Sunday, November 24, 2024

Best in class: What the Seychelles can learn from other jurisdictions on outsourcing compliance services

By Yashoda Fezah, General Manager, CASS

In an era of increasing regulatory scrutiny, businesses struggle to focus on their core operations in the face of complex compliance requirements that take up much of their time, energy and effort.  In parallel, compliance with laws, regulations, and industry standards is emerging as a pressing requirement for organisations across various sectors. No wonder then that regulators are making provision to alleviate the burden and ensure effective compliance management by paving the way for Compliance Outsourcing or Regulatory Compliance Services.

Compliance Outsourcing can offer significant benefits to an organisation, such as:

  • allowing businesses to leverage specialised expertise;
  • mitigating risks;
  • facilitating focus on core operations; 
  • availing cost-effective solutions; and
  • accessing advanced technologies.

Indeed, jurisdictions across the world have started dipping their toes in the compliance outsourcing waters, with the Seychelles recently seeing higher uptake of this global trend. At CASS, we have been offering outsourced compliance services in Mauritius for more than two years and are now pleased to extend this service offering to our clients in the Seychelles and internationally as well.

Outsourcing in the Seychelles

As from January 2020, the code on outsourcing of compliance has been issued by the Financial Services Authority (FSA) of the Seychelles under section 33 of the Financial Services Authority Act, 2013, allowing regulated entities to appoint an outsourced Compliance Officer. 

At the outset, the FSA notes that there is a lack of qualified individuals in Seychelles to undertake the compliance function of a licensee. Taking into consideration that compliance is a core function, and as an initiative to promote the growth of the Capital Markets and Collective Investment Schemes Sector, this Code stipulates the requirements for the FSA to approve compliance outsourcing.

At the same time, the Code is clear that where a licensee opts to outsource its compliance function, the ultimate responsibility and accountability towards regulatory authorities and clients for outsourcing shall remain with the licensee’s board of directors. As such, the licensee should ensure that the outsourced service provider is effectively conducting the Compliance function and the board of directors should continuously monitor the performance of the outsourced service provider in carrying out this fundamental function. Crucially, the Code notes that the outsourcing function shall only be conducted by an outsourced service provider who is resident in Seychelles. 

Moreover, it highlights that the Code for Outsourcing of Compliance Function is only applicable to licensees under the Securities Act, 2007 and the Mutual Fund and Hedge Fund Act, 2008. 

Outsourcing in Mauritius

All Management Companies and Designated Non-Financial Businesses and Professions (DNFBPs) are required as per the latest Anti Money Laundering Legislations and Regulations in Mauritius to implement and adopt a Risk-Based AML/CFT Programme. In order to comply with these stringent regulations, business enterprises are expected to appoint a Compliance Officer, a Money Laundering Reporting Officer (MLRO) and a Deputy MLRO. 

The Financial Services Commission of Mauritius (FSC Mauritius) has released guidelines on 19 January 2022 in the form of a consultation paper on compliance services. It notes far-sightedly that, with a view to enhance the current compliance culture in place, it wishes to ensure that domestic players involved in both financial and non-financial services can rely on a regulated corporate entity to carry out their compliance functions on their behalf – particularly in view of the increasing complexity of the business activities, the risks involved in performing such activities, and the lack of knowledge and expertise in complying with laws, rules, regulations and directives issued.

However, the FSC Mauritius highlights that management companies and domestic long-term insurers, general insurers and professional reinsurers will not be allowed to outsource their compliance/MLRO functions to any third party. While the FSC Mauritius reserves the right to mandate the services of a Professional Compliance Service provider to provide MLRO and Compliance Officers should the need arise, these specific licensees must rely on an in-house full time Compliance Officer. 

While the consultation paper gives an insight into the intention of the regulator, the compliance licence remains to be launched. Meanwhile, the regulatory framework does not provide for the possibility for regulated entities to outsource the core functions of Compliance Officer, MLRO and DMLRO externally.

However, onboarding external compliance expertise as a means to support the internal compliance functions remains possible. Currently, several compliance service providers based in Mauritius are providing expert support to compliance officers and MLROs of entities that are required to have an AML/CFT programme. The reporting entities remain responsible for satisfying their compliance obligations. 

Outsourcing in Singapore

In Singapore, a company seeking to outsource its compliance must consider the Monetary Authority of Singapore’s obligations on outsourcing, especially the due diligence and risk assessment, not only at the start but on an ongoing basis. Consideration must be given to the following:

  • Some companies have adopted intra-group outsourcing; however, this may not always cover the full requirements, and outsourcing externally on some elements might still be needed.
  • This includes general outsourcing and data security requirements, managing the amount of data being stored, processed or transmitted by third-party providers on behalf of your company, and how critical to operations that data is.
  • Any outsourced function must implement an appropriate level of security to protect outsourced data (personal, confidential, commercial etc), including for relevant data protection requirements and other guidelines that are separate from the MAS regulations.
  • Risk management is key. The company must have appropriate risk management systems and controls to manage the risks associated with the provider services. 

Once again, companies are reminded that they are responsible and accountable for all the regulatory responsibilities that apply to outsourcing and third-party service arrangements, and cannot delegate any part of this responsibility to a third party.

Outsourcing in the UK and the EU

In the UK, the Financial Conduct Authority’s (FCA’s) Handbook Glossary sets out the definition of outsourcing. It also notes that firms using outsourced and other third party service providers should take responsibility for managing risk arising from those arrangements. Greater levels of risk management are needed when a firm increases its dependence on outsourced and third party service providers, the FCA states, noting that this includes the delivery of services that could affect the firm’s ability to remain authorised. The requirements include identifying and managing the associated operational risks throughout the life span of third-party arrangements from beginning to end. The FCA ultimately expects firms to be risk-based and proportionate, considering the nature, scale and complexity of their operations when meeting their obligations for outsourcing and third parties.

In Europe as well, the European Banking Authority (EBA) notes that its regulated institutions are expected to conduct pre-outsourcing analysis to identify risks before entering into any new outsourcing arrangements  and consider any notification requirements; undertake due diligence to ascertain the service provider’s expertise, capacity, business reputation, and security of systems; ensure that the contract for any new outsourcing arrangement, especially of critical or important functions, contains the features prescribed by the EBA Guidelines such as full audit rights and specific termination clauses; and to plan an exit strategy in relation to each outsourcing arrangement.

Looking to the future, we noted recently on LinkedIn that the EU is preparing to usher in major progress with its newly promulgated AML laws and the formation of the Anti-Money Laundering Authority (AMLA). As a key pillar, the final Anti-Money Laundering Regulation (AML-R) defines a clear boundary around ‘Non outsourceable tasks’, thereby carving out the core responsibilities of an AML/CFT Compliance Officer. Thus, high-stakes decisions such as customer risk profiling, approving business relationships and suspicious transactions reporting – essentially activities that assume that the incumbent has intimate knowledge and a nuanced judgement around the obliged entity’s operations – continue to be the sole responsibility of the in-house Compliance Officer. 

Moreover, the attendant conditions on outsourcing are stringent. First, the AML-R notes that obliged entities will have to ensure sufficient quality of the service provider to be able to carry out the outsourced tasks. Furthermore, obliged entities will have to make sure that current service providers as well as subsequent service providers apply policies and procedures effectively. This obligation goes alongside the responsibility to carry out regular controls, with the frequency determined by the critical nature of the outsourced tasks. Finally, the AML-R stipulates that tasks cannot be outsourced to service providers located outside the EU with their own AML/CFT legislation or enforcement regimes. Under strict conditions, a transfer to service providers located in a third country may be possible.

Where does the Financial Action Task Force (FATF) stand on compliance outsourcing?

The FATF, as the global standard setter on AML/CFT compliance, has not pronounced itself on the outsourcing of compliance services or the use of external compliance resources to fulfill the essential compliance functions of Compliance officers or Money Laundering Reporting Officers.

In the absence of such guidance, it is left at the discretion of each jurisdiction to decide on its own regulatory approach on this matter, hence the reason for varying takes from each jurisdiction.

How CASS can help

At CASS, our compliance offerings for institutions that are regulated for AML/CFT purposes in Mauritius and Seychelles cover specialised services. These include assistance to implement a compliance framework; ongoing compliance support; and compliance audit, among others. As such, we support clients to undertake compliance functions such as performing a gap analysis; putting together a robust AML/CFT Compliance Manual; conducting risk assessment; doing an independent audit of the AML/CFT framework; as well as conducting CDD and providing ongoing monitoring assistance with regulatory inspections. 

Coming back to the Seychelles’ FSA, the Code of outsourcing makes clear that compliance outsourcing attracts specialist skills and knowledge which are lacking in-house; increases ability to extend improved services to clients; brings cost benefits attendant on economies of scale; provides access to intellectual property such as proprietary software; and frees up management time for other core business areas.

Ultimately, as the regulatory landscape continues to evolve, compliance outsourcing will remain a valuable service, with outsourced compliance officers extending the necessary support for organisations to achieve and maintain regulatory excellence. By partnering with experienced providers, organisations are empowered to chart their course confidently amid the ever-changing regulatory landscape, ensuring long-term success and sustainability.
