Financial Services Outsourcing: New Roles and Risks under a Consumer Financial Protection Agency

May 18, 2010 by

The financial services industry is facing major regulatory changes following the global sub-prime credit crisis and ensuing recovery plans.  These changes will have a major impact on outsourcers that deal with consumer financial information or in back-office support for financial investment transactions that are deemed unfair, deceptive or abusive.  The adoption of a new Consumer Financial Protection Agency Act would have a significant negative impact on the risks and costs of outsourcing of IT and business process functions by companies that deal with consumers.  It would invite a new view of risk allocation between enterprise customers and independent contractors as outsourcers, increasing the costs of doing business by putting the service provider into a new role of whistleblower.  It remains to be seen whether the analysis of public policy in this arena will spill over into other industries and other types of outsourcing.

Draft Consumer Financial Protection Agency Act

As of mid-May 2010, the U.S. Congress was considering possible enactment of financial regulatory reform. Among the proposals is the draft “Consumer Financial Protection Agency Act,” as inserted into another draft law, H.R. 4173, “Wall Street Reform and Consumer Protection Act of 2009,” referred to Senate committee after being enacted by the House. This consumer protection bill was originally H.R. 3126, 111th Cong., 1st Sess.; H. Rept. No. 111-367 (Dec. 9, 2009) (“Draft CFPAA”). As the dissenting Republicans observed in that December 2009 House report:

    Rather than address the failure of banking regulations related to consumer protection and the failure of the States to police activities under their purview (e.g., mortgage brokers and real estate agents), the proposed legislation to create the CFPA seeks to consolidate the consumer protection jurisdiction of all banking regulators into one new agency and regulate many new activities and persons that largely are unrelated to the financial markets or the crisis of 2008. (Dissenting views).

General Scope. If enacted, this proposed reform would transfer enforcement of consumer financial protection laws from various existing agencies (including the SEC). The new commission would regulate:

    (1) brokers and dealers registered under the Securities Exchange Act of 1934;
    (2) investment advisers under the Investment Advisers Act of 1940;
    (3) investment companies (mutual funds) under the Investment Company Act of 1940;
    (4) national securities exchanges under the ’34 Act;
    (5) a transfer agent under the ’34 Act;
    (6) clearing corporations under the ’34 Act;
    (7) municipal securities dealers and self-regulatory organizations registered with the SEC;
    (8) national securities exchanges and the Municipal Securities Rulemaking Board.

Regulation of “Financial Activity.” Under H.R. 4173, Sec. 4002 (19) (A), the term “financial activity” means any of many activities. (The list is long, so we have put it in a separate document.)

Liability of “Covered Persons” and “Related Persons.” Under the proposed law, a “covered person” subject to regulation would include “any person who engages directly or indirectly in a financial activity, in connection with the provision of a consumer financial product or service.” This definition is so broad, and governmental involvement in financial operations so extensive, that the draft specifically excludes the Secretary, the Department of the Treasury, any agency or bureau under the jurisdiction of the Secretary (H.R. 4173, Sec. 4002 (9)(A)(B)), or any federal tax collector.

Vicarious Liability on Certain “Consultants” and “Independent Contractors.” The proposed law would treat “related persons” in the same manner, and impose the same punishments, as for “covered persons.” By adopting a sweeping definition of “covered person” and an equally sweeping definition of “related person,” the proposed law puts outsourcers at risk of direct liability for merely doing the tasks assigned under a Master Services Agreement in the ordinary course of business. There would be a distinction between consultants and service providers. A “related person” would include either:

  • a “consultant” that, as the new Consumer Financial Protection Commission determines (whether by regulation or on a case-by-case basis), “materially participates in the conduct of the affairs of such covered person” (H.R. 4173, Sec. 4002 (33)(A)(ii)); or
  • “any independent contractor (including any attorney, appraiser, or accountant), with respect to such covered person, who knowingly or recklessly participates in any–(I) violation of any law or regulation; or (II) breach of fiduciary duty.” (H.R. 4173, Sec. 4002 (33)(A)(iii)).

Liability of Outsourcers for “Unfair, Deceptive or Abusive Acts or Practices.” The proposed Consumer Financial Protection Agency Act would not require “related persons” to register with the commission. However, they would be liable for “unfair, deceptive or abusive act or practice in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.” (H.R. 4173, Sec. 4301(a)).  The proposed law would impose federal criminal liability on anyone (including outsourcers as “related persons”) if they are shown to “knowingly or recklessly provide substantial assistance to another person in violation” of the new statute and regulations on “unfair, deceptive or abusive acts or practices.” “Related persons” would be “deemed to be in violation of that section to the same extent as the person to whom such assistance is provided.” (H.R. 4173, Sec. 4308(3)).

Outsourced Business Functions that Would be Exempt. The draft law would exclude certain functions that are typically outsourced from the scope of “financial activity” that would be regulated.

  • “Financial data processing” would be excluded from the definition of “financial activity.” H.R. 4173, Sec. 4002(19)(A)(xi). However, even assuming that the mechanical conditions of processing were satisfied under this exclusion, there remains a subjective standard that could ensnare the outsourcer in an ITO or BPO context: Does the outsourcer provide “a material service to any covered person in connection with the provision of a consumer financial product or service”? (H.R. 4173, Sec. 4002 (19)(A)(xi)(II)(cc))
  • Providing certain “information products or services” that are “incidental and complementary” to any activity that the new commission defines as a “financial activity” would be excluded. (H.R. 4173, Sec. 4002 (19)(A)(xvi)(I)(bb)) Specifically, there would be no regulation of such ITO or BPO services that are for identity authentication, fraud or identity theft detection, prevention, or investigation; document retrieval or delivery services; public records information retrieval; or for anti-money laundering activities. That exposes BPO providers of other business functions, such as mortgage and credit card origination, credit verification, and virtually everything else that is not clearly excluded by the draft law.

Neither of these exclusions addresses the growing use by the financial services industry of third party ITO, BPO and LPO services for labor-intensive or labor-value services. This draft law could bring vicarious liability for providers of such services, as due diligence for investment banking and finance usually has some consumer financial impact, whether in the design of analytics, the design and structuring of financial products or services, or document review in an acquisition, divestiture or financing (where “consumers” might be investors in one of the deal participants).

Outsourcers as Auditors and Whistleblowers: The “Knowing or Reckless” Standard of Care for Outsourcers. The draft law would cover independent contractors providing services in support of “financial activity,” but only if their conduct were “knowing” or “reckless.” This standard could establish vicarious liability when the outsourcer “knew” that its actions would be unfair, deceptive or abusive, or because the outsourcer failed to become informed on the legality of its support for its financial institution customer’s unfair, deceptive or abusive practices. In effect, the consultants and outsourcers (other than data transmitters) are enlisted as surrogate auditors and whistleblowers with a duty to cease rendering their services if they “knowingly” or “recklessly” participate in their customer’s unfair, deceptive or abusive practices.

Additional Costs of Outsourcing. This role would be a new one. It would entail additional costs of legal reviews and audits by the service provider’s own independent regulatory experts (more lawyers and accountants) and additional premiums for new “directors and officers” liability insurance (if indeed such insurance would cover such vicarious liability). It would add hidden costs on the outsourcer that would have to be added to the service charges in order to segregate service costs from legal compliance costs.

Additional Risks of Termination. Under these circumstances, regulated financial institutions and financial service enterprises would face the risk that a whistleblowing outsourcer could unilaterally terminate an ITO or BPO services agreement. Lawyers would argue about the conditions and consequences of when an outsourcer could do so. Relationship governance would involve a new discussion about illegality.

  • Service providers would want the right to terminate if, in their good faith opinion, the enterprise customer was engaged in any violation of this draft law or its regulations.
  • Financial services enterprises would want a slower trigger.  One can imagine a series of steps that delay termination, with notices, opportunity to cure, maybe an independent legal opinion as a letter of comfort (thus escaping “recklessness” as a risk but not necessarily escaping “knowingly” risk).

Due Diligence Process. If this draft law is enacted, it would force service providers to clients engaged in any “financial activity” to conduct due diligence into the legality of the proposed customer’s business practices for the protection of consumers’ financial rights. Such an investigation would normally include questions about existing and future practices as well as information on the actions or recommendations of incumbent service providers who might have sought termination to avoid vicarious liability.

Adverse Impact on Business Process Transformation, Process Change and Operational Innovation. The draft law would impose direct liability on “consultants” who “materially participate” in a financial business.  The concepts of “materiality” and “participation” are so broad that any outsourcer who administers any of the “affairs” of its enterprise customer will be treated as such a “consultant” if the outsourcer proposes changes in the “covered person’s” business. This would stifle any proposals by outsourcers for business process transformation, even simple process changes, since the outsourcer might no longer be treated under the “independent contractor” standard of knowing or reckless violation or breach of fiduciary duty.

Spill Over to Other Industries and Outsourcing Services. For perhaps the first time, the draft CFPAA raises the specter of service providers worrying about the risk of vicarious liability because they support a criminal enterprise. “Aider and abettor” liability exists already in relation to the sale or distribution of “securities.” The question now is whether service providers should change their current practices and contract risk allocation in light of such a specter. Informed executives will get more information as this political process unfolds.

Code of Ethics for Auditors: Some Case Studies and Legal Principles in Auditing Standards

October 9, 2009 by

Auditors have their own codes of ethics. Where there is no code of ethics, or where the code of ethics permits a degree of conflict of interest, the auditors tread at their own risk. The following case study underscores the traditional common law obligations of auditors as fiduciaries, even before the adoption of the Sarbanes-Oxley Act of 2002. This section covers some basic issues in auditing standards.

Case Study #1: Cap Gemini and Ernst & Young, Potential Self-Dealing

Responding to SEC criticism of ostensible conflicts of interest, some major accounting firms, such as KPMG and Arthur Andersen, have spun off their consulting arms as independently owned and managed entities. Ernst & Young LLP chose another route. The story of E&Y and its alliance with Cap Gemini leads from a regulatory no-action letter to a court case alleging breach of the accountant’s fiduciary duty. The tale leads to “lessons learned.”

Independence of Auditors: SEC No-Action Letter to Ernst & Young LLP on Alliance with Cap Gemini Ernst & Young LLC.
By no-action letter dated May 25, 2000, the SEC’s Chief Accountant advised Ernst & Young LLP that it would consider E&Y to maintain its independence even though Cap Gemini Ernst & Young were to provide IT services to E&Y audit clients. The no-action letter imposed a number of conditions that “(1) limit at the outset and within five years end E&Y’s equity interest in Cap Gemini; (2) impose limitations on Cap Gemini’s use of the E&Y name; (3) require a strict separation of E&Y and Cap Gemini’s corporate governance; (4) forbid any revenue sharing between E&Y and Cap Gemini; (5) forbid any joint marketing agreements between E&Y and Cap Gemini; and (6) restrict any shared services between E&Y and Cap Gemini.” Letter of Lynn E. Turner, Chief Accountant of SEC, to Kathryn A. Oberly, Esq., Ernst & Young, May 25, 2000.

Litigation Alleging Breach of Accountant’s Fiduciary Duty; Liability for Systems Integrator’s Nonperformance.
Unfortunately, an SEC no-action letter is not a vaccine against client lawsuits. Accountants engaged in management consulting should pay careful attention to a ruling against Ernst & Young, LLP (“E&Y”) and its successor in interest (by sale of consulting business), Cap Gemini Ernst & Young, U.S. LLC (“CGEY”). This case is instructive to anyone in a licensed professional capacity engaged in ancillary or multidisciplinary consulting practice.

Pre-Trial Ruling.
In a pre-trial ruling in early January 2002 on a motion to dismiss, without deciding the final outcome, the court found that E&Y was potentially legally subject to claims of breach of fiduciary duty and punitive damages arising out of a failed software implementation by CGEY, a company in which apparently E&Y is a substantial owner. (There was no allegation or showing of a failure to exercise the skill and care of a reasonably diligent accountant, so the court noted that there were no claims of professional malpractice (whether relating to accounting or computer consulting).)

Alleged Misrepresentations by Accountants.
The alleged facts of the case, if true, would be particularly egregious. The following reports are provided according to the court’s pre-trial decision. Whether the allegations will be proven remains to be seen.
In June 2000, E&Y recommended to a client, a medical and nutritional company, to retain CGEY as the vendor to implement a commercial off-the-shelf software package that the client had selected, based on E&Y’s recommendation, for its short and long-term business needs. E&Y made a number of representations to the client to induce the client to hire CGEY, and the court concluded that, without those representations, the client would probably have selected another IT service provider. E&Y reportedly represented that (1) CGEY was competent, experienced and qualified to implement the system selected by E&Y, and (2) CGEY’s performance of services had already been “coordinated” with E&Y.

Existence of Fiduciary Duty.
A fiduciary relationship existed between the accounting firm and its client for several reasons. First, the client had developed a relationship of trusting the accounting firm’s judgment based on prior professional services. Second, the accounting firm offered to provide additional consulting services. Third, the medical and nutritional company was less sophisticated than the accounting firm in the “specialty” for which the accounting firm and the services firm were hired.

Potential Breach of Accountant’s Fiduciary Duty.
Thus, “[w]hen a fiduciary fails to disclose personal interests preliminary to contract, and/or represents the existence of a questionable competence and experience critical to the contract and procures a benefit such as that alleged to E&Y and the newly formed CGEY, the risk of liability for the negligent misrepresentations and a question of fraud is properly alleged.”

Atkins Nutritionals, Inc. v. Ernst & Young, LLP, NYLJ, Jan. 10, 2002. Accordingly, a fiduciary relationship arose and could have been breached if proven at trial.

Case Study #2: KPMG Canada: Lack of Independence.

In June 2005, the Securities and Exchange Commission entered into a settlement, in an enforcement action, with KPMG LLP (KPMG Canada), a Canadian audit firm, and two of its partners, Gary Bentham, the audit engagement partner, and John Gordon, the concurring and SEC reviewing partner. The SEC asserted that KPMG Canada, Bentham and Gordon lacked independence when they audited the 1999 through 2002 financial statements of Southwestern Water Exploration Co. (Southwestern), a now-bankrupt Colorado corporation.

The SEC claimed that KPMG Canada provided bookkeeping services to Southwestern and then audited its own work. Specifically, after KPMG Canada prepared certain of Southwestern’s basic accounting records and financial statements, it issued purportedly independent audit reports on those financial statements. KPMG Canada’s audit reports were included in Southwestern’s annual reports that were filed with the Commission.

The SEC found that KPMG Canada, Bentham and Gordon engaged in “improper professional conduct” within the meaning of Rule 102(e) of the SEC’s Rules of Practice by virtue of their violations of the auditor independence requirements imposed by the Commission’s rules and guidance and by generally accepted auditing standards in the United States.

Some Rules of Ethics for Auditors

The Sarbanes-Oxley Act sets new standards of independence for auditors.

Public Companies.
Such standards created such friction between public companies and their auditors that decisional gridlock set in. On May 16, 2005, the Public Company Accounting Oversight Board (established under the Sarbanes-Oxley Act, to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports) issued a policy statement on its Auditing Standard No. 2. The PCAOB’s Policy Statement sought to ensure some level of reasonableness and flexibility in the conduct of audits. As it noted,

In particular, the staff questions and answers seek to correct the misimpression that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner that discourages auditors from exercising the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient. The Policy Statement expresses the Board’s view that, to properly plan and perform an effective audit under Auditing Standard No. 2, auditors should –

  • integrate their audits of internal control with their audits of the client’s financial statements, so that evidence gathered and tests conducted in the context of either audit contribute to completion of both audits;
  • exercise judgment to tailor their audit plans to the risks facing individual audit clients, instead of using standardized “checklists” that may not reflect an allocation of audit work weighted toward high-risk areas (and weighted against unnecessary audit focus in low-risk areas);
  • use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting, and use the risk assessment required by the standard to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement;
  • take advantage of the significant flexibility that the standard allows to use the work of others; and
  • engage in direct and timely communication with audit clients when those clients seek auditors’ views on accounting or internal control issues before those clients make their own decisions on such issues, implement internal control processes under consideration, or finalize financial reports.

Private Companies.
Where the audit client is a privately owned business (such as a private enterprise customer or a private service provider), auditor independence rules still apply. Reviewing Case Studies #1 and 2, the auditors could probably have avoided the claims of breached fiduciary duty if they had made suitable disclosures and had remedied, or caused their consulting affiliate to remedy, a failed software installation.
In that case, the auditors should:

  1. disclose their conflict of interest to the client and obtain waivers (similar to the waivers obtained from medical patients undergoing surgery);
  2. remedy the flaws in the selection of off-the-shelf software, the systems integrator, and the systems integrator’s lack of skills to cure the defects impeding software performance; and
  3. learn from similar client-relationship mistakes that had been subject to prior, unrelated litigation.

The court’s ruling is based on existing rules governing independence of auditors.
