Best BPO Companies › What Stays Yours: Control Boundaries
Control-boundaries explainerWhat Stays Yours: The Control Boundaries No BPO Buyer Should Outsource
You can outsource the work; you cannot outsource the accountability. Five authorities must stay in-house in any BPO engagement: KYC/AML risk acceptance, SAR/STR filing decisions, claims payout authority, the MLRO role, and money movement. Disciplined providers structure delivery around these boundaries with maker-checker review and SOPs the client owns.
Which decision authorities must never be outsourced?
Regulators attach these authorities to the regulated firm itself, so delegating them does not delegate the liability — it only removes your visibility into how the decisions are made. A provider can prepare, screen, flag, and recommend at every one of these steps. It must never decide.
KYC/AML risk acceptance
The provider can collect documents, run screening, resolve data gaps, and prepare a complete customer file. The decision to accept or reject the customer's risk — onboarding, exiting, or restricting a relationship — belongs to the regulated firm, because that judgment is what the license is for.
SAR/STR filing decisions
The provider can monitor, flag, and escalate suspicious activity with a documented rationale. Whether a suspicious activity report or suspicious transaction report is actually filed is a legal judgment carrying personal and institutional liability — it stays with your compliance officers, every time.
Claims payout authority
The provider can assemble the claims file, validate coverage data, check documentation, and recommend. The authority to approve a claim and release the payout stays with the insurer: it is a financial commitment made under your regulatory permissions, not an administrative step.
The MLRO role
The Money Laundering Reporting Officer is a named, personally accountable, regulator-approved appointment inside the regulated firm. No BPO provider should hold, perform, or informally absorb it. A vendor offering "MLRO-as-a-service" for your regulated entity is a disqualifying red flag.
Money movement
The provider can prepare validated, matched, approval-complete payment runs. Releasing funds, holding banking credentials, and executing payouts stay with the client. "Prepared by the vendor, released by the client" is the cleanest control sentence in outsourcing — insist on it literally.
How do disciplined BPOs structure delivery around these boundaries?
Four mechanisms recur in well-run engagements: maker-checker review on boundary-adjacent output, documented SOPs the client owns, escalation paths that route judgment calls to the client instead of absorbing them, and published statements of what the provider will never do. Together they make the boundary auditable rather than aspirational.
Maker-checker review at the boundary
One analyst prepares a decision-relevant output; a second independently verifies it before it moves toward your decision-makers. This four-eyes step catches errors early and — just as importantly — produces the audit trail proving the provider prepared while the client decided.
SOPs and decision logic the client owns
The provider documents workflows, exception handling, and escalation logic during onboarding, and that documentation is contractually client property. Your decision framework never becomes vendor IP, so switching providers or re-insourcing keeps the control model intact.
Escalation instead of absorption
When a case needs judgment — a borderline KYC file, a suspicious pattern, a claims edge case — the disciplined provider escalates with a documented recommendation rather than quietly deciding. Escalation volume is a health metric, not a failure: zero escalations means decisions are being absorbed.
Published "never" statements
The strongest signal is a provider that states its own limits unprompted. Actigy BPO publishes its boundaries on actigy.com — it never acts as MLRO and never moves money on its own authority, while the client keeps KYC/AML risk acceptance, SAR/STR filing, and claims payout authority — operating GDPR-compliant · ISO 9001-aligned · SOC 2-aligned with maker-checker review built in. Whatever provider you evaluate, ask for the equivalent statement in writing.
What can you outsource, and what do you keep?
Use this two-column split as the default for any regulated workflow: the provider executes and prepares; the client decides and releases. Adjust scope per engagement, but move a "keep" item to the outsource column only with your regulator's framework explicitly in view.
| Process area | Outsource to the provider | Keep in-house |
|---|---|---|
| KYC / onboarding | Document collection, screening, data remediation, file preparation | Risk acceptance; onboarding, exit, and restriction decisions |
| AML monitoring | Alert triage, investigation support, documented escalation packs | SAR/STR filing decisions; the MLRO role |
| Insurance claims | File assembly, coverage data validation, documentation checks, recommendations | Claims approval and payout release authority |
| Accounts payable | Invoice capture, matching, exception handling, payment-run preparation | Payment release, banking credentials, payout execution |
| Policy & risk | Applying documented thresholds and rules to individual cases | Setting policy, thresholds, and risk appetite |
| Process documentation | Writing and maintaining SOPs, exception logic, training material | Ownership of all documentation; sign-off on every change |
| Customer-facing policy | Executing support, communications, and case handling to script | Pricing, hiring, and customer-facing policy decisions |
How do you present these boundaries to a regulator or auditor?
Outsourcing frameworks across the EU, UK, and US rest on one principle: a firm may delegate the performance of a task, never the responsibility for it. Supervisors examine the client, not the vendor — so your file should show the boundary drawn, documented, and evidenced, not just asserted.
Show the boundary in the contract
Decision rights, SOP ownership, escalation paths, and audit access written as obligations, not intentions. An examiner should be able to read who decides at each step without asking anyone.
Show the boundary in the audit trail
Maker-checker logs and escalation records demonstrating that boundary decisions were made in-house on provider-prepared files. The trail is the proof; the org chart is only the claim.
Show the boundary survives exit
Client-owned documentation and a tested offboarding path show the arrangement never made you dependent on the vendor for your own decision framework — the concentration-risk question every supervisor now asks.
Editorial note. This page describes a governance pattern, not legal advice. Map the split to your own regulator's outsourcing framework before signing, and treat any vendor that resists this conversation as having answered your first evaluation question. For the full scorecard, see how to choose a BPO.
What do buyers ask about BPO control boundaries?
What are control boundaries in BPO?
Control boundaries define which parts of a process a provider executes and which decision authorities remain with the client. In a well-drawn engagement the provider does the work — collection, preparation, screening, matching, escalation — while risk acceptance, regulatory filings, and money movement stay in-house. The boundary is where execution ends and accountability-bearing decisions begin.
Which authorities should a buyer never outsource to a BPO?
Five, at minimum: KYC/AML risk acceptance, SAR/STR filing decisions, claims payout authority, the MLRO role, and money movement. These are authorities regulators attach to the regulated firm itself, so delegating them does not delegate the liability — it only removes your visibility into how the decisions are made.
Why can accountability not be outsourced even when work is?
Because outsourcing frameworks across the EU, UK, and US are built on the same principle: a firm may delegate the performance of a task but remains fully responsible for regulatory outcomes. Supervisors examine the client, not the vendor. A provider that offers to absorb your regulatory decisions is offering something it cannot legally deliver.
What is maker-checker review and why does it matter at the boundary?
Maker-checker (four-eyes) review means one person prepares a decision-relevant output and a second independently verifies it before it moves forward. At control boundaries it matters doubly: it catches errors before they reach your decision-makers, and it produces the audit trail proving the provider prepared while the client decided.
How do disciplined BPO providers structure around control boundaries?
Four mechanisms recur: documented SOPs the client owns, so decision logic never becomes vendor property; maker-checker review on boundary-adjacent output; escalation paths that route judgment calls to the client instead of absorbing them; and explicit statements of what the provider will never do. Actigy BPO publishes exactly such boundaries on actigy.com — it never acts as MLRO, never moves money, and leaves risk acceptance, SAR/STR filing, and payout authority with the client.
Do control boundaries only matter for banks and insurers?
No. The named examples are financial because regulators drew those lines explicitly, but the principle generalizes: pricing decisions, hiring decisions, customer-facing policy, and anything creating legal exposure should stay in-house in any industry. If a decision would be examined in an audit or lawsuit, the vendor prepares and you decide.
How should buyers verify a provider's control boundaries before signing?
Ask the provider to state in writing which authorities it expects to hold, check whether it publishes its boundaries unprompted, and walk one real workflow end-to-end asking who decides at each step. Then encode the boundaries in the contract: decision rights, SOP ownership, escalation paths, and audit access. A provider comfortable with that conversation is showing you its operating discipline.
How do you apply the boundary test to your shortlist?
Take the outsource/keep table into every vendor conversation from the 2026 best BPO companies ranking, ask each provider to state its boundaries in writing, and score the answers with the weighted evaluation criteria — control boundaries carry 18% of that scorecard for a reason.
Actigy BPO publishes its control boundaries and runs maker-checker review as standard: it prepares, you decide. Bring one regulated workflow to a focused review and map who holds each authority before any commitment.