Increased outsourcing of services involving sensitive customer data calls for stricter reporting standards
As outsourcing and demand for third-party assurance (TPA) reporting continue to rise, some outsourced service providers (OSPs) are proposing to take a cue from the Olympics by rating the quality of assurance reporting according to the various medals athletes can win in competition.
Despite a 20 percent increase in outsourcing and demand for third-party assurance reporting over the past five years, neasrly half (48 percent) of OSPs recently surveyed remain unclear about whether their organizations are using the best method to improve the TPA reporting process, according to the results of a June 2016 poll by Deloitte Advisory, published in a report titled Outsourcing assurance and compliance: Driving upside opportunity while addressing downside risk.The poll surveyed 2,070 professionals from a variety of industries, including banking and securities, technology, investment management, and insurance.
TPA reports are often complex and reflect the differing requirements of customers. Outsourcing a firm’s business can introduce risks ranging from cyber-security lapses, which can result in the compromising of customer data, to failure of third parties to adhere to a client company’s own compliance practices. Customers often have security concerns about the way their personal data is being handled and it’s imperative that companies hold OSPs they contract with to the same standards of risk monitoring and regulatory compliance as the companies themselves are held to.
‘An effective TPA assurance program can provide the compliance-related information that OSPs and users are required to communicate and report,’ says Dan Kinsella, a partner at Deloitte Advisory and head of its third-party risk management practice..‘For users of outsourced services, it’s critical to manage any potential risk to the organization and to have proper assurances that the OSP is managing data in a safe environment.’
‘TPA programs must create value through strengthening trust between parties, managing costs, and sustaining relationships through effective compliance management,’ Kinsella says. In order to create a TPA optimization plan, OSPs need to consider a customer’s risk environment and identify gaps and overlap in current reporting processes in order to meet customer needs. Before hiring an OSP, companies need to have clear expectations of what they require in a TPA report and communicate those needs to the OSP.
The multi-tier quality control system that some servicer providers have proposed would allow a company that is outsourcing compliance to specify in its contract with a service provider the level of assurance reporting it is paying for – designated as gold, silver and bronze, for example, Kinsella says. The idea is based on the premise that customers would be willing ‘to pay more for higher levels of third-party assurance and other reporting.’