ASIC has told licensees to strengthen governance over the use of offshore service providers after a review found weaknesses that could expose consumers to harm.
The review produced separate reports outlining the expectations for licensees and responsible entities.
The licensee review covered six intermediary businesses offering offshore outsourcing services for licensees which were based in the Philippines, India and Sri Lanka.
These businesses reported having 1000 licensees or their representatives as clients and conducted services including the provision of financial planning assistants to complete a range of tasks, including client data entry and product research; insurance application and document support; and client communication.
The review also examined sample data from two large fund managers “to understand the extent” to which individuals located offshore enquired about Australian client superannuation and managed fund data. One fund manager reported 900 enquiries in a 30-day period and another 16,500 enquiries originating from 24 countries in a 12-month period.
Earlier this year, Vision Super refuted claims it would not work with financial advice firms that employ offshore staff, but would only provide information to advice staff located within Australia, after an adviser complained about the fund’s processes.
ASIC had also reviewed 10 AFSLs that authorised advice business of “varying size”. The main offshore outsourced services used were advice support services, including paraplanning and administrative operations.
Of the licensees reviewed, 300 of their representatives used offshore providers at some point in the past two years and the regulator raised concerns about potential loss of control over some outsourced tasks or business functions that can impede a licensee’s ability to protect the confidentiality of its own and client information.
The report recommended that when functions are outsourced, licensees should have protocols in place to adequately choose providers, continuously monitor the performance of those providers, and deal with any actions that breach service level agreements or the licensee’s general obligations outlined in RG 104.
The report identified instances of one licensee not having any policies or procedures in place for appointing an offshore provider but identified better practice from six licensees that provided a checklist that could be used by its network.
Four licensees did not have a policy that disclosed the use of an offshore provider, but three had identified this usage in their financial services guide.
None of the licensees reviewed conducted audits of the application of their offshoring policies.
Three licensees did not maintain an approved list of offshore providers for their network to use, but ASIC noted that better practice was found with four licensees that had established a panel of approved providers that involved due diligence around service delivery and cybersecurity.
Five licensees didn’t explicitly require offshore providers to comply with the licensees’ cyber frameworks.
There were two instances of licensees that did not identify representatives that were using offshore service providers, which ASIC said is a breach of meeting general licensee obligations.
None of the licensees reviewed audited system access or activity logs, or had real-time alert systems for access violations. Furthermore, they all had broad, undefined policies for critical system recovery timeframes to restore services and recover data in the case of a breach or system failure.
The report also noted added risks with data privacy by giving third-party firms access to internal systems and that licensees should confirm that the outsourced providers meet an information technology standard consistent with the licensee’s existing cyber policies and that any contracts contain specific clauses relating to use, access, retention and disposal of data.
ASIC Commissioner Alan Kirkland said licensees should have sufficient skills to independently identify material risks and to assess the performance and ongoing suitability of third-party offshore providers.
“The more critical the outsourced function, the greater the risks to consumers and investors,” Kirkland said.
“The risks can be exacerbated when outsourced functions are not supervised adequately, particularly if they are outsourced internationally.”
The corporate regulator announced last year it would be reviewing the use of offshoring arrangements by licensees as part of its corporate plan.
At the Professional Planner Licensee Summit in June, Kirkland said the regulator will maintain an “agnostic” stance on offshoring arrangements by licensees with findings from a review expected to be released later in the year.





