IT Compliance Institute, December 14, 2004:

Best Practices

Best Practices for Basel II Outsourcing

Third-party “service banks” may provide the manpower, but liability remains with the regulated institution.

By Mathew Schwartz

How can banks maintain Basel II best practices? One approach is to work with third-party “service banks” that offer traditional outsourcing benefits: by pooling resources, banks can decrease operational risk and operating costs.

Yet simply relying upon such firms won’t be enough, cautions Jost Hoppermann, vice president of research for European financial services at Forrester Research. Banks must strengthen not only management oversight of outsourcing, but also in-house compliance controls, because no matter the outsourcing arrangement, the regulated bank is still liable for any Basel II violations. ComplianceNOW spoke with Hoppermann to learn more.

What’s the deadline for Basel II compliance?

There is no single deadline for Basel II compliance anymore. The non-advanced Basel II approaches for credit and operational risk must be in place by the end of 2006, according to the Basel committee on banking supervision. The more advanced approaches are subject to different timelines. The most advanced approaches to risk measurement, for example, will be available for implementation by year-end 2007, in order to allow banks and supervisors to benefit from an additional year of impact analysis or parallel capital calculations under the existing and new rules. But, and here’s a large “but,” Basel II has no automatic impact on national law, so at least in theory each national regulator is free to change anything.

The U.S. regulators, for example, are still working on a benchmarking study on the advanced-measurement approach. A summary may be expected in early 2005. Current plans for Basel II focus on the implementation of the Advanced Management Approach for Credit Risk and the Advanced Internal Ratings Based method for operational risk. U.S. banking agencies anticipate that the framework would become fully effective in the United States in January 2008. Additional U.S. banks may opt in if they meet the necessary requirements. All other banks will remain under the current Basel I-based U.S. regime.

Are there examples yet of how banks are using outsourcing arrangements to help meet Basel II requirements?

There are a couple of instances in Europe, not in regard to Basel II and outsourcing companies, but in regard to what I call a “service bank.” Depending on its operating mode and on the European country, these services banks may or may not need a banking license. These service banks offer credit and mortgage processing, [and] payment and custodian services, as well as settlement to other banks. So the idea is quite close to saying that if banks can offer payment services and credit and mortgage processing services to other banks, maybe it would make sense to also create certain Basel II centers, where all of the necessary and maybe improved risk-management processes and interfaces are in the scope of a credit factory service to banks.

In fact, some banks already use credit factories with partnering banks or sub-contractors. Such a credit factory may have these improved processes for operational risk. It is obvious that improved operational risk management process and improved risk reporting can cause increased operational costs, but this cost burden will be carried by a number of banks.

In an outsourcing relationship, who’s liable for Basel II violations?

A bank cannot outsource the responsibility for Basel II compliance. If operational risk goes up with the outsourcing operation of a bank, it’s obviously a challenge for the bank. What can be done is that a bank could try to cover this risk by covering the risk with the capital of the outsourcing company. Depending on many factors including the size of the outsourcing company, the number and size of its customer banks, this is not very realistic option for too many banks from my viewpoint. The outsourcer could also cover the risk via an insurance policy, but both solutions will drive the cost up.

So it comes down to having a look at how the outsourcing company is managing its operational risk. It’s probably a good candidate for a selection criterion for choosing an outsourcer. What kinds of processes are there, what kind of data did they collect, also what kind of contingency plans do they have, [and what are their] availability concepts?

Do you think overseeing Basel II outsourcing relationships will challenge banks?

So the question is, will banks have to improve a lot with regard to outsourcing management? A typical analyst answer: it depends. And just to be a bit more concrete, there are some banks that have established quite good, quite sophisticated, outsourcing management functions. And I think these banks will not have to improve their outsourcing management functions too much. But, they still have to have a look at the operational risk issues, because there is a direct impact on the capital requirements, so there’s a stronger impact on the business side.

There are also banks that neglect outsourcing management, and they will obviously have to improve. They need to establish some operational-level control and management oversight of outsourcing. Basel II requires a strengthened position of a bank’s internal compliance function. This compliance function must collaborate with the outsourcing management function or—if there is none—the compliance function must be augmented by oversight of outsourcing.

Will it be difficult to find Basel II outsourcers?

I’m getting a lot of questions from the user side, as well as from the vendor side—“Can you tell me which companies are working in the Basel II space?”—and the problem is the answer is, who is not? Or to be a bit more serious, Basel II is definitely a huge effort that’s commercially attractive for most, if not all, IT service providers, software infrastructure vendors … and also a large number of general, risk-management software providers as well as software companies with dedicated Basel II software products.

But as there is no single piece of software that alone will make a bank Basel II compliant, there is no “Basel II outsourcer” yet. There are IT services companies with special Basel II offerings. These offerings include predefined Basel II architectures for the Basel II planning and design phase as well as Basel II pooling for later phases. Is it difficult to find a company offering outsourcing services in business domains related to Basel II, such as credit processing? Probably not. However, it will be necessary to have a look at its operational risk management experience and expertise as well as its history regarding Basel II and related topics.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.

This article originally appeared in IT Compliance Insitute and is reprinted by permission of 1105 Media, Inc.