The corporate regulator has urged financial services firms to tighten governance and risk controls around offshore outsourcing after a review uncovered patchy practices that could expose consumers and investors to harm.
ASIC said its examination of financial advice licensees and responsible entities (REs) for registered managed investment schemes found widely varying standards in how offshore service providers (OSPs) are used and overseen. In some cases, entities did not have a framework in place to manage the risks.
Commissioner Alan Kirkland said Australian financial services licensees remain accountable for how their businesses operate, even when functions are outsourced to overseas providers directly or via intermediaries. ‘Advice licensees and REs can outsource services but they cannot outsource their fundamental obligations,’ said Commissioner Kirkland.
‘When licensees neglect their responsibilities, consumers, investors, and financial services businesses can be exposed to harm, such as exposure of personal information through cyber incidents.’
ASIC said licensees should be able to independently identify material risks, and assess an offshore provider’s performance and ongoing suitability. ‘The more critical the outsourced function, the greater the risks to consumers and investors,’ Commissioner Kirkland said. ‘The risks can be exacerbated when outsourced functions are not supervised adequately, particularly if they are outsourced internationally.’
The regulator highlighted the potential for loss of control over key functions, operational disruptions, and conflicts where offshore providers face foreign legal obligations. It warned the industry against complacency as cyber threats proliferate. ‘Financial services firms cannot drop their guard. Cyber-attacks, for example, are more prevalent and growing in sophistication. All licensees must proactively review governance frameworks and address issues that threaten to undermine public confidence in their business and in turn, the financial system.’
ASIC said it will continue to scrutinise governance and risk management frameworks and will hold entities to account where processes are inadequate to protect consumers and investors.
The warning comes amid increased enforcement around cybersecurity failings. ASIC has commenced proceedings against FIIG Securities and Fortnum Private Wealth over alleged failures to manage cyber risks. In 2022, the Federal Court found in favour of ASIC in a landmark case against RI Advice, ruling the firm breached its licence obligations to act efficiently and fairly by failing to maintain adequate risk management systems for cybersecurity.
Regulatory guidance allows AFS licensees to outsource functions, but they remain responsible for complying with their obligations. ASIC expects firms to exercise due skill and care in selecting suitable providers, monitor performance on an ongoing basis, and respond appropriately to any breaches of service levels or general obligations, consistent with Regulatory Guide 104. Failure to adequately supervise outsourced functions can undermine licence operations, lead to legal non-compliance and cause consumer harm.
ASIC has published separate reviews of offshore outsourcing by financial advice licensees and by responsible entities, outlining common gaps and better-practice approaches. The regulator also pointed to existing guidance for funds management compliance and oversight, and risk management systems for fund operators, to support firms in lifting standards.