended consequence of outsourcing, particularly if due diligence has not been undertaken, is exposing a practice to cyber security threats.
Already, small to medium-sized firms are attractive targets for cyber criminals due to the quantities of information they hold on clients, with offshore outsourcing adding another level of vulnerability if the organisation’s security practices are not up to standard.
VBP chief executive Nathan Jacobsen said the ASIC report highlighted the wide discrepancies that can exist between outsourcing models in terms of governance and compliance.
“VBP is highly supportive of ASIC’s recommendations and heightened focus on offshore outsourcing to ensure that both consumers and advice businesses are not unnecessarily exposed to harm, such as their data being stolen through cyber incidents,” he said.
According to ASIC, licensees and advisers are exposed to critical risks associated with the loss of control over key functions to OSPs, disruptions to operational services and conflicting obligations due to foreign laws, requiring them to urgently close governance gaps and address weaknesses in their use of offshore providers.
Jacobsen added: “Whether a business has a direct outsourced contracting arrangement or uses an intermediary, the obligations around areas like data, privacy and cyber security are the same.
“For those that choose to go direct, sole responsibility for assessing and monitoring outsourcing risk can be a significant burden.”
He also suggested the advice profession should expect a greater level of scrutiny of offshore outsourcing arrangements, given the growing number of practices looking overseas to help them scale sustainably.
“It is in the best interests of consumers, advisers and the broader industry that all parties involved in the provision of advice, including suppliers and contractors, operate with a continuous focus on improving information security practices,” Jacobsen said.
“The risks are only rising, guaranteeing further regulatory scrutiny, and possibly intervention, if the industry cannot effectively and proactively manage these risks.”



