The answer to this question is both 'yes' and 'no.'
Do be accountable.
Financial services organization cannot outsource the accountability of compliance. When bad things happen, it is the financial services organization that will ultimately be left accountable and liable for a state of non-compliance. One of the elements courts (as well as regulators) use to measure the effectiveness of a compliance program is oversight (read the United States Sentencing Commission Organizational Sentencing Practices) and oversight cannot be outsourced.
Do know what can be outsourced.
What can be outsourced are specific requirements and processes to maintain compliance. Within financial services it is common to see many aspects of information security outsourced such as event monitoring, security testing, and perimeter defenses. Requirements for information security compliance can be traced to elements of the Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), and other regulations impacting financial service firms.
Do let others in.
The most significant growth area in compliance outsourcing is in compliance audit and assessment. As organizations have outsourced and extended business relationships across a range of vendors and third party relationships, managing compliance across these relationships has become difficult. Financial organizations are now looking to outsource the overall assessments and audits of third party relationships against compliance and risk criteria.
Don't ignore differences.
What is required to be compliant is becoming vaguer. Outside of the U.S., there is an increased focus on principle-based compliance. This is different from the rules-based approach common among U.S. regulators. A principle approach to compliance tells an organization what it has to achieve, not how. The shift towards a principle-based approach is lead by the United Kingdom's Financial Services Authority and is also the core of the European Union's Better Regulatory Policy. It is also found within the financial services regulation in Canada and Australia. The net of this is that the number of outsourced security and IT processes that come under the purview of compliance broadens as there is not a specific checklist to meet and maintain compliance.
As compliance processes mature and become better defined, more financial services firms will aim to outsource elements of compliance. While this streamlines costs and provides the outsourced management of pieces of compliance, it can become an issue if the organization becomes lax and over-confidently thinks that someone else is doing it right. As mentioned, accountability cannot be outsourced. Which begs the question: Who watches the watcher? Financial services organizations looking to outsource compliance requirements and processes need to demonstrate diligence that they are validating that the compliance outsourcing is done correctly.
About the author:
Michael Rasmussen (firstname.lastname@example.org) is with Corporate Integrity, LLC. Michael is the authority in understanding governance, risk and compliance (GRC). He is a sought-after keynote speaker, author and collaborator on GRC issues around the world and is noted for being the first analyst to define and model the GRC market for technology and professional services. Corporate Integrity, LLC is a strategy & research advisory firm providing education, research and analysis on enterprise governance, risk management and compliance.
This was first published in August 2008