Financial institutions have become highly reliant on outsourcing core business processes to third-party service providers. In the past two decades, the growth and expansion of outsourcing has allowed institutions to lower costs and acquire higher-quality services to sustain their competitive advantage. However, there is also evidence that outsourcing has generated new risks. Some of these risks stem from institutions increasingly outsourcing their cyber security and data security functions to a small number of third-party supplied IT systems.

The Great Financial Recession revealed weaknesses in the internal control and monitoring capabilities of some financial institutions. Following the Great Recession, regulators have revised their guidelines for third-party relationships based on a framework that involves service provider selection, contractual terms, ongoing monitoring and termination. The premise underlying the revised guidelines is that institutions should strengthen their third-party risk management programs to mitigate the operational and legal risks to the firm. However, prior research raises the question of whether contractual governance alone can successfully manage outsourcing relationships due to contractual complexity. Of course, contracts contain many control mechanisms that are associated with better outcomes in outsourcing relationships. However, there are few studies on the extent to which financial institutions have implemented measures that have proved sufficient in third-party risk management. 

In our paper, Governance of Financial Services Outsourcing: Managing Misconduct and Third-Party Risks, we conduct a survey of financial institutions on their preferences and beliefs about the potential risks connected with third party activities and the controls to monitor and manage these risks. In our survey, we ask four main questions. First, we ask institutions about the types of functions outsourced, the level of outsourcing risk in the financial sector and the risks associated with service providers. Second, we ask firms to identify the leading types of fraud that arise in the financial sector. Third, we query firms on the most effective governance mechanism to uncover misconduct. Finally, we ask firms about the actions that they are willing undertake when there is misconduct.

We find that institutions, in making the decision to outsource, place the most emphasis on the overall cost and competitive benefits of outsourcing. Also, they tend to outsource for a variety of other important reasons, including access to specific knowledge, greater focus on core processes, scalability, and increased service-level performance. Second, there is very little doubt that the outsourcing of data management and core business processes pose the most risks for financial institutions. Moreover, frequent staff turnover and senior management changes are seen as major sources of fraud or misconduct in service providers. Third, we find that financial institutions rely mainly on internal auditing and whistleblowing to uncover fraud in third-party relationships. Moreover, they also continue to rely on traditional mechanisms, such as site visits and special investigative team monitoring, to monitor fraud risk. Finally, contractual termination does not appear to provide a significant response to supplier misconduct. The data show that vendor dependency and product complexity play a pronounced role in delaying the termination of the contract.

This paper contributes to the literature on the risks arising from financial services outsourcing. Prior literature finds that the link between the outsourcing level and risk is well established. Gonzalez et al. (2010) conclude, for example, that excessive dependence on the service provider is a major outsourcing risk. Other studies emphasize the major risks involved in outsourcing complex products or services, e.g. as reported by Ernst & Young in 2013. Our paper contributes to the literature showing that the link between vendor dependency and product complexity can lead to excessive risk in third-party relationships. Our paper also adds to the literature on fraud and misconduct in financial services outsourcing. Coram et al. (2008) find that firms with an internal audit function are more likely to detect fraud than are those without such a function. Lastly, our findings suggest not only that internal monitoring is the most preferred detection mechanism, but also that whistleblowing plays an important role in this context.