On 10 October 2025, the Australian Securities and Investments Commission (ASIC) issued a media release urging financial services entities to strengthen governance and risk management in relation to offshore service providers (OSPs), following a review that identified significant weaknesses.
Licensees
ASIC reviewed the use of OSPs by Australian financial services advice licensees and their representatives. Advice licensees retain ultimate responsibility under the Corporations Act 2001 for the operation of their financial services businesses, including where services are outsourced to OSPs. ASIC found material variation in the quality of risk management arrangements across the licensees it examined, with different areas for improvement identified for each. In response, ASIC has outlined practices and findings from its review that licensees should consider when developing, reviewing, and refining risk management arrangements for engagements with OSPs, whether directly or via intermediaries.
Some good practices observed by ASIC include:
- Appointing an OSP: providing a checklist that could be used by the licensee or their representatives to assess whether an OSP was suitable to be engaged
- Disclosing use of an OSP: having a policy that requires disclosure from the representatives (e.g. in their Financial Services Guide) that client information may be provided to an OSP. Alternatively, requiring representatives to obtain explicit client consent prior to providing client information to an OSP.
- Monitoring ongoing compliance: conducting audits at appropriate intervals and formally recording how the policy is applied and how OSPs are used, to ensure that use complies with the licensee’s policies and procedures as well as its general licence obligations.
- Approved offshore outsourcing provider panel: establishing a panel of approved OSPs for use by their representatives.
- Identifying and managing cyber risks: documenting and monitoring OSP risk as part of the licensee’s organisational risks register, even when the OSP services are being used and monitored by the licensee’s representative.
- Incident response management: requiring OSPs to have documented response strategies for high-risk scenarios (such as ransomware attacks), to conduct regular disaster recovery testing, and to participate in scheduled recovery testing.
ASIC has warned that it will continue to monitor licensees’ governance and risk management frameworks and, where appropriate, take action where processes are inadequate to protect consumers and investors from harm.
Responsible entities
ASIC also reviewed the use of OSPs by responsible entities (REs) of registered managed investment schemes. The review found significant variability in the quality of risk management arrangements, including instances where no framework was in place. ASIC has set out practices and findings that REs should consider when developing, reviewing, and refining their risk management arrangements for OSP engagements.
Some good practices observed by ASIC include:
- Due diligence processes: documenting processes that enable assessment before selection and on an ongoing basis of the OSP’s capabilities to perform the outsourced tasks to a high standard.
- Ongoing performance monitoring: implementing processes for establishing clearly defined metrics to measure service levels, enabling effective assessment of and reporting on the quality of the tasks performed.
- Service level agreements: entering into a legally binding written contract with each OSP.
- Handling breaches of service level agreements: having mechanisms to identify, escalate and resolve in a timely manner any actions by service providers that breach service level agreements.
- Identifying and managing cyber risks: documenting and monitoring an OSP’s risk as part of the organisational risks register, with changes in an OSP’s cyber risk escalated to an appropriate board committee of the RE.
- Data privacy: regularly assessing OSP controls to manage sensitive and confidential information and response procedures to report any breaches of personal and confidential information, as part of initial and ongoing due diligence.
- Monitoring OSP system access: regularly auditing the OSP’s activity, including its access logs, the actions it has taken and its compliance status. REs could use real-time alerting tools to detect unauthorised access or anomalous behaviour by OSPs.
- Incident response and escalation: reviewing and testing the OSP’s incident response capability regularly. REs should consider integrating an OSP’s incident management and contingency plan with the RE’s contingency plans.
- Business continuity: requiring OSPs to have documented response strategies for high-risk scenarios (e.g. ransomware attacks), to conduct regular disaster recovery testing, and to participate in scheduled recovery testing.
- Ongoing security reviews: performing audits of OSPs’ data handling and protection arrangements on a regular basis, as well as establishing predefined trigger events, such as changes to standards or cyber breaches, that would prompt further reviews.
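The "Monitoring OSP system access" practice above recommends auditing OSP access logs and using alerting to detect unauthorised or anomalous behaviour. The following is an added example of what such a check can look like in practice; it is not code from ASIC's release or from any licensee. The log format, the OSP profile (account names, the 203.0.113.0/24 range, contracted hours, permitted actions and the 50-record threshold) and the sample log lines are all constructed for illustration. Each event is compared with what the contract with the OSP actually permits, and any deviation becomes a finding an RE could escalate under its incident response and escalation process.

```python
"""Added example: flag OSP access events that fall outside the contracted profile."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Constructed contract profile for a hypothetical OSP engagement (not a real provider).
OSP_PROFILE = {
    "accounts": {"svc-osp-alpha-01", "svc-osp-alpha-02"},          # approved service accounts
    "networks": [ipaddress.ip_network("203.0.113.0/24")],          # contracted source range (TEST-NET-3)
    "window": (time(9, 0), time(18, 0)),                           # contracted access hours, UTC
    "allowed_actions": {"READ_CLIENT_RECORD", "UPDATE_CLIENT_RECORD"},
    "max_records_per_action": 50,                                  # anything larger is treated as bulk access
}

# Constructed sample log: timestamp, account, source IP, action, record count.
SAMPLE_LOG = """\
2025-10-13T10:15:02Z svc-osp-alpha-01 203.0.113.17 READ_CLIENT_RECORD records=1
2025-10-13T10:16:40Z svc-osp-alpha-01 203.0.113.17 UPDATE_CLIENT_RECORD records=1
2025-10-13T02:03:11Z svc-osp-alpha-02 203.0.113.40 READ_CLIENT_RECORD records=1
2025-10-13T11:02:55Z svc-osp-alpha-02 198.51.100.9 READ_CLIENT_RECORD records=1
2025-10-13T11:30:00Z svc-osp-alpha-01 203.0.113.17 EXPORT_CLIENT_RECORDS records=5000
2025-10-13T12:00:00Z svc-osp-beta-09 203.0.113.18 READ_CLIENT_RECORD records=1
"""


@dataclass
class Finding:
    timestamp: str
    account: str
    rule: str
    detail: str


def parse_line(line):
    """Parse one constructed log line into typed fields."""
    ts, account, ip, action, kv = line.split()
    records = int(kv.split("=", 1)[1])
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account,
            ipaddress.ip_address(ip), action, records)


def check_event(ts, account, ip, action, records, profile=OSP_PROFILE):
    """Return (rule, detail) pairs for every way the event departs from the contracted profile."""
    findings = []
    if account not in profile["accounts"]:
        findings.append(("unknown_account", f"{account} is not an approved OSP account"))
    if not any(ip in net for net in profile["networks"]):
        findings.append(("unexpected_source", f"{ip} is outside the contracted network range"))
    start, end = profile["window"]
    if not (start <= ts.time() <= end):
        findings.append(("outside_hours", f"access at {ts.time()} UTC is outside contracted hours"))
    if action not in profile["allowed_actions"]:
        findings.append(("unapproved_action", f"{action} is not a permitted action"))
    if records > profile["max_records_per_action"]:
        findings.append(("bulk_access", f"{records} records exceeds the limit of "
                                        f"{profile['max_records_per_action']}"))
    return findings


def analyse_log(text, profile=OSP_PROFILE):
    """Run every non-empty line through check_event and collect the findings."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, records = parse_line(line)
        for rule, detail in check_event(ts, account, ip, action, records, profile):
            out.append(Finding(ts.isoformat(), account, rule, detail))
    return out


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.account:18} {f.rule:18} {f.detail}")
```

Run against the sample log, the two routine events in contracted hours produce nothing, while the out-of-hours read, the access from an uncontracted address, the bulk export (which trips both the action and the volume rules) and the unapproved account each produce a finding. The profile is the piece an RE would keep in step with the service level agreement, so that a change in contracted scope or a change in the OSP's approved accounts is reflected in what the monitoring treats as normal.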
ASIC has encouraged all REs to consider how the findings from the review apply to their business if they are using OSPs or planning to do so in the future.