Published in Wall Street Journal: https://deloitte.wsj.com/articles/compliance-outsourcing-weighing-the-risks-and-opportunities-1386133343?tesla=y
With compliance requirements on the rise, along with demands on in-house compliance teams, the risks of failing to meet those demands have increased in many industry sectors. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), U.S. health care reform, the Physician Payment Sunshine Act, the Foreign Account Tax Compliance Act (FATCA) and the Markets in Financial Instruments Directive II are just a few developments that have resulted in increased compliance responsibilities. In addition, there have been impacts from longer standing, and often evolving, regulations in areas such as product safety, quality, anti-money laundering and others.
For some organizations, regulatory requirements or other sensitivities mean that all compliance activities must stay in-house, and outsourcing is not an option. For others, outsourcing part or all of the compliance function may be an alternative worth considering. The decision to outsource may be driven by one or more of the challenges that compliance functions face, including:
Coping with talent shortages.
Sub-optimal compliance processes.
Investing in technology infrastructure.
Addressing global compliance needs.
Increasing operating costs.
However, the decision to outsource can be filled with risks and challenges that should be carefully assessed. To gain the intended value from outsourcing, there is a range of decisions that need to be understood. “Before an organization decides to outsource its compliance function, it should clearly lay out the objectives it wants to achieve,” says Vishal Chawla, a principal at Deloitte & Touche LLP. “Is the organization seeking to benefit mainly in terms of talent or skills, or does it want to contain costs—or is it all of the above?” Mr. Chawla adds.
Using a decision framework early in the review process to analyze the various compliance functions and processes across the organization is important. Such a framework can help decision-makers determine which functions should be kept in-house, which could be outsourced, and which should be handled by a combination of in-house resources and outside vendors, an approach known as selective outsourcing. Depending on the industry sector, compliance activities that may be outsourced include:
Collecting compliance data and information from systems and individuals.
Assisting with internal and external compliance reporting.
Testing and monitoring business processes and systems for compliance.
Performing trend analysis and predictive modeling for compliance operations.
Sorting Out the Risks
Each model, whether in-house, outsourced or selective, carries its own set of risks. “Compliance is not a revenue-generating business function, but it is a core component of managing enterprise risk and effectively executing business strategies,” says Mr. Chawla. An important aspect of outsourcing to consider carefully is the distinction between those areas that are the vendor’s responsibilities and those that are the company’s responsibilities. “Regulatory guidance has been fairly clear on this point,” says Mr. Chawla. “If a company outsources compliance activities, the company still owns the accountability for meeting its regulatory obligations from the regulator’s perspective.”
There are a range of other factors to consider when determining the appropriate outsourcing model, such as regulatory complexity, talent shortages and the need to reduce operating costs. “Outsourcing compliance is a journey for any organization, much like what happened to IT 20 years ago, when companies started outsourcing one or two processes at a time. The compliance function is going through the same model,” says Mr. Chawla. “Companies should use a strategic way to look at what compliance processes or activities to outsource, and what not to outsource. If they decide to outsource, they should review how well the processes to be outsourced are working and how stable they are in the first place. If a process is not working well when it is executed in-house, outsourcing by itself won’t fix it.”
Shifting Compliance Demands and Talent Needs
In several industries, especially those with large global companies, such as financial services and life sciences, regulatory scrutiny has resulted in companies having to expand compliance efforts while integrating them within core business operations, notes Mr. Chawla. Consequently, the skills required for effective compliance management are changing and becoming more complex.
“To run compliance operations in such large global organizations requires compliance talent with strong operations experience, not only compliance and legal analytical skills,” says Mr. Chawla. “There’s a need for compliance experience, but also skills in regulatory matters, project and process management, process improvement and an understanding of how the business operates. There is only so much of this kind of talent to go around,” he adds.
Other talent considerations that should go into a company’s decision on whether or not to outsource include the costs of training compliance teams and keeping them current with the latest regulations, as well as the costs of attrition.
The benefits that outsourcing can offer may be especially attractive to midsize organizations. Take compliance analytics technologies, for example. “For midsize companies, outsourcing can provide them access to this and other technologies and relieves them from having to build them,” says Mr. Chawla.
Addressing Data Security Concerns
Outsourcing can present risks to data security, including the exposure of intellectual property and of information about the organization’s strategies and operations. As such, an organization will want its third-party compliance provider to take appropriate measures to protect the security of the organization’s data. To protect data security when outsourcing compliance, organizations should consider the following:
At the request for proposal stage or third-party vetting stage, clearly define the data security requirements and expectations for the security environment.
During the provider selection process, assess the provider’s IT security and business continuity capabilities and plans.
In contracting, require the provider to maintain a client-specific security and control environment.
In the contract, define the frequency and types of provider audits the organization may conduct (e.g., scheduled or ad hoc, complete or partial).
Provider selection criteria, service contracts and service-level agreements should place high priority on data security and specify the tools and techniques that can be employed to achieve it.