COMPLIANCE AND GOVERNANCE DIGEST

Outsourcing compliance strategies


Michael Rasmussen, Contributor
08.11.2008


Financial service organizations are well versed in outsourcing. Technology and business process outsourcing have made their mark on organizations across industry verticals, and financial service organizations have outsourced information technology, human resources management, and standard banking services such as check processing. Under the pressure of regulatory oversight -- an intricate weed whose roots are growing deeper and stronger -- financial service organizations are now asking, "Can we outsource compliance?"

The answer is both 'yes' and 'no.' Specific processes and requirements of regulatory compliance can be outsourced; others should not be. Here are some dos and don'ts.

Do be accountable.
A financial services organization cannot outsource accountability for compliance. When something goes wrong, it is the financial services organization that will ultimately be held accountable and liable for the resulting state of non-compliance. One element courts (as well as regulators) use to measure the effectiveness of a compliance program is oversight (see the United States Sentencing Commission's Organizational Sentencing Guidelines, Chapter Eight of the Federal Sentencing Guidelines), and oversight cannot be outsourced.

Do know what can be outsourced.
What can be outsourced are the specific requirements and processes that maintain compliance. Within financial services it is common to see many aspects of information security outsourced, such as event monitoring, security testing, and perimeter defenses. The information security requirements behind these services trace to the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule, to the Payment Card Industry Data Security Standard (PCI DSS), which is a contractual standard imposed by the card brands rather than a law, and to other regulations affecting financial service firms. Note that both GLBA and PCI DSS require the firm itself to select and oversee the service providers it hands these functions to: the work moves, the obligation does not.

Do let others in.
The most significant growth area in compliance outsourcing is compliance audit and assessment. As organizations have outsourced and extended business relationships across a range of vendors and third-party relationships, managing compliance across those relationships has become difficult. Financial organizations are now looking to outsource the overall assessment and audit of third-party relationships against compliance and risk criteria.

Don't ignore differences.
What is required to be compliant is becoming less precise. Outside the U.S., there is an increased focus on principle-based compliance, which differs from the rules-based approach common among U.S. regulators. A principle-based approach tells an organization what it must achieve, not how. The shift toward principle-based regulation is led by the United Kingdom's Financial Services Authority and is also at the core of the European Union's Better Regulation policy; it is found as well in the financial services regulation of Canada and Australia. The net effect is that the set of outsourced security and IT processes falling under the purview of compliance broadens, because there is no specific checklist to meet in order to establish and maintain compliance: the firm, not a checklist, has to decide which outsourced controls matter to the outcome the regulator expects.

As compliance processes mature and become better defined, more financial services firms will aim to outsource elements of compliance. While this streamlines costs and puts pieces of compliance under outsourced management, it becomes a problem if the organization grows lax and over-confidently assumes that someone else is doing it right. As mentioned, accountability cannot be outsourced, which raises the question: who watches the watcher? Financial services organizations that outsource compliance requirements and processes need to demonstrate diligence in validating that the outsourced work is being done correctly. In practice that means contractual audit rights, independent assurance reports on the provider, and periodic testing of the provider's output by the firm itself, rather than acceptance of the provider's own attestations.

About the author:
Michael Rasmussen (mrasmussen@corp-integrity.com) is with Corporate Integrity, LLC. Michael is the authority in understanding governance, risk and compliance (GRC). He is a sought-after keynote speaker, author and collaborator on GRC issues around the world and is noted for being the first analyst to define and model the GRC market for technology and professional services. Corporate Integrity, LLC is a strategy & research advisory firm providing education, research and analysis on enterprise governance, risk management and compliance.


All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy