Governance of Financial Services Outsourcing: Managing Misconduct and Third-Party Risks
Financial institutions increasingly rely on third parties to provide their core business processes and information technology. With the rapid growth and spread of outsourcing in the financial services market, the key question is how to establish a governance framework to limit agency problems and manage risk. In our paper, we examine the preferences of financial institutions themselves for managing third-party functions. The challenge is to assess the extent to which financial transactions influence management’s overall strategy for projects most likely to be outsourced to a third party. Specifically, we focus on the cost effectiveness of outsourcing, the extent to which core business processes are outsourced and the specialized capacity of the vendor that is necessary for accomplishing the project.
We find that most financial institutions mention IT and data management systems as the most frequently outsourced activities, together with traditional accounting and compliance processes as the next most common outsourced activities. In making the decision to outsource, we find that financial institutions place the most emphasis on the overall cost and competitive benefits of outsourcing. Moreover, institutions outsource for a variety of other important reasons, including access to specific knowledge, greater focus on core processes, scalability, and increased service-level performance. We show that the outsourced activities that pose the most risk are data management and core business processes. We further examine how and to what extent different types of risk affect the outsourcing relationship. We find that a number of factors, including frequent staff and senior management changes, will contribute to the increased likelihood of fraud.
Next, we study the governance mechanisms of outsourcing and the institution’s ability to monitor third parties. We find that firms rely mainly on internal auditing and whistleblowing to uncover fraud in third-party relationships. Firms also use several specific actions to detect fraud: site visits and special investigative team monitoring are examples of techniques that firms employ to monitor fraud risk. Finally, we investigate contractual termination as a response to supplier misconduct. We find that vendor dependency and product complexity play a pronounced role in delaying the termination of the contract. Our results suggest that there are great difficulties associated with replacing a supplier, suggesting that well-designed contingency plans are important.