Compliance Outsourcing—Differing Points of View

Arrows Is it a viable option for tackling today’s growing compliance challenges?

By Vishal Chawla and Thomas F. Rollauer

Compliance risks and costs are on the rise. An increasingly complex regulatory environment is stretching many corporate compliance departments to the breaking point and sending the cost of compliance through the roof. Meanwhile, the fines, lawsuits, and reputational damage that can result from non-compliance continue to grow. In extreme cases, they might even threaten an organization’s existence.

In response to these challenges, a number of leading organizations are now outsourcing some or all of their compliance activities to vendors that specialize in compliance operations.
Is this a good idea, or is it better to keep all compliance activities in house? Deloitte & Touche executives Vishal Chawla and Thomas F. Rollauer offer different opinions on the topic.


CHAWLA SAYS: Outsourcing compliance might reduce quality or increase costs. Using world-class specialists who can be relied upon to do a good job seems likely to cost more than using in-house staff.

ROLLAUER SAYS: Outsourcing can actually improve compliance quality while lowering costs. Outsourcing vendors are able to deliver world-class compliance services at a competitive cost by capitalizing on economies of scale that result from standardized tools and processes and resource sharing across multiple clients.


CHAWLA SAYS: Regulators might not be comfortable with outsourced compliance. Compliance has traditionally been managed as an integral part of business operations. Shifting responsibility for compliance activities to an outside party could lead to increased scrutiny from regulators.

ROLLAUER SAYS: Regulators welcome new approaches that improve compliance. With outsourcing, the vendor provides specialization and handles day-to-day compliance operations but the organization ultimately retains responsibility for its own compliance. Typically, regulators are very open to non-traditional approaches if it helps an organization achieve a high level of compliance.


CHAWLA SAYS: Compliance talent is scarce so companies need to stock up. Growing compliance demands and increased regulatory complexity are creating a severe shortage of compliance specialists. Finding qualified compliance talent is fast becoming a strategic imperative.

ROLLAUER SAYS: Compliance talent is scarce so companies need to share. Organizations around the world require top-notch compliance talent, but they don’t need it each second of every day. The core business of outsourcing service providers is to recruit, train and deploy world-class talent with a significant scale. In addition they provide a leveraged talent model aligned with complexity and specialization as per compliance process requirements. The outsourcing model gives access to this talent on an as needed basis. This is a more efficient and effective talent approach for compliance skills.


CHAWLA SAYS: Sharing sensitive data with third parties could be a deal breaker. Outsourcing compliance is likely to require sharing sensitive or private data beyond organizational and national boundaries. This could be a problem in some situations.

Challenges such as data sharing aren’t insurmountable—they just need to be carefully managed. A mature outsourcing provider can be engaged in various outsourcing models—company owned captive, joint-captive, company defined data security & privacy governance model, offshore, near shore and on-site delivery. Since outsourcing is the core business for the service providers, they would potentially have more stringent security policies, ISO and other industry security certifications, extensive background checks and tightly monitored logical and physical security controls. In some cases, outsourcing vendors might provide a relatively more secure environment.


It might not be feasible to outsource all compliance activities, so why bother? If a company can’t outsource its entire compliance function, should it just keep everything in house? Outsourcing bits and pieces might increase complexity without adding much value.

ROLLAUER SAYS: Compliance is a special activity where selective outsourcing makes sense. Unlike outsourcing of HR or IT, compliance outsourcing often focuses on just part of the overall compliance function. In fact, it’s generally better to retain processes that currently have regulatory compliance issues, require high levels of subjective judgment, or are subject to particular local/global regulatory constraints.


CHAWLA SAYS: Given today’s growing compliance and talent challenges, compliance outsourcing is an idea whose time has come. Many organizations are already struggling to find the qualified talent they need to achieve compliance in an increasingly complex regulatory environment. They are also struggling to justify and fund an in-house compliance function that is large and constantly growing.
Compliance outsourcing can help an organization satisfy its regulatory requirements and achieve a high level of compliance using a delivery model that is both highly responsive and cost-effective.

In addition, it allows the organization’s leaders and managers to focus more of their attention on core business functions and go-to-market strategies that drive financial performance and shareholder value. Although the organization remains responsible for compliance and its associated risks, the use of an outsourcing model can enable leadership to selectively employ a mix of internal and external resources to meet compliance demands. When making a decision about compliance outsourcing, leadership should look closely at a provider’s capabilities, experience, culture, values, and ability to fit in seamlessly as part of the organization’s extended enterprise. After all, compliance—even when outsourced—still requires a strong connection to the organization’s day-to-day business operations.

In the wake of the economic downturn, the financial services industry is still reeling, including dealing with a multitude of new regulations emanating from the Dodd-Frank Wall Street Reform and Consumer Protection Act and a regulatory regime determined to prevent such a situation from ever happening again. Regulators are now laser-focused on the “systemically important financial institutions” (SIFIs) and have made their heightened expectations very clear that these large complex organizations will have strong risk management, compliance and control programs in place.

In this difficult regulatory environment, the compliance function has taken center stage and the Chief Compliance Officer (CCO) is now an official member of the C-Suite. In our conversations with CCOs from some larger banking institutions, it was obvious that many were reaching a tipping point in terms of maintaining sufficient levels of experienced compliance professionals to deal with the new requirements of financial reform legislation and more demanding regulators.

CCOs are now seriously considering compliance outsourcing as an important option for them in stabilizing their resource model and maintaining an effective and efficient compliance program. If certain compliance processes are outsourced, regulators would have high expectations in terms of an institution’s ability to carefully select a highly qualified third party vendor and to provide for effective oversight of the execution of the outsourced compliance activities.

In today’s demanding regulatory environment, compliance outsourcing is a viable strategic resource alternative to have in a CCO’s toolkit.

Vishal Chawla is a Principal with Deloitte & Touche LLP. Thomas F. Rollauer is the Executive Director, Center for Regulatory Strategies Deloitte & Touche LLP.