Financial Regulation | May 13, 2021

Proposed Central Bank Guidance on Outsourcing: Implications for Fund Service Providers

For further information on any of the issues discussed in this publication please contact the related contact(s) on this page.

Background

As readers of our recent client briefing will be aware, the Central Bank of Ireland (Central Bank) has published a consultation paper on the topic of outsourcing (Consultation Paper), Schedule 1 of which contains draft Cross-Industry Guidance on Outsourcing (Draft Guidance). This follows the publication of a Central Bank Discussion Paper on Outsourcing in November 2018.

Which firms are within scope?

The Consultation Paper indicates that the Draft Guidance, once finalised, will apply to all “financial service providers regulated by the Central Bank”.

Implications for Irish fund administrators and depositaries

While the Consultation Paper will be of interest to all firms regulated by the Central Bank, in this briefing we consider the possible implications of the Draft Guidance for Irish fund service providers, such as administrators and depositaries (FSPs), should it be finalised in its current form. The implications of the Draft Guidance will depend upon the type of FSP in question.

(i) Administration firms authorised under the Investment Intermediaries Act 1995

For Irish fund administration firms authorised under the Investment Intermediaries Act 1995, as amended (IIA), the current requirements relating to “outsourcing” are found in the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017 (2017 Regulations).

For these entities, the requirements set out in the Draft Guidance are likely to represent a significant departure from the existing regime, particularly in light of the broadening of the scope of the definition of “outsourcing” envisaged under the Draft Guidance from the definition of “outsourcing” found in the 2017 Regulations (see below under the heading “Definition of Outsourcing”).

(ii) Depositaries authorised under the IIA

For Irish depositaries authorised under the IIA, the Draft Guidance will introduce a new Irish regulatory framework for outsourcings entered into by such firms. Currently there is no separate Irish legislative or regulatory framework applicable to “outsourcing” by such entities, save for the regime applicable to the “delegation” of depositary functions as provided for under the AIFMD and UCITS frameworks.

(iii) Irish branches of EU credit institutions

For FSPs which are authorised by the Central Bank as Irish branches of such EU credit institutions, the requirements set out in the Draft Guidance will be broadly familiar. This is because such EU credit institutions currently fall within scope of the Guidelines on outsourcing arrangements published in February 2019 by the European Banking Authority (EBA Guidelines)1. The Consultation Paper indicates that the Draft Guidance is in keeping with the requirements set out in the EBA Guidelines, as well as the Guidelines on Outsourcing to Cloud Services Providers issued by the European Securities and Markets Authority (ESMA)2.

Purpose of the Draft Guidance

In recognition of the increasing reliance of many regulated firms on outsourced service providers, the Draft Guidance, once implemented, is intended to assist regulated firms in developing their outsourcing risk management framework to effectively identify, monitor and manage their outsourcing risks. It is intended to supplement existing sectoral legislation, regulations and guidelines on outsourcing and will set down the Central Bank’s expectations of good practice for effective management of outsourcing risk.

Definition of “Outsourcing”

Appendix 4 of the Draft Guidance defines “outsourcing” as meaning “an arrangement of any form between a regulated firm and an outsourced service provider (OSP) by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the regulated firm itself, even if the regulated firm has not performed that function itself in the past”.

This definition is aligned with the definition contained in the EBA Guidelines. However, it is considerably broader in scope than the definition of “outsourcing” contained in the 2017 Regulations, which refers to the outsourcing of “administration services” as defined therein. This will mean that certain delegation/support services arrangements entered into by IIA authorised administration firms, which are currently not categorised as “outsourcing”, will need to be re-examined once the Draft Guidance is implemented, to potentially re-characterise those arrangements as outsourcing.

Distinction between “Delegation” and “Outsourcing”

It is important to note that the Draft Guidance clarifies that the Central Bank does not consider “delegation” and “outsourcing” to be different concepts. Hence the requirements set out in the Draft Guidance will apply to both the “delegation” by FSPs of regulated activities as well as the “outsourcing” of unregulated activities. This will be a new development for many FSPs and may result in overlapping or duplicative regulatory requirements. For example, the outsourcing requirements will sit alongside the separate regulatory regime applicable to the “delegation” of depositary functions as provided for under the AIFMD and UCITS frameworks.

Identification of “Critical or Important” Outsourcing Arrangements

Under the Draft Guidance, FSPs will be required to identify those outsourcing arrangements which relate to activities or services which are critical or important, using the criteria set down in Appendix 2 of the Draft Guidance. Functions which are necessary to perform “core business lines” or “critical business functions” should be considered as critical or important3. This assessment should be carried out in respect of all activities or services which are being outsourced by the FSP, including IT activities. It is worth noting in this regard that certain provisions of the Draft Guidance only apply to the outsourcing of activities or services which have been categorised as critical or important.

The Central Bank expects FSPs to have a defined and documented methodology for determining whether a service or function is critical or important, which should be approved by the Board. It would seem appropriate that this should also identify those within the organisation who are responsible for determining whether or not a specific service or function is critical or important.

The assessment of criticality and importance, including the methodology used in such assessment, must be reviewed periodically in conjunction with the outsourcing policy. The Central Bank also suggests that such a review should be carried out if an FSP decides to scale up the services being provided by an OSP or if there is a change to the ownership or financial position of that OSP or a material sub-outsourced service provider.

Governance and the role of the Board and Senior Management

The Draft Guidance outlines that Boards and senior management of regulated firms are responsible for all activities undertaken by the regulated firm, including those activities which are conducted on the regulated firm’s behalf by any third party, including any group entity.

The Central Bank prescribes that the Board and senior management are ultimately accountable for the effective oversight and management of outsourcing risk within the business. This includes ensuring that there are appropriate structures in place to facilitate comprehensive oversight of the outsourcing universe.

Under the Draft Guidance, Boards and senior management will be required to develop existing risk management frameworks to ensure that the governance and risk management of their outsourcing frameworks operates effectively and is in line with the supervisory expectations. Outsourcing risk should also be reflected in the overarching risk register of the FSP.

In addition, the risk management framework must consider and document the controls to be put in place to minimise exposure to any risks identified and ensure that these controls and the mechanism for monitoring their effectiveness, are reflected in the relevant outsourcing contracts and service level agreements.

Boards are expected to regularly review their outsourcing arrangements, with particular focus on their critical or important arrangements.

Such outsourcing governance and risk management structures must be in line with relevant sectoral legislation, regulation and guidelines applicable to FSPs, and should not impede the FSP’s ability to meet the conditions with which it must comply in order to remain authorised, including any conditions imposed by the Central Bank.

The Draft Guidance outlines that the Central Bank expects firms to appoint a designated individual, function and/or committee to ensure that outsourcing arrangements are overseen and reported on appropriately. This designated function should be directly accountable to the Board. FSPs should also be satisfied that the reporting framework is such that the Board and senior management receive sufficiently detailed reports on outsourcing arrangements on an ongoing basis and that an appropriate escalation process is in place to ensure that they can adequately govern the outsourcing risks arising.

Boards are also expected to establish an outsourcing register to identify and facilitate appropriate oversight and awareness of current and proposed outsourcing arrangements, and the associated risks, including the extent of the FSP’s dependence on critical OSPs.

Outsourcing Strategy and Outsourcing Policy

Under the Draft Guidance, FSPs are expected to have a documented outsourcing strategy (including policies, procedures and controls) in place which is aligned to their business strategy, business model, risk appetite, and risk management framework.

In formulating an outsourcing strategy, consideration must be given to a number of areas, including but not limited to:

  • the extent of outsourcing that the FSP intends to undertake;
  • the types of activities and functions it will consider outsourcing;
  • the risks which arise from its outsourcing arrangements including how they will be managed and mitigated and the extent to which the FSP has the skills and capacity to monitor and exercise oversight of outsourcing arrangements. We would anticipate that this should also identify any functions which the FSP determines are not suitable for outsourcing in light of its risk appetite.

As part of this outsourcing strategy, FSPs will be expected to have a documented firm-wide outsourcing policy, which is reviewed and approved by the Board at least annually. The Central Bank expects that the policy should outline the roles and responsibilities within the FSP for the oversight and management of outsourcing risk as well as the criteria and methodology for the identification and classification of outsourcing arrangements as critical or important. The policy should also address the approach to the identification, assessment, mitigation and management of risks associated with outsourcing as well as the approach to initial and ongoing due diligence on OSPs and the ongoing management, monitoring and review of outsourced arrangements in place.

The outsourcing policy should also address: (i) the process for approval of new outsourcing arrangements; contracts, written agreements and SLAs, (ii) sub-outsourcing particularly with regard to critical or important functions or material parts of such functions, (iii) conflicts of interest, (iv) business continuity arrangements as they pertain to the outsourcing arrangements, (v) a documented exit strategy for each outsourcing arrangement deemed critical or important, and (vi) termination processes generally, including in the event of unexpected termination of an outsourcing arrangement and the need for contingency arrangements.

The Draft Guidance also highlights the importance that the FSP’s outsourcing policy addresses maintenance of appropriate records in relation to its outsourcing universe in order to appropriately manage risk.

Outsourcing of Risk Management and Internal Control Functions

The Central Bank expects FSPs to apply due care and attention when considering and appointing the outsourcing of those roles which have been designated by the Central Bank as pre-approval controlled functions (PCFs) and/or controlled functions (CFs). It also reiterates that the FSP remains responsible for compliance with its obligations and that any outsourcing of PCF or CF roles does not diminish the responsibility of the Board or senior management in this regard.

Outsourcing Risk Assessments

A comprehensive risk assessment in respect of any proposed outsourcing arrangement should be conducted prior to entering into such an arrangement and should be tailored to take account of specific risks identified by the Central Bank in the Draft Guidance including, inter alia, sub-outsourcing risks, sensitive data risks, concentration risks, offshoring risks and any other additional risks associated with outsourcing. Helpfully, the Central Bank has provided specific guidance on the risks associated with outsourcing in the Draft Guidance which should assist FSPs in designing their risk assessments. The Draft Guidance expects Boards to review and refresh their risk assessments on a periodic basis, to ensure that in the case of each firm, they continue to accurately reflect the regulated firm’s business, including for example, its operating environment, legal or regulatory environment and to ensure they remain reflective of the current risks to which the regulated firm is exposed.

Due Diligence

The Draft Guidance outlines the expectations of the Central Bank, both at an initial stage and on an on-going basis, regarding the due diligence that regulated firms should carry out on OSPs. The Draft Guidance outlines specific criteria which must be considered prior to any outsourcing taking place, including consideration of the ability of the OSP to “keep pace with innovation” and, where that OSP is providing critical or important services, the financial health of the proposed OSP. The Draft Guidance highlights the importance of periodic reviews of the due diligence being undertaken during the lifecycle of the outsourcing arrangements and, in particular, the need to undertake additional due diligence assessments prior to the expiry of any key outsourcing arrangements in order to determine whether such outsourcing arrangement should be renewed. As noted above, the Central Bank highlights that intragroup arrangements should be approached with the same rigour as the appointment of external OSPs while noting that the same risks may arise in all situations.

In line with the development of a financial system focused on good governance and the adoption of ESG principles and the ESA Guidelines on Outsourcing, the Central Bank highlights its expectation that any outsourcing be conducted in an ethical and socially responsible manner and consistent with the values and code of conduct of the FSP outsourcing the activities.

Contractual Arrangements and Service Level Agreements

The Draft Guidance stresses the importance of ensuring that adequate provisions are included in any outsourcing contract which describe the outsourced function, any financial obligations and the requirements which must be satisfied prior to any sub-delegation/sub-outsourcing taking place.

In the case of sub-outsourcing of a critical or important function, the FSP must provide its consent to the sub-delegation / outsourcing arrangement. This will not reflect a change in the existing practice for certain FSPs (such as those currently subject to the EBA Guidelines) but will present a departure in current practice for other types of FSPs.

The Central Bank stresses the importance of having service level agreements in place with all OSPs, whether external to the group or internal, which should incorporate key performance indicators to allow the FSP to monitor performance appropriately. The Central Bank specifically draws attention to twenty-one key aspects which should form the basis for any contractual agreement with the OSP, including location, data security, reporting, business continuity plans and insolvency matters, and termination and exit provisions. These key provisions generally align with the contractual provisions prescribed by the EBA Guidelines.

The Central Bank also re-emphasises where it believes arrangements should be capable of being terminated and sets out a number of situations where termination would be appropriate and, more importantly, should facilitate the re-incorporation or transfer of outsourced functions to the regulated firm upon termination.

In line with the Central Bank’s risk based approach to supervision of regulated firms, the Central Bank further outlines its expectation that the internal audit function of regulated firms should, on a contractual basis, be able to review the performance of the outsourced function using a risk-based approach. In light of such expectations, FSPs should consider the investigatory powers of the Central Bank when negotiating agreements with particular emphasis on the Central Bank having full access to all relevant business premises of the OSP and unrestricted rights of inspection and auditing related to the outsourcing arrangements.

In keeping with the expectations set out with respect to due diligence, the Central Bank indicates that periodic reviews of contracts and outsourcing arrangements should be undertaken, specifically where there are changes to business models, regulatory changes or where suitability of the arrangements is to be considered.

If the Draft Guidance is implemented as currently proposed, FSPs will most likely have to conduct a review of all outsourcing and sub-outsourcing contractual arrangements in order to satisfy themselves that such arrangements meet the expectations of the Central Bank as outlined in the Draft Guidance.

Ongoing Monitoring and Challenge

The Draft Guidance emphasises the importance of regular and comprehensive monitoring of outsourced services/functions. It outlines that the Central Bank expects FSPs to include the three lines of defence as part of their outsourcing assurance (i.e. involving the risk management/compliance function as the second line of defence and the internal audit function as the third line of defence). In developing or reviewing its outsourcing policy, the FSP should ensure that a mechanism to oversee, monitor, and assess the appropriateness and performance of its outsourced arrangements is in place and should also consider any staffing requirements which may arise to ensure robust challenge of the OSP. The Central Bank notes that external providers and third party certifications may be utilised in assessing the appropriateness of outsourcing arrangements provided that in such circumstances the FSP has documented how such third party validation is deemed to provide appropriate levels of assurance in line with its outsourcing policy and its risk assessment.

The third line of defence, the internal audit function, is seen as a key function in supporting the assessment of the appropriateness of outsourcing arrangements. Amongst other matters, the Central Bank expects that an internal audit function’s audit programme will assess, using a risk-based approach, whether:

  • the outsourcing framework is operating effectively and the outsourcing policies have been reviewed and updated to take account of any new legislation, business functions or risks;
  • the correct classification is being used for outsourcing arrangements in line with the FSP’s methodology for assessing “criticality and importance”;
  • the FSP’s outsourcing register is being appropriately maintained; and
  • the oversight of the Board and the monitoring and management of its outsourcing arrangement is effective.

These requirements will not involve a significant change to existing practice for certain types of FSPs (such as those currently subject to the EBA Guidelines) but will present a departure in current practice for other types of FSPs.

Disaster Recovery, Business Continuity Management and Exit Strategies

This section of the Draft Guidance sets out the Central Bank’s expectations of regulated firms in the establishment and oversight of measures to ensure support for the continuity of outsourced functions. The Draft Guidance makes it clear that FSPs will need to consider the data recovery and business continuity measures of their proposed OSPs and they must be satisfied that service disruptions can be maintained by the OSPs within the impact tolerances and recovery time objectives of the relevant Management Company. The internal governance of FSPs, including business continuity plans and exit strategies, must be updated to reflect any implications of the outsourcing arrangement.

In addition, in the case of critical or important services, FSPs must: (i) document and implement business continuity plans (BCPs) in relation to their critical and important outsourced functions and ensure that these plans are tested and updated on a regular basis; (ii) ensure that OSPs are obliged under the arrangements to carry out testing of their BCPs at least annually and to share the reports with the relevant Management Company; and (iii) allow the FSP to participate in such OSPs’ testing where necessary.

The Draft Guidance makes it clear that it is the responsibility of the FSP to ensure that corrective action is taken to remediate any deficiencies identified in the performance of the OSP.

The Draft Guidance also sets out the requirement for FSPs to have in place appropriate strategies and plans to exit outsourcing arrangements should the need arise.

Such exit plans may potentially involve the transfer of activities to another OSP (substitutability) or for the activities to be taken back in-house. The proposal that an FSP will retain the ability to take back an outsourced activity in-house may not be viable in many instances for a number of reasons, primarily due to lack of availability of sufficient resources and lack of operational capability.

In addition, FSPs will be expected to test (insofar as is possible) scenarios which may warrant the transfer of activities to another OSP or back in-house and to periodically review and update exit strategies to take account of developments that may alter the feasibility of an exit in stressed or non-stressed circumstances.

These requirements will not involve a significant change to the existing practice for certain types of FSPs (such as those currently subject to the EBA Guidelines) but will present a departure in current practice for other types of FSPs.

Intragroup Arrangements

In the Draft Guidance, the Central Bank has set down its expectations in respect of intragroup arrangements which will be of particular relevance to “proprietary” or “related” FSPs. FSPs entering into intra-group outsourcing arrangements are required by the Central Bank to be satisfied that all potential conflicts of interests arising from such arrangements have been appropriately identified and managed. The Central Bank expects all regulated firms to satisfy themselves that reliance on group policies and procedures is appropriate in each case.

In addition to these pre-existing requirements, the Central Bank will expect FSPs to: (i) conduct detailed risk assessments of both third-party outsourcing arrangements and intra-group outsourcing arrangements, and (ii) consider and be satisfied with the extent to which the FSP can exert sufficient influence on any group company providing the service.

In the context of non-regulated services, these requirements will involve a change to the existing practice for those FSPs which are not currently subject to the EBA Guidelines.

Provision of Outsourcing Information to the Central Bank

Under the Draft Guidance, the Central Bank requires timely notification of any planned “critical or important” outsourcing arrangement or material changes to existing “critical or important” outsourcing arrangements.

These requirements will not involve a change to the existing practice for FSPs currently subject to the EBA Guidelines, nor for IIA authorised administration firms who are outsourcing a critical or important administration service. However, this will reflect a change to existing practice for FSPs not currently subject to the EBA Guidelines in the context of the appointment of delegates/OSPs performing “non-regulated” services, particularly IT or cybersecurity where these are deemed critical or important.

In addition, the Central Bank has indicated that regulated firms may be required to submit a copy of their outsourcing register to the Central Bank either cyclically or upon request, depending on the nature, scale and complexity of the firm’s business and the extent of its reliance on outsourcing as part of its business model.

Proportionality

The Central Bank recognises that the Draft Guidance, once finalised, should be complied with in a proportionate manner by regulated firms, taking into account the relevant firm’s nature, scale and complexity of its business activities and the degree to which the firm engages in outsourcing. In other words, the Central Bank does not expect all FSPs to comply with the Draft Guidance (once finalised) in the same way, acknowledging that “it may not be appropriate for certain smaller, less complex regulated firms to adopt, in full, all measures set out in the Guidance”.

When deciding how to implement measures to comply with the Draft Guidance, FSPs should also have regard to whether the relevant outsourced activity is deemed critical or important.

Under the Draft Guidance, it is possible to adopt different practices to those outlined by the Central Bank in order to manage outsourcing risk but in such circumstances, such practices must be considered and approved by the board of directors of the FSP and the FSP should be in a position to explain the rationale for any such approach to the Central Bank.

Next Steps

The CBI is inviting stakeholders to submit feedback on the Guidance. The consultation period closes on 26 July 2021. Stakeholders can submit their feedback by email to outsourcingfeedback@centralbank.ie.

The CBI intends to publish the finalised Guidance in 2021, following the conclusion of the consultation period and consideration of the submissions.

Dillon Eustace is currently working with a number of FSPs to assess the potential implications of the Draft Guidance on their business models and outsourcing arrangements if implemented as currently proposed. If you require any assistance in this regard or have any further questions, please contact your usual Dillon Eustace contact.

1 EBA Final Report on EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02 of 25 February 2019).
2 European Securities and Markets Authority ESMA 50-157-2403 Guidelines on Outsourcing to Cloud Service Providers (December 2020).
3 In its recent Consultation Paper 140 on cross-industry guidance on operational resilience, the Central Bank again uses the concept of “critical or important business services” in order to calibrate its proposed rules on operational resilience of regulated firms.

DISCLAIMER: This document is for information purposes only and does not purport to represent legal advice. If you have any queries or would like further information relating to any of the above matters, please refer to the contacts above or your usual contact in Dillon Eustace.

Copyright Notice: © 2021 Dillon Eustace. All rights reserved.