Legal Updates

Background

On 25 February 2021, the Central Bank of Ireland (CBI) published Consultation Paper 138 on Cross-Industry Guidance on Outsourcing (CP138). The draft Guidance is contained in Schedule 1 to CP138 (Guidance). The publication of CP138 follows on from the publication of the CBI discussion paper Outsourcing – Findings and Issues for Discussion in November 2018.

The CBI has recognised that while the increasing reliance by firms on outsourced service providers (OSPs) can be considered central to the successful delivery of a firm’s strategic objectives, it also poses risks if not effectively managed.

The Guidance sets out the CBI’s minimum supervisory expectations regarding effective governance, risk management and business continuity processes that should be applied by firms when using outsourcing as part of their business model and aims to reduce the occurrence of risks such as financial instability and consumer detriment. The Guidance also seeks to remind boards and senior management of their responsibilities when considering outsourcing as part of their business model.

Who does the Guidance apply to?

The Guidance, once finalised, will apply to all financial services providers regulated by the CBI (Regulated Firms). The Guidance addresses outsourcing to both intragroup entities and to third party OSPs, regulated and unregulated.

The CBI intends that Regulated Firms will adopt the Guidance in a manner that is proportionate to the nature, scale and complexity of their businesses.

The Guidance is intended to be supplemental to existing sectoral legislation, regulations and guidelines on outsourcing, details of which are included in Appendix 1 to the Guidance.  

The CBI is of the view that the existing sectoral guidelines on outsourcing published by the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA) align with the CBI’s own supervisory expectations. The CBI expects that Regulated Firms within the scope of the existing sectoral guidelines will make every effort to comply with those guidelines in addition to the Guidance.

What does the Guidance require?

The Guidance sets out the expectations of the CBI under ten headings. The CBI’s key expectations are summarised below.

1. Assessment of Criticality or Importance of activity/service to be outsourced

The CBI expects Regulated Firms to:

• Have a defined methodology for determining the criticality or importance of the function to be outsourced; and
• Document the methodology in its outsourcing policy, ensuring that it is approved by the board and reviewed periodically.

The criteria to be considered by Regulated Firms in assessing criticality or importance are set out at Appendix 2 to the Guidance.

2. Intragroup Arrangements

The CBI expects Regulated Firms to:

• Apply the same rigour when conducting outsourcing risk assessments for intragroup arrangements as they would for third party arrangements;
• Consider and be satisfied with the extent to which the Regulated Firm is in a position to exert sufficient influence on the group entity providing the service; and
• Consider the risks particular to intragroup arrangements such as conflicts of interest, the remediation of outsourced services where outages impact the wider group, and the appropriateness of the application of group-wide policies and procedures to the Regulated Firm.

3. Outsourcing and Delegation

The CBI expects Regulated Firms to:

• Take note that the terms “delegation” and “outsourcing” are not considered by the CBI to be different concepts; and
• Treat delegated arrangements to the same onerous due diligence, oversight and monitoring as for other outsourcing arrangements and ensure that appropriate risk management measures are in place.

4. Governance

The CBI expects the boards and senior management of Regulated Firms to:

• Have taken appropriate action to ensure that the governance and risk management of their outsourcing framework is appropriate and operating effectively so as to fulfil their responsibilities for the management of outsourcing risk and is in line with the Guidance;
• Have a documented outsourcing strategy in place, aligned with their business strategy, business model, risk appetite, and risk management framework, supported by appropriate policies, procedures and controls which are in line with the relevant sectoral legislation and updated to reflect the Guidance;
• Have a documented outsourcing policy in place, addressing items such as the Regulated Firm’s risk appetite in relation to outsourcing, the roles and responsibilities within the Regulated Firm, the methodology for the identification of critical or important outsourcing, due diligence, operational oversight, conflicts of interest, sub-outsourcing, exit strategy, etc.;
• Ensure that appropriate skills and knowledge are maintained within the Regulated Firm to effectively oversee the outsourcing arrangements;
• Maintain appropriate records in relation to their outsourcing arrangements and establish an outsourcing register (see 10 below); and
• Apply due care and attention in respect of the outsourcing of any part of their risk management or internal control functions and carefully consider the risks of outsourcing such functions.

5. Outsourcing Risk Assessment and Management

The CBI expects Regulated Firms to:

• Ensure that their risk management framework appropriately considers any outsourcing arrangements;
• Conduct comprehensive risk assessments in respect of any proposed outsourcing arrangement prior to entering into such an arrangement and consider and document the controls to be put in place to minimise exposure to the risks identified; and
• Ensure that such risk assessments are tailored to take account of the specific risks associated with outsourcing, such as sub-outsourcing risks, sensitive data risks, data security/availability/integrity, concentration risks and offshoring risks. The Guidance sets out detailed expectations in relation to each of these categories of risk.

6. Due Diligence

The CBI expects appropriate and proportionate due diligence reviews to be conducted in respect of all prospective OSPs (including intragroup providers) before entering into any arrangements with them, and periodically thereafter. The Guidance sets out the criteria which Regulated Firms are expected to consider when carrying out this due diligence, including the OSP’s regulatory status, financial performance, ownership and reputation, as well as factors such as the substitutability of the OSP, concentration risk, use of sub-contractors, etc.

Where using OSPs located in third countries, the CBI expects Regulated Firms to satisfy themselves that the OSP acts in an ethical and socially responsible manner and adheres to international standards on human rights, environmental protection and appropriate working conditions, including the prohibition of child labour.

Regulated Firms are expected to periodically review the financial health of OSPs providing critical or important services and to review their due diligence assessment prior to the expiry of key contracts before making a decision to renew the contract.

7. Contractual Arrangements and Service Level Agreements (SLAs)

The CBI expects Regulated Firms to:

• Put in place formal contracts or written agreements with OSPs, preferably that are legally binding, supported by SLAs;
• Ensure that contracts relating to critical or important outsourcing are in line with the detailed requirements in relation to content set out in the Guidance and in the EBA Guidelines on Outsourcing; and
• Monitor agreements and SLAs to ensure they are adhered to and review their terms when appropriate.

8. Ongoing Monitoring and Challenge of the Outsourcing Framework

The CBI expects Regulated Firms to incorporate outsourcing assurance into its three lines of defence and to:

• Put in place mechanisms to oversee, monitor and assess the appropriateness and performance of their outsourced arrangements using a risk-based approach, including conducting onsite reviews of the OSP;
• Incorporate assurance testing related to the management of outsourcing into their risk management and compliance monitoring programmes;
• Ensure that assessment of the outsourcing arrangement forms part of its third line of defence (i.e. via the Regulated Firm’s internal audit plan or an independent external third party review where necessary); and
• Utilise third party certifications or pooled audits only where appropriate.

9. Disaster Recovery and Business Continuity Management

The CBI expects Regulated Firms to:

• Ensure continuity of services through robust disaster recovery and business continuity management when engaging the services of an OSP;
• Document and implement business continuity plans in relation to their critical or important outsourced functions and ensure that these plans are tested and updated on a regular basis; and
• Ensure that a viable exit strategy addressing scenarios such as a failure on the part of the OSP to provide the service to the requisite standard, insolvency or any other unexpected termination is developed, kept up-to-date and tested.

10. Provision of Outsourcing Information to the CBI

The CBI expects that Regulated Firms will:

• Notify the CBI of proposed critical or important outsourcing arrangements and of material changes to existing critical or important outsourcing arrangements. The CBI reserves the right to take appropriate action in respect of such arrangements where there is, for example, an unacceptable risk posed to financial stability;
• Report to the CBI when adverse incidents occur, such as material events affecting the provision of critical or important services or breaches of contractual arrangements or SLAs; and
• Establish and maintain an outsourcing register containing the detailed information set out in the Guidance. Regulated Firms will be required to submit the data contained in the register by way of periodic regulatory return, the frequency and timing of which is to be confirmed.

Next Steps

The CBI is inviting stakeholders to submit feedback on the Guidance. The consultation period closes on 26 July 2021. Stakeholders can submit their feedback by email to outsourcingfeedback@centralbank.ie.

The CBI intends to publish the finalised Guidance in 2021, following the conclusion of the consultation period and consideration of the submissions.

The CBI expects that the boards and senior management of Regulated Firms will review the Guidance and adopt appropriate measures to improve their outsourcing frameworks and management of outsourcing risk in line with the Guidance. The CBI also expects Regulated Firms to be able to demonstrate that they have considered the supervisory expectations set out in the Guidance.

Queries

We are considering the impact of the Guidance on specific industry sectors and we will be publishing further briefings on this topic shortly. In the meantime, if you have any queries about the information contained in this article, please contact the Financial Regulation Team or your usual Dillon Eustace contact.