Regulation supports outsourcing proposition
Increasing regulations around cybersecurity, data protection and privacy are reinforcing the proposition of outsourced third-party service providers. These providers already operate under a strict data governance framework and recommend robust risk management and data governance strategies to clients, so legislation by governing bodies further underlines the importance of the service they offer.
The UK’s Financial Conduct Authority, the US Securities and Exchange Commission and public bodies like the National Institute of Standards and Technology and the Information Commissioner’s Office have elevated the importance of issues related to cybersecurity and data protection.
The regulatory progress around these matters has undoubtedly strengthened the infrastructure within which outsourced providers operate. However, fund managers need to be aware that the ultimate responsibility for risk remains within their remit.
George Ralph, managing director at RFA, explains: “When managers outsource, it’s important to remember that they are not relinquishing control or outsourcing risk. Risk management can be outsourced, but ultimately the responsibility for risk remains with the manager. Neither the regulators nor investors would accept that an outsourced partner was entirely responsible if something went very wrong. The manager must retain a firm understanding of the risks to the business and portfolio companies, and a view of the mitigations in place. Regular meetings between the outsourcing partner and the manager should always include risk reviews.”
Discussing the current trends in the outsourcing space, Ralph says there has been a growing acceptance of public cloud services over the past 12 months and beyond: “Clients definitely have more confidence in the security, availability and reliability of the public cloud coupled with our cross cloud cybersecurity controls, toolsets and experience.”
Another development which has seen increased focus is outsourced partner due diligence, a sign that managers are taking risk management more seriously. In part, this is also driven by more stringent operational due diligence investigations being carried out by investors ahead of investing. Ralph comments: “We are seeing a greatly increased demand for support with the operational elements of DDQs and have standards we can use to help managers to complete, which save them time when answering questions about their IT provider and systems.
“We provide compliance packs annually and give regularly updated overview papers for this very purpose. Having our own in-house compliance team really helps clients in this area as well as being able to call on a senior RFA member to sit in a DDQ meeting to directly answer questions when needed.”
This sharpened focus on due diligence is also accompanied by growing demands for machine learning-enabled data analytics and data warehousing, without the need for in-house automation teams. “RFA has developed a suite of data management services to meet this demand, and can now support clients with API builds, business process automation and system integration, alongside data analysis and visualisation,” Ralph says.
Keeping abreast of the latest technology developments is a difficult job for most managers, as new and emerging technology springs up every day. According to Ralph: “Evaluating technology then integrating it into an existing environment can take up a lot of time and energy. Outsourcing takes away the guesswork; we continually evaluate new technology and update our systems for our customers.
“Small and emerging managers almost always outsource technology operations as the quickest and simplest way to launch their business, negating the need to recruit IT specialists, who, as we know only too well, are in short supply.”
Managing Director, RFA
George Ralph CITP has successfully founded three technology firms and has provided C-level advisory services, including M&A, to numerous firms. George is a true leader and has been managing teams internationally and leading technology transformation projects for over 20 years. A certified GDPR, Cyber assessor, Auditor, Architect and widely experienced cybersecurity and RegTech professional, George has extensive technical experience in network and server architecture, large scale migrations utilising leading technology brands, and IaaS offerings.