Outsourcing in the Banking Sector in the Bailiwick of Guernsey

Outsourcing in the Banking Sector in the Bailiwick of Guernsey A Thematic Report issued by the Guernsey Financial Services Commission November 2008

• 1 - Table of contents 1 Executive summary...........................................................................................- 2 - 2 Introduction and methodology..........................................................................- 3 - 2.1 Introduction...............................................................................................- 3 - 2.2 Methodology.............................................................................................- 3 - 3 Findings.............................................................................................................- 5 - 3.1 Overview...................................................................................................- 5 - 3.2 Findings from the industry wide survey and on-site visits.......................- 5 - 3.3 Entity-specific findings from the on-site visits.........................................- 8 - 3.3 a Good practice .......................................................................................- 8 - 3.3 b Exceptions............................................................................................- 9 - 4 Acknowledgements...........................................................................................- 9 - 5 Useful websites.................................................................................................- 9 -

• 2 - 1 Executive summary The main findings of the Commission‟s thematic review of outsourcing in the banking sector of the Bailiwick of Guernsey are as follows: A majority of the key functions that are outsourced are carried out intra-group, either utilising centres of excellence within a group, taking advantage of efficiencies from economies of scale, or making use of areas where resource constraints are less of an issue than they are in Guernsey; Functions that are outsourced to third parties are mainly non-core functions, and for the most part are non-critical to the day-to-day running of the bank; Core functions that are outsourced to third parties tend to be historical relationships where the service provider was once part of the group; In general there is a service level agreement (SLA) or agreements, or some such other document or documents serving a similar purpose, in place, or in a few cases being put in place, for the functions that are outsourced; There was a handful of examples where SLAs were not in place, one in relation to investment management support provided by group, and the rest relating to treasury services provided by group; On those SLAs that were reviewed, there were some gaps observed pertaining to dispute resolution and fee structure, though these gaps were only observed on agreements with third parties in relation to non-core functions, or with group; There is still some inconsistency in the definition of outsourcing with only some banks including services provided by intra group companies within the definition. Including intra-group service providers is considered good practice; From our limited review, the policies and procedures addressing the outsourcing process seem to be of an acceptable standard.

• 3 - 2 Introduction and methodology 2.1 Introduction As an integral part of its on-going supervision of licensed banks, the Guernsey Financial Services Commission (“the Commission”) carried out a review of outsourcing as a key element of the operational risk faced by the banking industry in the Bailiwick of Guernsey. The Commission is committed to ensuring the compliance of the Guernsey banking industry with The Core Principles for Effective Banking Supervision. Core Principle 15 “Operational risk”, essential criteria 8 states: “The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management programme should cover: conducting appropriate due diligence for selecting potential service providers; structuring the outsourcing arrangement; managing and monitoring the risks associated with the outsourcing arrangement; ensuring an effective control environment; and establishing viable contingency planning. Outsourcing policies and processes should require the institution to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.” The aim of the review was to identify and confirm the nature and extent of outsourcing within the banking industry in Guernsey, the materiality of any functions outsourced, and the controls and other risk mitigation undertaken in order to assess whether there were significant gaps or deviations from good practice that could set operational risk at a level that was unacceptable to the Commission. The purpose of this thematic report is to summarise the key findings of the Commission‟s review in order to improve risk management practice in relation to outsourcing and ensure that the local banking industry has identified and mitigated against the operational risk involved in outsourcing functions to other parties. The report is not intended to give a comprehensive description of all risks faced by Guernsey banks that carry out outsourcing, nor do the findings cited in the report represent issues faced by all banks. Rather, the report is intended to highlight both weaknesses and good practice in mitigating against the risk involved in outsourcing and to devise measures and supervisory responses to any issues identified. It is the Commission‟s intention that outsourcing will be regularly reviewed as part of the on-site visits programme in order to ensure the industry is keeping pace with a changing environment and changing risk profiles of businesses, as well as to follow up on any recommendations made to individual banks. 2.2 Methodology The Commission‟s thematic review was based on the “Outsourcing in Financial Services” paper („the Outsourcing Paper‟) issued by the joint forum of the Basel

• 4 - Committee on Banking Supervision dated February 2005 and took account of the GFSC guidance note “Outsourcing of Functions by entities licensed under the Protection Of Investors (Bailiwick of Guernsey) Law, 1987” updated in September

The Commission‟s review was structured in two stages: Stage 1 was carried out in June 2008 and consisted of an industry wide survey to identify outsourced functions, the service providers to whom those functions were outsourced, whether a service level agreement was in place, and the rationale for outsourcing those functions. Stage 2 involved on-site visits to a selection of banks and was completed by the middle of August 2008. For the second stage, the Commission selected five banks which would provide a diverse sample of businesses banking on the island (e.g. clearing banks, deposit takers, subsidiaries and branches) as well as considering individual responses to the industry-wide survey. The questionnaire used for gathering information on these on￾site visits was largely based on the Outsourcing Paper which sets out the responsibilities of regulated entities when they outsource their activities. The five on-site visits addressed the high level principles set out in the Outsourcing Paper: Policy and procedures; Risk management; Due diligence on service providers; Regulated entity‟s ability to fulfil local regulatory obligations; Written contractual arrangements; Contingency planning; and Protection of confidential information. As well as covering the above topics in discussions with relevant staff at the licensees being visited, the review teams also assessed service level agreements against the seven key provisions detailed within the Outsourcing Paper, which should be addressed by a written service level agreement. The Commission also looked at documents evidencing monitoring of outsourced business as part of the licensees risk framework. The seven key provisions are: Activities to be outsourced / service and performance levels; Meeting regulatory obligations; Access to books, records and information; Continuous monitoring and assessment / Corrective measures; Termination clauses; Material issues unique to a particular outsourcing arrangement; and

• 5 - Conditions of subcontracting all or part of the outsourced activity where appropriate. 3 Findings 3.1 Overview A majority of core banking functions not provided by the licensed bank were outsourced to group companies. Core functions outsourced to non-group third parties tended to have a historical connection to the group or licensee. Functions outsourced to unconnected third parties were largely non-core support functions. In the handful of cases where service level agreements were missing, one related to investment advice from group and the other six related to treasury functions performed by group. Other missing service level agreements were between the Guernsey branch and its head office bank. There was still some inconsistency in the definition of outsourcing and in the criteria for when a service level agreement is required. 3.2 Findings from the industry wide survey and on-site visits The initial survey covered four key questions:

1. Which material functions are currently outsourced by the bank?
2. Whether the regulated entity used a third party service provider or an intra group service provider?
3. Is a Service Level Agreement in place for each outsourced function?
4. What the main rationale was to why these functions are outsourced? We will address the responses received to each question in turn below.
5. Outsourced functions. The survey revealed that a wide range of functions were outsourced. For the purposes of our analysis, we have analysed the material functions into two groups namely core and non-core banking functions. The majority of the functions outsourced related to core banking functions. Those non-core functions outsourced represented fairly predictable ancillary functions. It was noted that the core banking functions most heavily outsourced included IT systems, treasury; investments - dealing, management and administration; banking operations (for the managed banks in the Bailiwick); payments; credit; custodian services; banking debit and credit card related services; the design and production of structured products. The main non-core banking functions outsourced include facilities management, human resources and payroll, marketing and IT support.

• 6 - The overall split between core and non-core banking functions is illustrated in figure 1 below: Figure 2 further analyses this by outsourced function (core and non-core). Figure 1 - Core / non-core functions outsourced (expressed as a percentage of all functions outsourced) non-core banking functions outsourced 37% core banking functions outsourced 63% Figure 2a - Core banking functions outsourced (expressed as a percentage of all core functions outsourced) IT systems 21% Banking operations 10% Payments 9% Credit 7% Custody 5% Cards services 6% Structured products 3% Risk management 3% Compliance 3% Back office 2% Investments dealing, management and administration 14% Treasury 17%

• 7 -

2. Third party or inter group service providers. The majority of core banking functions are outsourced to intra group companies according to our survey. Only a few reported using external third party service providers for outsourcing core banking functions. In such cases these were normally smaller banks using a member of a large international banking group for such services as clearing. Overall the extent of the third party non-group outsourced services reported was minimal and limited to support and administration functions. Figure 3 illustrates the split between the use of third party and intra group service providers and how this relates to core and non core banking functions. Figure 2b - Non-core banking functions outsourced (expressed as a percentage of all non-core functions outsourced) Internal audit 23% HR 17% Cheque books 8% Marketing 7% Legal 7% Other 3% Finance 20% Payroll 7% Archiving 8% Figure 3a - Core functions outsourced to (expressed as a percentage of all cores functions outsourced) Intra-group 79% Third party 12% Administrator of a managed bank 9%

• 8 -

3. Service level agreements. The survey revealed that the majority of banks had a written service level agreement in place. The Commission did note that a number of banks reported that their service level agreements were „under draft‟ or „awaiting approval‟. The Commission would expect these banks to prioritise the finalisation of these service level agreements especially where a core banking function is involved (such as treasury), irrespective of whether the service provider is intra group (such as a parent or sister company) or a third party. Having such a service level agreement in place will remove any doubt as to each entity‟s role and responsibilities and the exposure each entity faces should an operational issue/loss arise. The Commission will continue to monitor this area closely. With regard to branch entities that outsource to their parent, service level agreements should be strongly considered for material activities in order that the Guernsey branch has a documented record of what the service provider‟s obligations are to the branch.
4. Rationale for outsourcing The reasons for usage of outsourcing service providers varied widely with the spectrum of the functions covered. The most common reasons were: cost efficiency and economies of scale, using group expertise and resources, usage of centralised group service teams, difficultly in obtaining specialist expertise locally and ensuring consistency with group. 3.3 Entity-specific findings from the on-site visits 3.3 a Good practice The Commission observed a number of areas of good practice during the visits: All of the entities visited had a formal written policy on outsourcing where outsourcing was clearly defined usually in line with group policy. Figure 3b - Non-core functions outsourced to (expressed as a percentage of all non-core functions outsourced) Intra-group 67% Third party 33%

• 9 - Three of the five banks visited included intra group outsourcing in their definition of outsourcing. Three of the five banks visited had a formal due diligence / tender documentation checklist already in place. The majority of the banks visited had existing signed and approved service level agreements already in place. At least one of the banks visited had had sight of the service provider‟s business continuity plan in order to understand recovery times. 3.3 b Exceptions The Commission observed some areas where improvements should be made. Each bank concerned was notified individually and are actively addressing the points raised. Bank‟s definition of outsourcing needs to be expanded to include intra group outsourcing as one bank had functions outsourced within group without any service level agreements in place. One service level agreement was observed to have no section dealing with dispute resolution and payment arrangements. One bank had no active and ongoing assurance of the outsourcing function. One bank had no formal due diligence / tender policy in place for an ancillary function considered a minor service but conceivably this point could be more important for others. In some cases, there seems to be little formal ongoing monitoring at senior management level of the performance of outsourced functions (such as key performance indicators or standing agenda points in the risk meetings). This is especially true if the outsourced function is intra group. 4 Acknowledgements The Commission would like to thank all banking licensees in Guernsey for contributing to the island-wide survey, and five specifically selected banks for participating in the on-site visits. 5 Useful websites Basel Committee on Banking Supervision The “High Level Principles for Business Continuity” document. http://www.bis.org/publ/joint12.pdf Financial Services Authority (FSA) The UK regulator requirements http://fsahandbook.info/FSA/html/handbook/SYSC/8 Guernsey Financial Services Commission (GFSC) Guidance note on outsourcing http://www.gfsc.gg/UserFiles/File/Investments/OutsourcingGuideRevision.pdf

• 10 - The Institute of Operational Risk (IOR) The Institute of Operational Risk was created in January 2004 as a professional body to establish and maintain standards of professional competency in the discipline of Operational Risk Management. www.ior-institute.org Disclaimer The foregoing is not intended as formal regulatory guidance, nor should it be taken to cover all relevant aspects of the subjects touched upon. Rather, it highlights shortcomings identified which, if addressed at an early stage, may help mitigate risk levels and avoid specific pitfalls. The Commission would welcome comments on any aspects of this paper and would also be happy to address any concerns or questions that readers may have in this respect. Any such communications should be addressed to: Philip J Marr Director of Banking Guernsey Financial Services Commission F:\Banking Administration\Outsourcing\Thematic report - Outsourcing 2008 v3.doc