The Australian Securities & Investments Commission published a review of how responsible entities (REs) of registered managed investment schemes use offshore service providers (OSPs) and manage the associated risks, with a focus on oversight frameworks and cyber security and resilience. It reiterated that REs, as Australian financial services licensees, retain ultimate responsibility under the Corporations Act 2001 for fund operations, and found that the quality of risk management arrangements for offshore outsourcing varied across the REs reviewed. The review was conducted in two phases, covering 30 REs and a deeper end-to-end assessment of 10 REs, together responsible for 392 funds and AUD 191,364 million in assets under management. Seventeen of the 30 REs reported outsourcing at least one business function offshore over the preceding two financial years, with commonly outsourced services including investment process management and oversight, portfolio administration, custody, fund administration and transaction processing. ASIC highlighted risks including loss of control over outsourced functions, data and technology risks arising from foreign legal regimes, challenges in detecting and managing cyber incidents, operational disruptions, and reduced effectiveness of supervision where people and processes are offshore. While the 10 REs generally maintained appropriate oversight systems, areas for improvement included due diligence processes, clearer service level agreement metrics, ongoing performance monitoring, resourcing and skills for oversight, mechanisms to address service level breaches, and stronger cyber security and resilience. ASIC encouraged REs to apply the review’s findings alongside existing guidance on risk management and compliance oversight, particularly where they use or plan to use OSPs. It will continue monitoring governance and risk management frameworks across financial services entities and may hold firms to account where inadequate controls expose consumers and investors to harm.
Australian Securities & Investments Commission 2025-10-10
Australian Securities & Investments Commission review finds uneven risk management for offshore outsourcing by fund responsible entities
The Australian Securities & Investments Commission (ASIC) reviewed offshore service providers used by responsible entities (REs) of registered managed investment schemes, focusing on oversight frameworks and cyber security. The review, covering 30 REs and a detailed assessment of 10, found varied quality in risk management for offshore outsourcing, highlighting risks like loss of control, data and technology issues, and cyber incident management. ASIC urged REs to improve due diligence, service level agreements, and cyber resilience, and will continue monitoring governance and risk management frameworks.