Asset Management and Investment Funds

December 22, 2021

Central Bank Guidance on Outsourcing: Implications for Fund Management Companies

Key Points to Note:

  • Management Companies are expected to develop an appropriate and effective outsourcing risk management framework in line with the Guidance.
    • This will require assessment of existing governance arrangements, policies and procedures and contracts in place with OSPs
    • Guidance applies from 17 December 2021 but the Central Bank will be “mindful of the adjustments to be made by the firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model” in exercising its supervisory power.

    Following its consultation on the topic of outsourcing earlier this year1 the Central Bank of Ireland (“Central Bank”) has published its finalised Cross-Industry Guidance on Outsourcing (“Guidance”) together with a feedback statement providing the rationale for some of the approaches taken by it in finalising the Guidance (“Feedback Statement”).

    While the Guidance will be of relevance to all firms regulated by the Central Bank, in this briefing, we consider the implications of the Guidance on Irish fund management companies2 (“Management Companies”).

    Purpose of the Guidance

    In recognition of the “increasing reliance of many regulated firms on outsourced service providers”, the Guidance is intended to assist regulated firms in developing their outsourcing risk management framework to effectively identify, monitor and manage their outsourcing risks. It is intended to supplement existing sectoral legislation, regulations and guidelines on outsourcing and sets down the Central Bank’s expectations of good practice for effective management of outsourcing risk.

    Overview of Some Key Concepts

    Before considering some of the specific issues which will arise for Management Companies in complying with the Guidance, we have set out some key concepts which are relevant when considering the implications of the Guidance for Management Companies:

    • While Management Companies are already subject to detailed delegation rules under the UCITS and AIFMD frameworks, the Central Bank Fund Management Company Guidance and the expectations of the Central Bank as outlined in its October 2020 Dear Chair Letter (“Dear Chair Letter”), the Central Bank has made clear that it expects Management Companies to assess the adequacy and effectiveness of their existing outsourcing/delegation risk management framework against the provisions of the Guidance. In this regard, the Central Bank notes in the Feedback Statement that the delegation rules set down under the UCITS and AIFMD framework relating to specific tasks should be viewed as “imposing additional requirements not reducing the obligations of the entity in question. In respect of both delegation and outsourcing, all arrangements require effective due diligence, appropriate oversight arrangements and good governance to ensure that any tasks not performed by the regulated entity are carried out to a high standard with ultimate responsibility for the function being retained by the regulated entity.”
    • The Central Bank recognises that the Guidance should be complied with in a proportionate manner by regulated firms, taking into account the relevant firm’s nature, scale and complexity of its business activities and the degree to which the firm engages in outsourcing. In other words, the Central Bank does not expect all Management Companies to comply with the Guidance in the same way, acknowledging that “it may not be appropriate for certain smaller, less complex regulated firms to adopt, in full, all measures set out in the Guidance”. When deciding how to implement measures to comply with the Guidance, Management Companies should also have regard to whether the relevant outsourced activity is deemed “critical” or “important”;
    • Under the Guidance, it is possible to adopt different practices to those outlined by the Central Bank in order to manage outsourcing risk but in such circumstances, such practices must be considered and approved by the board of directors of the relevant Management Company (“Board”) and the Management Company should be in a position to explain the rationale for any such approach to the Central Bank;
    • The Central Bank will expect Management Companies to comply with the Guidance in respect not only of outsourcing arrangements in place with third parties but also those outsourcing arrangements in place with entities within their own groups (referred to in the Guidance as “intragroup” arrangements);
    • While Management Companies will be used to complying with specific delegation rules set down in the UCITS framework or AIFMD frameworks which apply in the case of delegation of regulated activities, outsourcing arrangements with unregulated outsourcing service providers, including cloud service providers also fall within the scope of the Guidance; and
    • Management Companies will be required to put in place both a documented outsourcing strategy and documented outsourcing policy, each of which is considered in more detail below.

    Identification of “Critical or Important” Outsourcing Arrangements


    Under the Guidance, Management Companies will, for the first time, be required to identify those outsourcing arrangements which relate to activities or services which are critical or important, using the criteria set down in Appendix 2 of the Guidance which incorporates the principles outlined in the recently published IOSCO Principles on Outsourcing. Appendix 2 also incorporates some specific guidance for Management Companies which provides that administrative or technical functions are unlikely to be critical or important and suggests that Management Companies could have regard to the definition of the critical or important functions provided under the ESMA Guidelines on Outsourcing to Cloud Service Providers3 and the criteria for assessment of critical or important functions set down under MiFID II. Functions which are necessary to perform “core business lines” or “critical business functions” should be considered as critical or important4. This assessment should be carried out in respect of all activities or services which are being outsourced by the Management Company, including IT activities. It is worth noting in this regard that certain provisions of the Guidance only apply to the outsourcing of activities or services which have been categorised as critical or important.

    The Central Bank expects Management Companies to have a defined and documented methodology for determining whether a service or function is critical or important which should be approved by the Board. It would seem appropriate that this should also identify those within the organisation who are responsible for determining whether or not a specific service or function is critical or important.

    The assessment of criticality and importance, including the methodology used in such assessment, must be reviewed at appropriate intervals in conjunction with the outsourcing policy. The Central Bank also suggests that such a review should be carried out if a Management Company decides to scale up its use of the services being provided by the outsourced service provider (“OSP”) or its dependency on such services or if there is an organisational change in the OSP such as a change to the ownership or financial position of that OSP or a material sub-outsourced service provider.

    Governance and the role of the Board and Senior Management


    The Guidance outlines that Boards and senior management of regulated firms are responsible for all activities undertaken by the regulated firm including those activities which are conducted on the regulated firm’s behalf by any third party, including any group entity. The Central Bank prescribes that the Board and senior management are ultimately accountable for the effective oversight and management of outsourcing risk within its business. This includes ensuring that there are appropriate structures in place to facilitate comprehensive oversight of the outsourcing universe.

    Under the Guidance, Boards and senior management will be required to develop existing risk management frameworks to ensure that the governance and risk management of their outsourcing frameworks operates effectively and is in line with the supervisory expectations. Outsourcing risk should also be reflected in the overarching risk register of the Management Company.

    In addition, the risk management framework must consider and document the controls to be put in place to minimise exposure to any risks identified and ensure that these controls and the mechanism for monitoring their effectiveness, are reflected in the relevant outsourcing contracts and service level agreements.

    Boards are expected to regularly review their outsourcing arrangements, with particular focus on those outsourcing arrangements which relate to critical or important functions.

    Such outsourcing governance and risk management structures must be in line with relevant sectoral legislation, regulation and guidelines applicable to Management Companies and should not impede the Management Company’s ability to meet the conditions with which it must comply in order to remain authorised, including any conditions imposed by the Central Bank. Consistent with the concerns raised by it in its Dear Chair Letter, outsourcing arrangements should not be such that they result in a Management Company becoming an “empty shell” or “letter box” entity.

    The Guidance outlines that the Central Bank expects firms to appoint a designated individual, function and/or committee to ensure that outsourcing arrangements are overseen and reported on appropriately. This designated function should be directly accountable to the Board. Management Companies should also be satisfied that the reporting framework is such that the Board and senior management receive sufficiently detailed reports on outsourcing arrangements on an ongoing basis and that an appropriate escalation process is in place to ensure that they can adequately govern outsourcing risks arising.

    Under the Guidance, Boards are also expected to establish an outsourcing register to identify and facilitate appropriate oversight and awareness of current and proposed outsourcing arrangements, and the associated risks, including the extent of the Management Company’s dependence on critical OSPs. The Guidance sets out the Central Bank’s specific expectations relating to the maintenance of outsourcing registers, including the content and completion of such register which is set down in Appendix 3 thereto. The Central Bank has confirmed in its Feedback Statement that a spreadsheet template for the outsourcing register will be made available for all firms to download from its website during Quarter 1 of 2022. It also confirms that all Management Companies (and other firms regulated by the Central Bank) which have a PRISM Impact Rating of Medium Low or higher must submit their outsourcing register via an online return on an annual basis. The first submission is currently planned for such firms for Quarter 2 of 2022 and the Central Bank will notify such firms “within a reasonable notice period” of the specific filing requirements for 2022. “Low Impact” Management Companies may be required to submit their outsourcing register on a case by case basis by their supervisor.

    Outsourcing Strategy and Outsourcing Policy


    Under the Guidance, Management Companies are expected to have a documented outsourcing strategy in place which is aligned to their business strategy, business model, risk appetite, and risk management framework. This strategy should be supported through appropriate policies, procedures and controls.

    In formulating an outsourcing strategy, consideration must be given to a number of areas, including but not limited to:

    • the extent of outsourcing that the Management Company intends to undertake;
    • the types of activities and functions it will consider outsourcing;
    • the risks which arise from its outsourcing arrangements including how they will be managed and mitigated; and
    • the extent to which the Management Company has the skills and capacity to monitor and exercise oversight of outsourcing arrangements. We would anticipate that this should also identify any functions which the Management Company determines are not suitable for outsourcing in light of its risk appetite.

    As part of this outsourcing strategy, and in a new departure, Management Companies must have a documented firm-wide outsourcing policy, which is reviewed and approved by the Board at least annually. The Central Bank expects that the policy should outline its risk appetite as it relates to outsourcing, the roles and responsibilities within the Management Company for the oversight and management of outsourcing risk as well as the criteria and methodology for the identification and classification of outsourcing arrangements as critical or important. The policy should also address the approach to the identification, assessment, mitigation and management of risks associated with outsourcing as well as the approach to initial and ongoing due diligence on OSPs and the ongoing management, monitoring and review of outsourced arrangements in place.

    Amongst other matters identified by the Central Bank in the Guidance, the outsourcing policy should also address:

    • the process for approval of new outsourcing arrangements;
    • the requirement to put in place appropriate contracts, written agreements and SLAs with the relevant OSP;
    • sub-outsourcing particularly with regard to critical or important functions or material parts of such functions;
    • the risk management framework and structures for operational oversight and controls;
    • conflicts of interest;
    • business continuity arrangements as they pertain to the outsourcing arrangements;
    • a documented exit strategy for each outsourcing arrangement deemed critical or important; and
    • termination processes generally, including in the event of unexpected termination of an outsourcing arrangement and the need for contingency arrangements.

    The Guidance also highlights the importance that the Management Company’s outsourcing policy addresses maintenance of appropriate records in relation to its outsourcing universe in order to appropriately manage risk.

    Outsourcing of Risk Management and Internal Control Functions

    The Central Bank expects Management Companies to apply due care and attention when considering and appointing the outsourcing of those roles which have been designated by the Central Bank as pre-approval controlled functions (“PCFs”) and/or controlled functions (“CFs”). It also reiterates that the Management Company remains responsible for compliance with its obligations and that any outsourcing of PCF or CF roles does not diminish the responsibility of the Board or senior management in this regard.

    Outsourcing Risk Assessment


    A comprehensive risk assessment, which the Central Bank considers to be a “key tool in enabling appropriate and adequate oversight of outsourced activities”, should be conducted prior to entering into any outsourcing arrangement. Such risk assessments should be tailored to take account of specific risks identified by the Central Bank in the Guidance including, inter alia, sub-outsourcing risks, sensitive data risks, concentration risks5, offshoring risks, step-in risk and any other additional risks associated with the relevant outsourcing arrangement. Helpfully, the Central Bank has provided specific guidance on the risks associated with outsourcing in the Guidance which should assist Management Companies in designing their risk assessments.

    Under the Guidance, Boards are expected to review and refresh their risk assessments on a periodic basis, to ensure that in the case of each Management Company, the risk assessments continue to accurately reflect the business of the Management Company, including for example, its operating environment, legal or regulatory environment and to ensure they remain reflective of the current risks to which the Management Company is exposed. The Guidance sets down certain events which may trigger a review of outsourcing risk assessments.

    Due Diligence


    The Guidance outlines the expectations of the Central Bank, both at an initial stage and on an on-going basis, regarding the due diligence that regulated firms should carry out on OSPs. The Guidance outlines specific criteria which must be considered prior to any outsourcing taking place. These criteria include by way of example only the OSP’s business model, financial health, ownership and group structure, consideration of its ability to “keep pace with innovation”, potential conflicts of interest (particularly in the case of intragroup arrangements) and the effectiveness of the OSP’s risk management and internal controls.

    The Guidance also highlights the importance of periodic reviews of the due diligence being undertaken during the lifecycle of the outsourcing arrangements. In particular, the Central Bank notes the need to periodically review the financial health of key OSPs which provide critical or important services to the Management Company and the need to undertake additional due diligence assessments prior to the expiry of any key outsourcing arrangements in order to determine whether such outsourcing arrangement should be renewed. As considered in more detail below, the Central Bank highlights that intragroup arrangements should be approached with the same rigour as the appointment of external OSPs while noting that the same risks may arise in all situations.

    In line with the development of a financial system focused on good governance and the adoption of ESG principles and the ESA Guidelines on Outsourcing, the Central Bank highlights its expectation that the Management Company satisfies itself that any outsourcing is being conducted in an ethical and socially responsible manner and consistent with the values and code of conduct of the Management Company outsourcing the activities.

    Contractual Arrangements and Service Level Agreement


    The Guidance stresses the importance of ensuring that adequate provisions are included in any outsourcing contract put in place with the OSP which governs the provision of critical or important functions or services. The Central Bank specifically draws attention to twenty-one key provisions which it believes should form the basis for any such contractual arrangement with OSPs, including a clear description of the outsourced function, the circumstances in which sub-outsourcing is permitted, the location(s) of where the services will be performed, data security, reporting obligations imposed on the OSP, business continuity plans and termination and exit provisions. These key provisions generally align with the contractual provisions prescribed by the EBA Guidelines on Outsourcing and are particularly focussed on ensuring that written agreements governing the provision of critical or important functions are resolution-resilient.

    In the case of sub-outsourcing of a critical or important function, the Management Company must provide its consent to the sub-delegation / outsourcing arrangement. While the consent of an AIFM must be obtained prior to the appointment of any sub-delegate under existing AIFMD rules, there is currently no such corresponding consent requirement under the UCITS framework, meaning that the sub-outsourcing/sub-delegation provisions in existing contracts entered into by UCITS management companies may, depending on existing terms, need to be revised in light of the finalised Guidance.

    In line with the outcome from the “Dear Chair” Letter, the Central Bank again stresses the importance of having service level agreements in place with OSPs which provide critical or important functions or services in order to support the formal contracts in place, whether the relevant OSP is external or internal to the group. Such service level agreements must incorporate key performance indicators to allow the Management Company to monitor performance appropriately.

    The Central Bank indicates that any such contract with an OSP should give the Management Company the ability to terminate the arrangement in certain specific circumstances identified in the Guidance. The Guidance also provides that the contract in place with the OSP should facilitate the re-incorporation of outsourced functions to the Management Company upon termination or the transfer of the outsourced function to another OSP. The potential for the Management Company to ‘re-incorporate’ the outsourced functions should be considered in light of the substance requirements of the Central Bank and in light of the Dear Chair Letter.

    In line with the Central Bank’s risk based approach to supervision of regulated firms, the Central Bank further outlines its expectation that the internal audit function of regulated firms should, on a contractual basis, be able to review the performance of the outsourced function using a risk-based approach. Management Companies should also consider the investigatory powers of the Central Bank when negotiating agreements with a particular emphasis on the Management Company and the Central Bank having full access to all relevant business premises of the OSP and unrestricted rights of inspection and auditing related to the outsourcing arrangements where the relevant OSP is providing critical or important services to the Management Company.

    In keeping with the expectations set out with respect to due diligence, the Central Bank indicates that periodic reviews of contracts and outsourcing arrangements should be undertaken where there are changes to business models or regulatory changes or the completion of risk assessments warrant a re-consideration of the continued suitability of the contract. If relevant, contractual arrangements should also be reviewed in good time before any scheduled renewal or termination dates in order to ensure smooth transitions or continuity of service if a decision is taken to change OSP.

    In response to the publication of the Guidance, Management Companies are advised to conduct a review of all existing delegation agreements (including for example existing investment management agreements, administration agreements and distribution agreements) and other outsourcing and sub-outsourcing contractual arrangements in place with OSPs which provide critical or important functions or services to the Management Company in order to consider whether such arrangements meet the expectations of the Central Bank as outlined in the Guidance.

    Ongoing Monitoring and Challenge


    Similar to the approach adopted by the Central Bank in its Fund Management Company Guidance, the Guidance emphasises the importance of regular and comprehensive monitoring of outsourced services/functions. The Central Bank expects Management Companies to include the three lines of defence as part of their outsourcing assurance (i.e. involving the Risk Management/Compliance function as the second line of defence and the internal audit function as the third line of defence). The Management Company’s outsourcing risk management arrangements should incorporate a mechanism to oversee, monitor, and assess the appropriateness and performance of its outsourced arrangements.

    In line with the key message of challenge which has been emphasised by the Central Bank over the last number of years and most recently in its Dear Chair Letter, the ability to interrogate the effectiveness and performance of the outsourcing and in particular the monitoring of any sub-outsourcing are key elements of the assurance framework which should be in sharp focus for all Management Companies. The expectations highlighted will require Management Companies who currently outsource functions to undertake a review of the existing arrangements in place and to ensure that they have sufficient and appropriately skilled staff within the Management Company to oversee the outsourcing arrangements in line with the supervisory expectations of the Central Bank as outlined in the Guidance.

    The third line of defence, the internal audit function, is seen as a key function in supporting the assessment of the appropriateness of outsourcing arrangements. Amongst other matters, the Central Bank expects that an internal audit function’s audit programme will assess, using a risk based approach, whether:

    • the outsourcing framework is operating effectively in line with the outsourcing policy and the Management Company’s risk appetite for outsourcing;
    • the outsourcing policies have been reviewed and updated to take account of any new legislation, business functions or new or emerging risks;
    • the correct classification is being used for outsourcing arrangements in line with the Management Company’s methodology for assessing “criticality and importance”;
    • the Management Company’s outsourcing register is being appropriately maintained; and
    • the oversight of the Board and the monitoring and management of its outsourcing arrangement is effective.

    To the extent that a Management Company uses third party certifications provided by the OSP and/or pooled audits as part of its ongoing monitoring regime, the Management Company should document how such third party certifications and pooled audits6 are deemed to provide appropriate levels of assurance in line with its outsourcing policy and its risk assessment. The Guidance also sets down specific requirements which must be met where a Management Company uses third party certifications provided by OSPs and/or pooled audits.

    Disaster Recovery and Business Continuity Management


    In its Feedback Statement, the Central Bank noted that supervisory review has revealed in some cases that there have been weaknesses in the quality of controls implemented by firms in the area of business continuity as well as evidence of a lack of consideration of resiliency risk. Against this backdrop, the Guidance sets out the Central Bank’s expectations for regulated firms in the establishment and oversight of measures to ensure continuity of outsourced functions in the event of a business interruption event. Management Companies must consider the disaster recovery and business continuity measures of their proposed OSPs and must be satisfied that service disruptions can be maintained by the OSPs within the impact tolerances and recovery time objectives of the Management Company. The internal governance of Management Companies, including business continuity plans and exit strategies, must be updated to reflect any implications of the relevant outsourcing arrangement.

    In addition, in the case of critical or important services, Management Companies must: (i) document and implement business continuity plans (“BCPs”) in relation to their critical and important outsourced functions and ensure that these plans are tested and updated on a regular basis; (ii) ensure that OSPs are obliged under the arrangements to carry out testing of their BCPs at least annually and to share the reports with the relevant Management Company; and (iii) ensure that the Management Company is allowed to participate in such OSPs’ BCP testing “where necessary” and to conduct coordinated testing of the BCP arrangements on a regular basis. In its Feedback Statement, the Central Bank noted that the purpose of setting out its expectations is to ensure that “there is close alignment of the contingency planning and testing of the OSP and that of the regulated firm” which it notes is key to ensuring the “smooth recovery of services critical to the firm in the event of a disaster”. While it notes that it may not always be operationally feasible to participate in the OSP’s business continuity testing or to co-ordinate the testing of the firm’s and the OSP’s arrangements on a regular basis, it does note that it should be possible to conduct combined “Tabletop Exercises” to walk through the coordinated recovery processes as a form of testing. It also notes that where a firm is relying on the business continuity testing performed by the OSP, that OSP should be able to demonstrate that it has carried out the testing to a level which the firm considers appropriate in light of its risk appetite and impact tolerance requirements.

    The Guidance makes clear that it is the responsibility of the Management Company to ensure that corrective action is taken to remediate any deficiencies identified in the performance of the OSP relating to disaster recovery and business continuity management.

    Exit Strategies


    The Central Bank has also set down a requirement for Management Companies to have in place appropriate strategies and plans to exit outsourcing arrangements should the need arise, providing detailed guidance on the considerations which should be taken into account when finalising such exit strategies.

    Such exit plans may potentially involve the transfer of activities to another OSP (substitutability) or for the activities to be taken back in-house by the Management Company. The proposal that a Management Company will retain the ability to take back an outsourced activity in-house may not be viable in many instances for a number of reasons, primarily due to lack of availability of sufficient resources with appropriate expertise and lack of operational capability.

    In addition, Management Companies will be expected to test (insofar as is possible) scenarios which may warrant the transfer of activities to another OSP or back in-house and to periodically review and update exit strategies to take account of developments that may alter the feasibility of an exit in stressed or non-stressed circumstances.

    In its Feedback Statement, the Central Bank reiterated that the issues arising for intragroup arrangements relating to exit strategies and termination rights are “the same as for any other third party arrangements especially in respect of critical or important arrangements”.

    Intragroup Arrangements


    In the Guidance, the Central Bank has set down its expectations in respect of intragroup arrangements which will be of particular relevance to “proprietary” or “related” Management Companies. It noted in its Feedback Statement that “intragroup arrangements should not be treated as inherently less risky than arrangements with third parties outside a firm’s group although certain aspects of the arrangements may be managed differently in practice”.

    In line with existing rules under the UCITS and AIFMD frameworks, Management Companies entering into intragroup outsourcing arrangements should be satisfied that all potential conflicts of interests arising from such arrangements have been appropriately identified and managed. Consistent with the Central Bank’s existing requirements set down in its Fund Management Company Guidance, it expects all regulated firms to satisfy themselves that reliance on group policies and procedures is appropriate in each case.

    In addition to these pre-existing requirements, the Central Bank expects Management Companies to (i) conduct detailed risk assessments of both third-party outsourcing arrangements and intragroup outsourcing arrangements, and (ii) consider and be satisfied with the extent to which the Management Company can exert sufficient influence on any group company providing the service. Therefore a Management Company should be able to demonstrate to the Central Bank if required that such intragroup delegate is adequately challenged and appropriately supervised by the Management Company on an ongoing basis.

    Provision of Outsourcing Information to the Central Bank


    Under the Guidance, the Central Bank requires timely notification of any planned “critical or important” outsourcing arrangement or material changes to existing “critical or important” outsourcing arrangements. It identifies specific events which could give rise to an obligation to notify the Central Bank of the proposed or changing outsourcing arrangement and provides guidance on the type of information that must be provided to the Central Bank as part of such notification. These requirements will not involve a change to the existing practice for Management Companies in the context of appointment of delegates/OSPs performing regulated services. However, this will reflect a change to existing practice in the context of the appointment of delegates/OSPs performing “non-regulated” services, particularly IT or cybersecurity where these are deemed “critical or important”.

    As noted above, the Central Bank has confirmed in its Feedback Statement that Management Companies with a PRISM rating of Medium Low or higher will be required to submit a copy of their outsourcing register (a template for which will be made available on the Central Bank’s website during Quarter 1 of 2022) on an annual basis with the first submission currently planned for Quarter 2 of 2022. “Low Impact” Management Companies may be required to submit their outsourcing register on a case by case basis by their supervisor.

    Application of the Guidance to Branches of Overseas Entities

    In response to queries raised as part of the consultation process on the application of the Guidance to branches of overseas banks, insurers and other firms (both EU and/or third country branches), the Central Bank has noted in its Feedback Statement that it is of the view that “branch to branch service provision, branch to parent provision and centres of excellence should all be regarded as forms of inter/intragroup service provision and as such are indistinguishable from outsourcing in terms of the risks posed by such arrangements when they are deemed critical or important” and that “consequently, the Central Bank expects the Guidance to be applied and the risks managed in the same manner as any intragroup arrangements”.

    Next Steps

    The Central Bank confirmed in its Feedback Statement that the Guidance comes into effect on the publication date (being 17 December 2021). However, it does note that “the supervisory approach to its implementation will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model”.

    We would suggest that as a first step, Management Companies should now assess their existing arrangements against the Guidance to identify what changes will need to be made in order to comply with the Guidance, the key stakeholders involved and the timeframe within which necessary steps will be taken. Once finalised, this implementation plan should be presented to the Board for its consideration and approval. Once it has been approved by the Board, Management Companies can then take the necessary actions identified in the implementation plan to ensure compliance with the Guidance within the timeframe agreed with the Board.

    How Dillon Eustace can help

    The team at Dillon Eustace can assist Management Companies in:

    • assessing the implications of the Guidance on their business models and outsourcing arrangements;
    • updating their governance arrangements as regards the appointment and continued oversight of OSPs in line with regulatory expectations detailed in the Guidance;
    • preparing a documented outsourcing strategy and outsourcing policy; and
    • reviewing existing contracts in place with OSPs to determine the changes which will need to be made in order to address the Guidance.

    If you require any assistance in this regard or have any further questions on the Guidance, please get in touch with your usual Dillon Eustace contact.


    Dillon Eustace LLP

    21 December 2021


    1 https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp138/cp138-consultation-on-cross-industry-guidance-on-outsourcing.pdf?sfvrsn=5 . This consultation process was preceded by the publication by the Central Bank of a discussion paper on outsourcing in November 2018
    2 For the purposes of this briefing, “fund management companies” includes UCITS management companies, AIFMs, internally managed AIFs and self-managed UCITS funds regulated by the Central Bank.

    3 Available from https://www.esma.europa.eu/sit...
    4 In its recently published Cross Industry Guidance on Operational Resilience, the Central Bank again uses the concept of “critical or important business services” in order to calibrate its proposed rules on operational resilience of regulated firms.

    5 Page 15 of the Feedback Statement provides clarity on the responsibilities of regulated firms regarding the issue of concentration risk

    6 Described by the Central Bank in the Guidance as onsite audits which are conducted with other regulated firms

    DISCLAIMER: This document is for information purposes only and does not purport to represent legal advice. If you have any queries or would like further information relating to any of the above matters, please refer to the contacts above or your usual contact in Dillon Eustace.

    Copyright Notice: © 2021 Dillon Eustace LLP. All rights reserved.