top of page
The Range

Fiduciary Rules - Outsourcing

Outsourcing

Before the Fiduciary Rules there was no guidance or rules for fiduciaries on outsourcing although GFSC’s Handbook on Countering Financial Crime and Terrorist Financing outlines expectations from a prevention of financial crime perspective. It draws attention to GFSC’s guidance on outsourcing for investment firms; insurance business and banks.

 

The Handbook states that the principles contained within those guidance notes were “relevant across industry and provide a useful reference when considering an outsourcing arrangement”. Presumably this will be updated in due course to reflect the Fiduciary Rules.

 

The Fiduciary Rules introduce new, formal requirements for fiduciaries who outsource some or all of their activities. These are less detailed than the guidance for other sectors, but significantly are Rules as opposed to guidance. They do not apply to personal fiduciary licensees.

 

What is outsourcing?

The Rules define outsourcing as:

An arrangement, of any form, between a licensed fiduciary and an outsourced service provider, by which that outsourced service provider performs an activity that would otherwise be undertaken by the licensed fiduciary.

 

What’s new?
  • Fiduciaries must carry out a risk assessment before outsourcing - Rule 2.7.3 (in addition to the ML/TF assessment required by GFSC Handbook Rule 2.32)

  • Formalised due diligence in selection and monitoring of outsourced service providers and their performance - Rule 2.7.4

  • Ensuring that there is an appropriate contingency plan - Rule 2.7.6

  • Where maintenance of a fiduciary’s and/or its clients' records is outsourced it will have to ensure the requirements of Rule 2.6.5 are met (secure; readily accessible; laws complied with; and GFSC has reasonable access at all times)

  • A requirement to notify GFSC of any significant outsourcing arrangements entered into or material changes to significant outsourcing arrangements

  • Notification where there is a failure of an outsourced service provider or other breakdown in the provision of outsourced services which causes significant disruption to your business.

 

What’s familiar?
  • The Board retains responsibility and accountability for the outsourced functions at all times including:

    • effective oversight of the outsourced functions; and

    • ensuring that the fiduciary continues to comply with the Rules and all other relevant legislation. Rule 2.7.2(1)

  • A written outsourcing agreement must be in place for each outsourced activity. Rule 2.7.5

 

Easy hits
  • Compile a list of all your outsourcing arrangements and ensure written agreements are in place with them that meet the requirements of Rule 2.7.5(2)

  • Establish (and continue to maintain) contingency plans for each outsourcing provider in line with Rule 2.7.6. GFSC guidance confirms you don’t have to have excess capacity to cover the contingency of failure, but you will need to show how you can act fast to fill any gap.

 

Tricky bits
  • Deciding who is an outsourcing provider and who a service provider. You will need to examine the new definition of outsourcing (above) and focus on the phrase “that service provider performs an activity that would otherwise be undertaken by the licensed fiduciary”

  • Services which are provided to the fiduciary within its wider group will need to be examined to decide if they fall within the definition of outsourcing; many will. GFSC Guidance confirms that intra-group outsourcing also has to meet the requirements of the Rules

  • For each outsourcing provider, fiduciaries will need to:

    • Risk assess the provider including at least an assessment of risks:

      • associated with a breakdown in the service provided

      • that could arise if the outsourced provider fails

  • If you have a business risk assessment that includes non-ML/FT risks this could be carried out as part of your BRA. There is also a requirement to carry out a ML/FT risk assessment of outsourced activities under the GFSC Handbook

  • Carry out due diligence on providers to ensure they have ability and capacity to provide the service effectively. Keep a record of this and update it regularly

  • Make sure their conduct is monitored and MI on them is reported to the Board at regular intervals (this might include how they have met KPIs over the period)

  • It may be difficult to decide what is a significant outsourcing arrangement to be notified to GFSC. Another a matter of judgement will be what is a material failure of an outsourced service provider, the key being to consider whether there has been significant disruption to your business.

bottom of page