Legal Updates

Key Points:

• The Guidance applies from 17 December 2021.
  
• However the Central Bank has stated that it will be “mindful of the adjustments to be made by the firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model” in exercising its supervisory powers.
  
• The Feedback Statement contains certain clarifications provided by the Central Bank which are likely to be of particular interest for Depositaries and Fund Administrators. See Page 2 below.

Background

Following its consultation on the topic of outsourcing during 2021¹, the Central Bank of Ireland (“Central Bank”) has published its finalised Cross-Industry Guidance on Outsourcing (“Guidance”) together with a feedback statement providing the rationale for some of the approaches taken by it in finalising the Guidance (“Feedback Statement”).

While the Guidance will be of relevance to all firms regulated by the Central Bank, in this briefing, we consider the implications of the Guidance for depositaries and fund administrators regulated by the Central Bank.

Purpose of the Guidance

In recognition of the “increasing reliance of many regulated firms on outsourced service providers”, the Guidance is intended to assist regulated firms in developing their outsourcing risk management framework to effectively identify, monitor and manage their outsourcing risks.

Application of Guidance to Depositaries and Fund Administrators

The Guidance applies to all “financial service providers regulated by the Central Bank”. Certain queries were raised as part of the consultation process by Industry participants to the Central Bank as to the application of the Guidance to branches of oversees banks, insurers and other firms (both EU and/or third country branches). The Central Bank has noted in its Feedback Statement, by way of a response, that it is of the view that “branch to branch service provision, branch to parent provision and centres of excellence should all be regarded as forms of inter/intragroup service provision and as such are indistinguishable from outsourcing in terms of the risks posed by such arrangements when they are deemed critical or important” and that “consequently, the Central Bank expects the Guidance to be applied and the risks managed in the same manner as any intragroup arrangements”. No mention is made of parent to branch service provision. Further clarification on this point will be required from the Central Bank. This is an important point for Irish depositaries and fund administrators established as branches of overseas entities. Such branches typically rely on certain infrastructure and services/supports available from the overseas functions within the same legal entity.

The Central Bank has clarified in its Feedback Statement that the provision of custodial services generally carries the same risks as other forms of outsourcing arrangements and consequently the requirements of the Guidance should apply to the management of such risks. No distinction has been drawn by the Central Bank between the delegation of safekeeping duties and the delegation of supporting tasks that are linked depositary tasks other than safekeeping. Hence the provision custodial/ safekeeping services fall within the scope of the Guidance.

In addition, the Central Bank has clarified in its Feedback Statement that the Guidance will apply to outsourcing arrangements involving critical financial market infrastructure (such as clearing, settlement and provided by Central Securities Depositories (CSDs) and Central Counterparties (CCPs)) “in a manner consistent with the firm’s nature, scale and complexity is not exempt from the definition of outsourcing under the Guidance”.

For Irish fund administrators authorised under the Investment Intermediaries Act 1995, as amended (IIA), the regulatory requirements relating to “outsourcing” are found in the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017 (2017 Regulations). Regulation 2(1) of the 2017 Regulations defines “outsourcing” as “an arrangement of any form between a fund administrator and an outsourcing service provider by which the outsourcing service provider performs administration services which would otherwise be undertaken by the fund administrator itself and “outsourced” shall be construed accordingly”. “Administration services” are defined in Regulation 2(1) as “services pertaining to the administration of an investment fund including, but not limited to, the following: (a) the performance of valuation services; (b) fund accounting services; (c) acting as a transfer agent or a registration agent for an investment fund”. In contrast, the Guidance defines “outsourcing” as meaning “an arrangement of any form between a regulated firm and an outsourced service provider (OSP) by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the regulated firm itself, even if the regulated firm has not performed that function itself in the past”. For fund administrators the expansion of the definition of “outsourcing” will represent a significant departure from the current regime.

The Central Bank recognises that the Guidance should be complied with in a proportionate manner by regulated firms, taking into account the relevant firm’s nature, scale and complexity of its business activities and the degree to which the firm engages in outsourcing. In other words, the Central Bank does not expect all depositaries and fund administrators to comply with the Guidance in the same way, acknowledging that “it may not be appropriate for certain smaller, less complex regulated firms to adopt, in full, all measures set out in the Guidance”. When deciding how to implement measures to comply with the Guidance, depositaries and fund administrators should also have regard to whether the relevant outsourced activity is deemed “critical” or “important”;

The Central Bank will expect depositaries and fund administrators to comply with the Guidance in respect not only of outsourcing arrangements in place with third-parties but also those outsourcing arrangements in place with entities within their own groups (referred to in the Guidance as “intragroup” arrangements);

Depositaries and fund administrators will be required to put in place both a documented outsourcing strategy and documented outsourcing policy, each of which is considered in more detail below.

Identification of “Critical or Important” Outsourcing Arrangements

Under the Guidance, fund administrators will, for the first time, be required to identify those outsourcing arrangements which relate to activities or services which are critical or important. Current outsourcing requirements for fund administrators as set out in the 2017 Regulations did not distinguish between functions, which are critical or important. Appendix 2 incorporates some specific guidance for depositaries which provides that administrative or technical functions are unlikely to be critical or important and suggests that depositaries and fund administrators could have regard to the definition of the critical or important functions provided under the ESMA Guidelines on Outsourcing to Cloud Service Providers² and the criteria for assessment of critical or important functions set down under the MiFID II³ framework. For fund administrators “core management functions” are specifically mentioned in the context of the assessment of functions as critical or important⁴.This assessment should be carried out in respect of all activities or services which are being outsourced by the Depositary/fund administrator, including IT activities. It is worth noting in this regard that certain provisions of the Guidance only apply to the outsourcing of activities or services which have been categorised as critical or important.

The Central Bank expects depositaries and fund administrators to have a defined and documented methodology for determining whether a service or function is critical or important which should be approved by the Board. It would seem appropriate that this should also identify those within the organisation who are responsible for determining whether or not a specific service or function is critical or important.

The assessment of criticality and importance, including the methodology used in such assessment, must be reviewed at appropriate intervals in conjunction with the outsourcing policy. The Central Bank also suggests that such a review should be carried out if a depositary/fund administrator decides to scale up its use of the services being provided by the OSP or its dependency on such services or if there is an organisational change in the OSP such as a change to the ownership or financial position of that OSP or a material sub-outsourced service provider.

Governance and the role of the Board and Senior Management

The Guidance outlines that Boards and senior management of regulated firms are responsible for all activities undertaken by the regulated firm including those activities which are conducted on the regulated firm’s behalf by any third-party, including any group entity. The Central Bank prescribes that the Board and senior management are ultimately accountable for the effective oversight and management of outsourcing risk within its business. This includes ensuring that there are appropriate structures in place to facilitate comprehensive oversight of the outsourcing universe.

Under the Guidance, Boards and senior management will be required to develop existing risk management frameworks to ensure that the governance and risk management of their outsourcing frameworks operates effectively and is in line with the supervisory expectations. Outsourcing risk should also be reflected in the overarching risk register of the depositary/fund administrator.

In addition, the risk management framework must consider and document the controls to be put in place to minimise exposure to any risks identified and ensure that these controls and the mechanism for monitoring their effectiveness, are reflected in the relevant outsourcing contracts and service level agreements.

Boards are expected to regularly review their outsourcing arrangements, with particular focus on those outsourcing arrangements which relate to critical or important functions.

Such outsourcing governance and risk management structures must be in line with relevant sectoral legislation, regulation and guidelines applicable to depositaries and fund administrators and should not impede the depositary/fund administrator’s ability to meet the conditions with which it must comply in order to remain authorised, including any conditions imposed by the Central Bank.

The Guidance outlines that the Central Bank expects firms to appoint a designated individual, function and/or committee to ensure that outsourcing arrangements are overseen and reported on appropriately. This designated function should be directly accountable to the Board. Depositaries and fund administrators should also be satisfied that the reporting framework is such that the Board and senior management receive sufficiently detailed reports on outsourcing arrangements on an ongoing basis and that an appropriate escalation process is in place to ensure that they can adequately govern outsourcing risks arising.

Under the Guidance, Boards are also expected to establish an outsourcing register to identify and facilitate appropriate oversight and awareness of current and proposed outsourcing arrangements, and the associated risks, including the extent of the depositary/fund administrator’s dependence on critical OSPs. This is a new requirement for fund administrators.

The Guidance sets out the Central Bank’s specific expectations relating to the maintenance of outsourcing registers, including the content and completion of such register which is set down in Appendix 3 thereto. The Central Bank has confirmed in its Feedback Statement that a spreadsheet template for the outsourcing register will be made available for all firms to download from its website during Quarter 1 of 2022. It also confirms that all depositaries and fund administrators (and other firms regulated by the Central Bank) which have a PRISM Impact Rating of “Medium Low” or higher must submit their outsourcing register via an online return on an annual basis. The first submission is currently planned for such firms for Quarter 2 of 2022 and the Central Bank will notify such firms “within a reasonable notice period” of the specific filing requirements for 2022. “Low Impact” depositaries and fund administrators may be required to submit their outsourcing register on a case-by-case basis by their supervisor.

Outsourcing Strategy and Outsourcing Policy

Under the Guidance, depositaries and fund administrators are expected to have a documented outsourcing strategy in place which is aligned to their business strategy, business model, risk appetite, and risk management framework. This strategy should be supported through appropriate policies, procedures and controls.

In formulating an outsourcing strategy, consideration must be given to a number of areas, including but not limited to:

• the extent of outsourcing that the depositary/fund administrator intends to undertake;
• the types of activities and functions it will consider outsourcing;
• the risks which arise from its outsourcing arrangements including how they will be managed and mitigated; and
• the extent to which the depositary/fund administrator has the skills and capacity to monitor and exercise oversight of outsourcing arrangements. We would anticipate that this should also identify any functions which the depositary/fund administrator determines are not suitable for outsourcing in light of its risk appetite.

As part of this outsourcing strategy, and in a new departure, depositaries and fund administrators must have a documented firm-wide outsourcing policy, which is reviewed and approved by the Board at least annually. The Central Bank expects that the policy should outline its risk appetite as it relates to outsourcing, the roles and responsibilities within the depositary/fund administrator for the oversight and management of outsourcing risk as well the criteria and methodology for the identification and classification of outsourcing arrangements as critical or important. The policy should also address the approach to the identification, assessment, mitigation and management of risks associated with outsourcing as well as the approach to initial and ongoing due diligence on OSPs and the ongoing management, monitoring and review of outsourced arrangements in place.

Amongst other matters identified by the Central Bank in the Guidance, the outsourcing policy should also address:

• the process for approval of new outsourcing arrangements;
• the requirement to put in place appropriate contracts, written agreements and SLAs with the relevant OSP;
• sub-outsourcing particularly with regard to critical or important functions or material parts of such functions;
• the risk management framework and structures for operational oversight and controls;
• conflicts of interest,
• business continuity arrangements as they pertain to the outsourcing arrangements;
• a documented exit strategy for each outsourcing arrangement deemed critical or important; and
• termination processes generally, including in the event of unexpected termination of an outsourcing arrangement and the need for contingency arrangement.

The Guidance also highlights the importance that the depositary/fund administrator’s outsourcing policy addresses maintenance of appropriate records in relation to its outsourcing universe in order to appropriately manage risk.

Outsourcing of Risk Management and Internal Control Functions

The Central Bank expects depositaries and fund administrators to apply due care and attention when considering and appointing the outsourcing of those roles which have been designated by the Central Bank as pre-approval controlled functions (“PCFs”) and or controlled functions (“CFs”). It also reiterates that the depositary/fund administrator remains responsible for compliance with its obligations and that any outsourcing of PCF or CF roles does not diminish the responsibility of the Board or senior management in this regard.

Outsourcing Risk Assessments

A comprehensive risk assessment, which the Central Bank considers to be a “key tool in enabling appropriate and adequate oversight of outsourced activities”, should be conducted prior to entering into any outsourcing arrangement. Such risk assessments should be tailored to take account of specific risks identified by the Central Bank in the Guidance including, inter alia, sub-outsourcing risks, sensitive data risks, concentration risks⁵, offshoring risks, step-in risk and any other additional risks associated with the relevant outsourcing arrangement. Helpfully, the Central Bank has provided specific guidance on the risks associated with outsourcing in the Guidance which should assist depositaries and fund administrators in designing their risk assessments.

Under the Guidance, Boards are expected to review and refresh their risk assessments on a periodic basis, to ensure that in the case of each depositary/fund administrator, the risk assessments continue to accurately reflect the business of the depositary/fund administrator, including for example, its operating environment, legal or regulatory environment and to ensure they remain reflective of the current risks to which the depositary/fund administrator is exposed. The Guidance sets down certain events which may trigger a review of outsourcing risk assessments.

Due Diligence

The Guidance outlines the expectations of the Central Bank, both at an initial stage and on an on-going basis, regarding the due diligence that regulated firms should carry out on OSPs. The Guidance outlines specific criteria which must be considered prior to any outsourcing taking place. These criteria include by way of example only the OSP’s business model, financial health, ownership and group structure, consideration of its ability to “keep pace with innovation”, potential conflicts of interest (particularly in the case of intragroup arrangements) and the effectiveness of the OSP’s risk management and internal controls.

The Guidance also highlights the importance of periodic reviews of the due diligence being undertaken during the lifecycle of the outsourcing arrangements. In particular, the Central Bank notes the need to periodically review the financial health of key OSPs which provide critical or important services to the depositary/fund administrator and the need to undertake additional due diligence assessments prior to the expiry of any key outsourcing arrangements in order to determine whether such outsourcing arrangement should be renewed. As considered in more detail below, the Central Bank highlights that intragroup arrangements should be approached with the same rigour as the appointment of external OSPs while noting that the same risks may arise in all situations.

In line with the development of a financial system focused on good governance and the adoption of ESG principles and the ESA Guidelines on Outsourcing, the Central Bank highlights its expectation that the depositary/fund administrator satisfies itself that any outsourcing is being conducted in an ethical and socially responsible manner and consistent with the values and code of conduct of the depositary/fund administrator outsourcing the activities.

Contractual Arrangements and Service Level Agreements

The Guidance stresses the importance of ensuring that adequate provisions are included in any outsourcing contract put in place with the OSP which governs the provision of critical or important functions or services. The Central Bank specifically draws attention to twenty-one key provisions which it believes should form the basis for any such contractual arrangement with OSPs, including a clear description of the outsourced function, the circumstances in which sub-outsourcing is permitted, the location(s) of where the services will be performed, data security, reporting obligations imposed on the OSP, business continuity plans and termination and exit provisions. These key provisions generally align with the contractual provisions prescribed by the EBA Guidelines on Outsourcing and are particularly focussed on ensuring that written agreements governing the provision of critical or important functions are resolution resilient. Hence the requirements set out in the Guidelines will be familiar to depositaries. For fund administrators the new requirements under the Guidelines are more comprehensive than those currently applying under the 2017 Regulations.

In the case of sub-outsourcing of a critical or important function, the depositary/fund administrator must provide its consent to the sub-delegation/outsourcing arrangement. As a result, the sub-outsourcing/sub-delegation provisions in existing contracts entered into by depositaries and fund administrators may, depending on existing terms, need to be revised in light of the finalised Guidance.

The Central Bank indicates that any such contract with an OSP should give the depositary/fund administrator the ability to terminate the arrangement in certain specific circumstances identified in the Guidance. The Guidance also provides that the contract in place with the OSP should facilitate the re-incorporation of outsourced functions to the depositary/fund administrator upon termination or the transfer of the outsourced function to another OSP. This requirement is likely to be problematical for those depositaries/fund administrators established as a branch of an overseas entity if the Central Bank seeks to apply the Guidelines to parent to branch services provision. We refer you to page 2 of this briefing paper (Application of Guidance to depositaries and Fund Administrators) where we have mentioned that further clarity on this point will be sought from the Central Bank.

In line with the Central Bank’s risk-based approach to supervision of regulated firms, the Central Bank further outlines its expectation that the internal audit function of regulated firms should, on a contractual basis, be able to review the performance of the outsourced function using a risk-based approach. Depositaries and fund administrators should also consider the investigatory powers of the Central Bank when negotiating agreements with a particular emphasis on the depositary/fund administrator and the Central Bank having full access to all relevant business premises of the OSP and unrestricted rights of inspection and auditing related to the outsourcing arrangements where the relevant OSP is providing critical or important services to the depositary/fund administrator.

In keeping with the expectations set out with respect to due diligence, the Central Bank indicates that periodic reviews of contracts and outsourcing arrangements should be undertaken where there are changes to business models or regulatory changes or the completion of risk assessments warrant a re-consideration of the continued suitability of the contract. If relevant, contractual arrangements should also be reviewed in good time before any scheduled renewal or termination dates in order to ensure smooth transitions or continuity of service is a decision is taken to change OSP.

In response to the publication of the Guidance, depositaries and fund administrators are advised to conduct a review of all existing delegation agreements (including for example existing investment management agreements, administration agreements and distribution agreements) and other outsourcing and sub-outsourcing contractual arrangements in place with OSPs which provide critical or important functions or services to the depositary/fund administrator in order to consider whether such arrangements meet the expectations of the Central Bank as outlined in the Guidance.

Ongoing Monitoring and Challenge

The Guidance emphasises the importance of regular and comprehensive monitoring of outsourced services/functions. The Central Bank expects depositaries and fund administrators to include the three lines of defence as part of its outsourcing assurance (i.e. involving the Risk Management/Compliance function as the second line of defence and the internal audit function as the third line of defence). The depositary/fund administrator’s outsourcing risk management arrangements should be such that they incorporate a mechanism to oversee, monitor, and assess the appropriateness and performance of its outsourced arrangements is in place. Depositaries and fund administrators who currently outsource functions will be required to undertake a review of the existing arrangements in place and to ensure that they have sufficient and appropriately skilled staff within the depositary/fund administrator to oversee the outsourcing arrangements in line with the supervisory expectations of the Central Bank as outlined in the Guidance.

The third line of defence, the internal audit function, is seen as a key function in supporting the assessment of the appropriateness of outsourcing arrangements. Amongst other matters, the Central Bank expects that an internal audit function’s audit programme will assess, using a risk-based approach, whether:

• the outsourcing framework is operating effectively in line with the outsourcing policy and the depositary/fund administrator’s risk appetite for outsourcing;
• the outsourcing policies have been reviewed and updated to take account of any new legislation, business functions or new or emerging risks;
• the correct classification is being used for outsourcing arrangements in line with the depositary/fund administrator’s methodology for assessing “criticality and importance”;
• the depositary/fund administrator’s outsourcing register is being appropriately maintained; and
• the oversight of the Board and the monitoring and management of its outsourcing arrangement is effective.

To the extent that a depositary/fund administrator uses third-party certifications provided by the OSP and/or pooled audits as part of its ongoing monitoring regime, the depositary/fund administrator should document how such third-party certifications and pooled audits⁶ are deemed to provide appropriate levels of assurance in line with its outsourcing policy and its risk assessment. The Guidance also sets down specific requirements which must be met where a depositary/fund administrator uses third-party certifications provided by OPS and/or pooled audits.

Disaster Recovery and Business Continuity Management

In its Feedback Statement, the Central Bank noted that supervisory review has revealed in some cases that there have been weaknesses in the quality of controls implemented by firms in the area of business continuity as well as evidence of a lack of consideration of resiliency risk. Against this backdrop, the Guidance sets out the Central Bank’s expectations for regulated firms in the establishment and oversight of measures to ensure continuity of outsourced functions in the event of a business interruption event. Depositaries and fund administrators must consider the disaster recovery and business continuity measures of their proposed OSPs and must be satisfied that service disruptions can be maintained by the OSPs within the impact tolerances and recovery time objectives of the depositary/fund administrator. The internal governance of depositaries and fund administrators, including business continuity plans and exit strategies, must be updated to reflect any implications of the relevant outsourcing arrangement.

In addition, in the case of critical or important services, depositaries and fund administrators must: (i) document and implement business continuity plans (“BCPs”) in relation to their critical and important outsourced functions and ensure that these plans are tested and updated on a regular basis; (ii) must ensure that OSPs are obliged under the arrangements to carry out testing of their BCPs at least annually and to share the reports with the relevant depositary/fund administrator; and (iii) allow the depositary/fund administrator to participate in such OSPs BCP testing “where necessary” and to conduct coordinated testing of the BCP arrangements on a regular basis. In its Feedback Statement, the Central Bank noted that the purpose of setting out its expectations is to ensure that “there is close alignment of the contingency planning and testing of the OSP and that of the regulated firm” which it notes is key to ensuring the “smooth recovery of services critical to the firm in the event of a disaster”. While it notes that it may not always be operationally feasible to participate in the OSP’s business continuity testing or to co-ordinate the testing of the firm’s and the OSP’s arrangements on a regular basis, it does note that it should be possible to conduct “combined “Tabletop Exercises” to walk through the coordinated recovery processes as a form of testing. It also notes that where a firm is relying on the business continuity testing performed by the OSP, that OSP should be able to demonstrate that it has carried out the testing to a level which the firm considers appropriate in light of its risk appetite and impact tolerance requirements.

The Guidance makes clear that it is the responsibility of the depositary/fund administrator to ensure that corrective action is taken to remediate any deficiencies identified in the performance of the OSP relating to disaster recovery and business continuity management.

Exit Strategies

The Central Bank has also set down a requirement for depositaries and fund administrators to have in place appropriate strategies and plans to exit outsourcing arrangements should the need arise, providing detailed guidance on the considerations which should be taken into account when finalising such exit strategies.

Such exit plans may potentially involve the transfer of activities to another OSP (substitutability) or for the activities to be taken back in-house by the depositary/fund administrator. The proposal that a depositary/fund administrator will retain the ability to take back an outsourced activity in-house may not be viable in many instances for a number of reasons, primarily due to lack of availability of sufficient resources with appropriate expertise and lack of operational capability.

In addition, depositaries and fund administrators will be expected to test (insofar as is possible) scenarios which may warrant the transfer of activities to another OSP or back in-house and to periodically review and update exit strategies to take account of developments that may alter the feasibility of an exit in stressed or non-stressed circumstances.

In its Feedback Statement, the Central Bank reiterated that the issues arising for intragroup arrangements relating to exit strategies and termination rights are “the same as for any other third-party arrangements especially in respect of critical or important arrangements”.

Intragroup Arrangements

In the Guidance, the Central Bank has set down its expectations in respect of intragroup arrangements. It noted in its Feedback Statement that “intragroup arrangements should not be treated as inherently less risky than arrangements with third-parties outside a firm’s group although certain aspects of the arrangements may be managed differently in practice”.

The Central Bank expects depositaries and fund administrators to (i) conduct detailed risk assessments of both third-party outsourcing arrangements and intragroup outsourcing arrangements, and (ii) consider and be satisfied with the extent to which the depositary/fund administrator can exert sufficient influence on any group company providing the service. Therefore, a depositary/fund administrator should be able to demonstrate to the Central Bank, if required, that such intragroup delegate is adequately challenged and appropriately supervised by the depositary/fund administrator on an ongoing basis.

Provision of Outsourcing Information to the Central Bank

Under the Guidance, the Central Bank requires timely notification of any planned “critical or important” outsourcing arrangement or material changes to existing “critical or important” outsourcing arrangements. It identifies specific events which could give rise to an obligation to notify the Central Bank of the proposed or changing outsourcing arrangement and provides guidance on the type of information that must be provided to the Central Bank as part of such notification. These requirements will not involve a change the existing practice for depositaries and fund administrators in the context of appointment of delegates/OSPs performing regulated services. However, this will reflect a change to existing practice in the context of the appointment of delegates/OSPs performing “non-regulated” services, particularly IT or cybersecurity where these are deemed “critical or important”.

As noted above, the Central Bank has confirmed in its Feedback Statement that regulated firms with a PRISM rating of “Medium Low” or higher will be required to submit a copy of their outsourcing register (a template for which will be made available on the Central Bank’s website during Quarter 1 of 2022) on an annual basis with the first submission currently planned for Quarter 2 of 2022. “Low Impact” firms may be required to submit their outsourcing register on a case-by-case basis by their supervisor.

Next Steps

The Central Bank confirmed in its Feedback Statement that the Guidance comes into effect on the publication date (being 17 December 2021). However, it does note that “the supervisory approach to its implementation will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model”.

We would suggest that as a first step, depositaries and fund administrators should now assess their existing arrangements against the Guidance to identify what changes will need to be made in order to comply with the Guidance, the key stakeholders involved and the timeframe within which necessary steps will be taken. Once finalised, this implementation plan should be presented to the Board for its consideration and approval. Once it has been approved by the Board, depositaries and fund administrators can then take the necessary actions identified in the implementation plan to ensure compliance with the Guidance within the timeframe agreed with the Board.

How Dillon Eustace can help

The team at Dillon Eustace can assist depositaries and fund administrators in:

• assessing the implications of the Guidance on their business models and outsourcing arrangements;
• updating their governance arrangements as regards the appointment and continued oversight of OSPs in line with regulatory expectations detailed in the Guidance;
• preparing a documented outsourcing strategy and outsourcing policy; and
• reviewing existing contracts in place with OSPs to determine the changes which will need to be made in order to address the Guidance.

If you require any assistance in this regard or have any further questions on the Guidance, please get in touch with your usual Dillon Eustace contact.

Dillon Eustace LLP

5 January 2022

¹https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp138/cp138-consultation-on-cross-industry-guidance-on-outsourcing.pdf?sfvrsn=5
.This consultation process was preceded by the publication by the Central Bank of a discussion paper on outsourcing in November 2018.

² Available from https://www.esma.europa.eu/sit...

³ Directive 2014/65/EU and Commission Delegated Regulation (EU) No 2017/56

⁴ In its recently published Cross Industry Guidance on Operational Resilience, the Central Bank again uses the concept of "critical or important business services" in order to callibrate its proposed rules in operational resilience of regulated firms.

⁵ Page 15 of the Feedback Statement provides clarity on the responsibilities of regulated firms regarding the issue of concentration risk

⁶ Described by the Central Bank in the Guidance on onsite audits which are conducted with other regulated firms