ASIC warns of risks of offshore outsourcing
The Australian Securities and Investments Commission (ASIC) has issued a warning regarding the risks of offshore outsourcing.
ASIC is calling on financial services entities to strengthen governance and risk management after a review found weaknesses in the use of offshore service providers (OSPs), exposing consumers and investors to potential harm.
The review into the use of OSPs by financial advice licensees and responsible entities (REs) of registered managed investment schemes found that the quality of risk management arrangements relating to their use varied significantly, with some entities failing to have a framework in place.
ASIC Commissioner Alan Kirkland said that Australian financial services (AFS) licensees are ultimately responsible for the operation of their businesses, even when they outsource to offshore service providers directly or through an intermediary.
‘Advice licensees and REs can outsource services but they cannot outsource their fundamental obligations,’ said Commissioner Kirkland.
‘When licensees neglect their responsibilities, consumers, investors, and financial services businesses can be exposed to harm, such as exposure of personal information through cyber incidents.’
Commissioner Kirkland said AFS licensees should have sufficient skills to independently identify material risks and to assess an OSP’s performance and ongoing suitability.
‘The more critical the outsourced function, the greater the risks to consumers and investors,’ Commissioner Kirkland said.
‘The risks can be exacerbated when outsourced functions are not supervised adequately, particularly if they are outsourced internationally.’
Commissioner Kirkland also flagged critical risks associated with the loss of control over a business’s key functions to OSPs, disruptions to operational services, and conflicting obligations for OSPs subject to foreign laws.
‘Financial services firms cannot drop their guard. Cyber-attacks, for example, are more prevalent and growing in sophistication. All licensees must proactively review governance frameworks and address issues that threaten to undermine public confidence in their business and, in turn, the financial system.’
ASIC will continue to monitor the governance and risk management frameworks of financial services entities and, where necessary, hold them to account for failing to have the right processes in place to protect consumers’ and investors’ interests.
In relation to general concerns about cybersecurity, ASIC has taken enforcement action against FIIG Securities and Fortnum Private Wealth for alleged failures to adequately manage cybersecurity risks.
In 2022, the Federal Court also ruled in ASIC’s favour in a landmark case against RI Advice, which was found to have breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.
Where functions are outsourced, licensees must:
- have measures in place to ensure that due skill and care is taken in choosing suitable service providers,
- monitor the ongoing performance of service providers, and
- appropriately deal with any actions by service providers that breach service level agreements or the licensee’s general obligations.
Failing to adequately supervise outsourced functions could have detrimental effects on the operation of the licence and on compliance with legal obligations, and could cause harm to consumers.