The Australian Securities & Investments Commission (ASIC) published findings from a review of Australian financial services advice licensees’ use of offshore service providers (OSPs), particularly where services are accessed through intermediary businesses. The review found wide variation in risk management quality and raised concerns that most licensees did not have adequate arrangements to assess, appoint and monitor offshore outsourced services used by their representatives, despite licensees retaining ultimate responsibility under the Corporations Act 2001. ASIC reviewed 10 advice licensees and conducted an end-to-end assessment of onboarding due diligence, ongoing performance monitoring and supervision, and cyber arrangements for protecting personal and sensitive client information. More than 300 representatives across these licensees had used OSPs at some point over the past two years, and ASIC also engaged with six intermediary providers connecting Australian businesses with offshore resources including in the Philippines, India and Sri Lanka. The review highlighted gaps such as missing or incomplete offshore outsourcing policies, information technology policies that did not set specific requirements for offshore staff, lack of regular audits of representatives’ OSP use, inability to identify all representatives using OSPs, absence of real-time alerts and access logs for OSP activity, and reliance on intermediaries’ cyber security representations without independent verification. ASIC set out practical considerations for licensees across areas including appointing and disclosing use of OSPs, monitoring compliance, managing cyber and privacy risks, monitoring system access and incident response. It will continue to monitor financial services entities’ governance and risk management frameworks and hold them to account where they lack processes to protect consumers and investors from harm.

Original source View in tracker