Operational risk created by outsourcing custody rests primarily with the entity that contracts the service, but is distributed across a network of actors and legal regimes. Regulatory guidance and market practice make clear that the primary custodian remains the party ultimately responsible to clients for safekeeping, control failures, and regulatory compliance. Thomas J. Curry, Office of the Comptroller of the Currency articulates that banks cannot transfer away accountability simply by using third parties; they must conduct due diligence, ongoing oversight, and contingency planning.
Legal and contractual allocation
Contracts determine immediate loss allocation between a contracting custodian and its subcustodian, but contractual terms do not erase regulatory obligations. A subcustodian bears operational risk for its direct failures in its jurisdiction, and local law may create proprietary or insolvency outcomes that differ from the principal contract. International rulemaking bodies including the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions emphasize that outsourcing can alter operational exposure across borders, requiring both the principal custodian and the subcustodian to address custody chains, reconciliation processes, and business continuity.
Causes and consequences
Key causes of operational risk in outsourced custody include weak due diligence, inadequate contractual protections, fragmented control environments across jurisdictions, and insufficient oversight of technology and settlement processes. Consequences range from client asset misplacement and delayed settlements to regulatory sanctions, reputational harm, and in extreme cases cross-border market disruptions. In emerging markets the cultural and territorial nuances of local legal systems amplify risk, because differing property regimes, recordkeeping practices, and political conditions can change who effectively controls assets during a failure.
Mitigation centers on the contracting custodian retaining robust governance, performing independent audits, and requiring clear indemnities and escalation rights. Regulators expect documented oversight frameworks and recovery plans that mirror obligations articulated in supervisory guidance. While subcustodians and technology providers carry their own operational exposures, the practical and legal reality is that the primary custodian bears the residual operational risk to clients and supervisors, with consequences shaped by contractual clarity, regulatory enforcement, and the cross-border legal environment.