Strengthening Confidence in Offshore Outsourcing: How VBP Aligns with ASIC’s Latest Guidance

By VBP Team on November 5, 2025


The Australian Securities and Investments Commission (ASIC) has recently released the results of its review into offshore outsourcing practices among Australian Financial Services (AFS) licensees (ASIC Media Release 25-234MR). 

The findings highlight governance gaps and set clearer expectations for how licensees manage their offshore outsourcing arrangements (including direct), particularly around risk management, performance monitoring, access controls, and independent assurance.

At VBP, we welcome this development. Stronger governance, transparency, and accountability have always been central to how we operate. As an offshore outsourcing partner to many AFS licensees and their authorised representatives, our role is to enable compliance, not compromise it. 

What ASIC’s Review Means for Offshore Partners

ASIC’s review underscored several areas where licensees must demonstrate stronger oversight of their outsourcing providers (OSPs): 

  • Performance Monitoring: Regular audits against service standards and policies.
  • Access Log Monitoring: Real-time alerts for access violations or system activity logs. 
  • Independent Cyber Assessments: Verification beyond OSP representations. 
  • Due Diligence and Ongoing Oversight: Documented processes for selecting and reviewing OSPs. 

While the report focused on AFS licensees, the implications for their partners, like VBP, are equally significant. We recognise that ASIC’s expectations will drive greater scrutiny, more frequent due diligence, and a renewed emphasis on governance from financial services firms. 

How VBP Enables Licensees to Meet ASIC’s Expectations 

VBP maintains frameworks and controls that align with ASIC’s guidance under Regulatory Guide 104 (RG104) and Regulatory Guide 166 (RG166). 

Our Information Security Management System (ISMS) and governance structure are designed to give licensees confidence that their outsourced operations remain compliant, secure, and resilient. 

  1. Governance and Risk Management

    VBP’s governance and risk management framework meets the standards of Section 912A(1)(h) of the Corporations Act 2001, supported by our certification-aligned controls under ISO 27001:2022 and ISO 31000:2018.

    We conduct annual risk assessments, management reviews, and internal audits to ensure that our controls stay current with both regulatory and industry expectations. Oversight is embedded at board and executive levels, ensuring accountability at the highest tier.

  2. Transparent Due Diligence and Onboarding

    We provide clients with detailed onboarding documentation that outlines our operational structure, governance frameworks, data protection practices, and compliance alignment with AFSL obligations.

    This transparency supports our clients’ own due diligence processes and enables faster, evidence-based decision-making. VBP regularly undergoes external due diligence from listed entities and welcomes these engagements as part of maintaining trust and accountability.

  3. Continuous Performance Monitoring 

    Our performance management framework includes KPI dashboards, audit trails, and monthly service reviews, ensuring visibility and accountability across all service engagements. 
    This structured approach aligns with ASIC’s expectations for continuous oversight, providing clients with measurable assurance of service quality and operational consistency.

  4. Real-Time Access Monitoring and Cybersecurity Controls 

    VBP maintains a dedicated cybersecurity team that oversees system access logs and real-time alerting. 
    Unauthorised access attempts or unusual behaviour trigger immediate investigations, ensuring rapid containment and response.

    Our controls draw on NIST Cybersecurity Framework principles and the Australian Cyber Security Centre (ACSC) recommendations, combining local compliance with global best practice.

  5. Independent Security Assessments 

    Beyond internal audits, VBP engages independent, qualified assessors to review our cybersecurity and information management systems.

    This independent validation provides assurance to clients that our controls are not just self-assessed but objectively verified against international standards — aligning with ASIC’s emphasis on external assurance.

  6. Data Privacy and Legal Compliance 

    VBP operates in compliance with the Australian Privacy Principles (APPs) and the Philippines’ Data Privacy Act and is registered with the National Privacy Commission (NPC). 
    A dedicated Data Privacy Officer oversees governance, ensuring data protection obligations are met across jurisdictions.

  7. Support for Licensee Oversight 

    VBP empowers licensees to maintain oversight and control over outsourced functions through transparent reporting, structured escalation protocols, and collaborative governance frameworks. 
    We support the identification and management of material risks and provide practical solutions to assess the ongoing suitability of outsourced services.

    Our approach aligns with ASIC’s expectations for licensee oversight, ensuring compliance and accountability across all service engagements.

  8. RG104 - AFS Licensing: Meeting the General Obligations

    VBP’s Information Security Management System (ISMS) directly supports AFS licensees in meeting their Regulatory Guide 104 (RG104) obligations by ensuring fair and efficient service delivery, robust risk management, strong cybersecurity controls, continuous staff training, and comprehensive oversight of third-party and data security practices.

 

Supporting AFS Licensees Through a Stronger Compliance Lens 

We understand that ASIC’s review will prompt more frequent and in-depth due diligence requests from licensees, and we view this as a positive step forward. 

VBP’s team is fully equipped to support clients with the documentation, policies, and evidence needed to demonstrate compliance with ASIC, APRA, and other regulatory expectations, including CPS 230 Operational Risk Management and CSP 230 Information Security. 

We remain committed to being a trusted, compliant, and transparent outsourcing partner, helping our clients uphold the integrity of the financial services sector while maintaining efficiency and operational resilience.