Challenges such as data sharing
aren’t insurmountable—they just need to be carefully
managed. A mature outsourcing provider can be engaged
in various outsourcing models—company owned
captive, joint-captive, company defined data security
& privacy governance model, offshore, near shore and
on-site delivery. Since outsourcing is the core business
for the service providers, they would potentially have
more stringent security policies, ISO and other industry
security certifications, extensive background checks and
tightly monitored logical and physical security controls.
In some cases, outsourcing vendors might provide a
relatively more secure environment.
It might not be feasible to outsource all
compliance activities, so why bother? If a company can’t
outsource its entire compliance function, should it just
keep everything in house? Outsourcing bits and pieces
might increase complexity without adding much value.
Compliance is a special activity
where selective outsourcing makes sense. Unlike
outsourcing of HR or IT, compliance outsourcing often
focuses on just part of the overall compliance function.
In fact, it’s generally better to retain processes that
currently have regulatory compliance issues, require
high levels of subjective judgment, or are subject to
particular local/global regulatory constraints.
Given today’s growing compliance and
talent challenges, compliance outsourcing is an idea whose
time has come. Many organizations are already struggling
to find the qualified talent they need to achieve compliance
in an increasingly complex regulatory environment.
They are also struggling to justify and fund an in-house
compliance function that is large and constantly growing.
Compliance outsourcing can help an organization
satisfy its regulatory requirements and achieve a high
level of compliance using a delivery model that is both
highly responsive and cost-effective. In addition, it allows
the organization’s leaders and managers to focus more
of their attention on core business functions and go-to-
market strategies that drive financial performance and
shareholder value. Although the organization remains
responsible for compliance and its associated risks,
the use of an outsourcing model can enable leadership
to selectively employ a mix of internal and external
resources to meet compliance demands. When making
a decision about compliance outsourcing, leadership
should look closely at a provider’s capabilities, experience,
culture, values, and ability to fit in seamlessly as part of the
organization’s extended enterprise. After all, compliance—
even when outsourced—still requires a strong connection
to the organization’s day-to-day business operations.
In the wake of the economic downturn,
In this difficult regulatory environment, the compliance
function has taken center stage and the Chief Compliance
Officer (CCO) is now an official member of the C-Suite.
In our conversations with CCOs from some larger
banking institutions, it was obvious that many were
reaching a tipping point in terms of maintaining sufficient
levels of experienced compliance professionals to deal
with the new requirements of financial reform legislation
and more demanding regulators.
CCOs are now seriously considering compliance
outsourcing as an important option for them in stabilizing
their resource model and maintaining an effective and
efficient compliance program. If certain compliance
processes are outsourced, regulators would have high
expectations in terms of an institution’s ability to carefully
select a highly qualified third party vendor and to provide
for effective oversight of the execution of the outsourced
compliance activities. In today’s demanding regulatory
environment, compliance outsourcing is a viable strategic
resource alternative to have in a CCO’s toolkit.
Vishal Chawla is a Principal with Deloitte & Touche LLP.
Thomas F. Rollauer is the Executive Director, Center for
Regulatory Strategies Deloitte & Touche LLP.