ASIC is calling on financial services entities to strengthen governance and risk management after a review found weaknesses in the use of offshore service providers (OSPs).
The review into the use of OSPs by financial advice licensees and responsible entities (REs) of registered managed investment schemes found that the quality of risk management arrangements relating to their use varied "significantly", with some entities failing to have a framework in place.
Where functions are outsourced, licensees must have measures in place to ensure that due skill and care is taken in choosing suitable service providers; monitor the ongoing performance of service providers; and appropriately deal with any actions by service providers that breach service level agreements or the licensee’s general obligations.
Failing to adequately supervise outsourced functions could lead to "detrimental effects" on the operation of the licence, its compliance with legal obligations and cause harm to consumers, according to ASIC.
Earlier this year, ASIC took enforcement action against both FIIG Securities and Fortnum Private Wealth for alleged failures to adequately manage cybersecurity risks.
ASIC Commissioner Alan Kirkland said that Australian financial services (AFS) licensees are ultimately responsible for the operation of their businesses, even when they outsource to offshore service providers directly or through an intermediary.
"Advice licensees and REs can outsource services but they cannot outsource their fundamental obligations," he said.
"When licensees neglect their responsibilities, consumers, investors, and financial services businesses can be exposed to harm, such as exposure of personal information through cyber incidents."
Kirkland said Australian AFS licensees should have sufficient skills to independently identify material risks and to assess an OSP’s performance and ongoing suitability.
"The more critical the outsourced function, the greater the risks to consumers and investors," Kirkland said.
"The risks can be exacerbated when outsourced functions are not supervised adequately, particularly if they are outsourced internationally."
He also flagged critical risks associated with the loss of control over a business’s key functions to OSPs, disruptions to operational services and conflicting obligations for OSPs subject to foreign laws.
"Financial services firms cannot drop their guard. Cyber-attacks, for example, are more prevalent and growing in sophistication," he said.
"All licensees must proactively review governance frameworks and address issues that threaten to undermine public confidence in their business and in turn, the financial system."