CP138: Central Bank of Ireland Publishes Cross-Industry Outsourcing Guidance
22 Dec 2021
On 17 December 2021, the Central Bank of Ireland ("Central Bank") issued its Cross Industry Guidance Paper on Outsourcing ("Guidance").
The publication follows its consultation on a draft form of the Guidance ("CP138"). For further details see our recent client update.
The Guidance is accompanied by a feedback statement ("Feedback Statement") summarising the CP138 feedback, providing commentary on industry views and explaining changes made to the final Guidance.
Scope and Purpose
The Guidance is relevant to all regulated firms which use outsourcing as part of their business model and is applicable proportionately, based on the nature, scale and complexity of each firm's business model and degree to which it engages in outsourcing.
The Guidance supplements existing sectoral legislation, regulations and guidance on outsourcing, which apply to specific firms.
The Guidance:
- Sets out the Central Bank's expectations on governance and management of outsourcing risk;
- Highlights the responsibilities of the board of directors (the "Board") and senior management when outsourcing; and
- Outlines the Central Bank's expectations for outsourcing frameworks to manage the associated risks.
Managing Outsourcing Risk
The following key factors should be considered when developing frameworks to manage outsourcing risks:
Assessment of Criticality or Importance of the Outsourced Activity
A defined methodology for determining the 'criticality or importance' of an outsourced service should be documented and reviewed periodically, in conjunction with a firm's outsourcing policy.
In respect of fund management companies, it is noted that functions which are considered to be administrative or technical functions are unlikely to be critical or important functions.
The same level of oversight and rigour should be applied when conducting an intragroup outsourcing risk assessment as would be applied for any other external outsourced service provider ("OSP"). Firms should be satisfied they can exert sufficient influence on the group or parent entity providing the service, and that an appropriate level of prioritisation of remediation can limit the impact of service outage.
Outsourcing and Delegation
The Central Bank notes delegation and outsourcing "are not considered by the Central Bank to be different concepts". Accordingly, any delegation arrangements must be subject to the same oversight and monitoring as other outsourcing arrangements, and firms should be able to demonstrate that any associated risks have been considered by the Board. In respect of fund management companies, it is noted that it is common for certain functions to be delegated extensively. Such delegation will be subject to the Guidance.
Governance, Outsourcing Strategy and Outsourcing Policy
Boards and senior management must be fully responsible and accountable for setting a firm's strategies and policies (including risk appetite and risk framework), and take appropriate action to ensure that the firm's outsourcing frameworks align with the Guidance.
A documented outsourcing strategy must align with a firm's overall business model and risk appetite.
A firm-wide outsourcing policy should detail the methodology for the identification, assessment, mitigation and assessment of outsourcing risks; the procedures for approving new outsourcing arrangements; and the structures for operational oversight and control. This policy should be subject to board review and approval at least annually, or when there has been a material change to the firm's business model.
Outsourcing Risk Assessment and Management
Outsourcing risk should be adequately covered in the overall risk management framework and risk register. Tailored risk assessments should be conducted prior to entering into an outsourcing arrangement which should be reviewed annually to ensure there have been no changes to the OSP's operations that would have a material impact on the firm's risk profile. Procedures should be in place for overseeing, monitoring and assessing the appropriateness and performance of OSPs.
Firms must conduct detailed initial due diligence on prospective OSPs, and OSPs of critical services should be reviewed annually. A review should also be undertaken prior to the end of any key contractual arrangements.
Contractual Arrangements and SLAs
The Central Bank expects that arrangements with OSPs are governed by formal contracts or written agreements covering specific provisions as outlined in the Guidance.
Precise quantitative and qualitative performance targets (using key performance indicators) should be included in service level agreements ("SLAs") with all OSPs providing critical or important functions (whether third parties or intragroup providers).
Ongoing Monitoring and Challenge
Employees should be appropriately trained to manage, review and test the effectiveness of the outsourced arrangement. Firms should monitor the performance of OSPs using a risk-based approach and ensure any deficiencies in service provision are appropriately remedied. An internal audit plan should be developed and, in certain circumstances, an independent third party review may be necessary.
Disaster Recovery and Business Continuity Management
Noting that robust disaster recovery ("DR") and business continuity management ("BCM") are key to effective governance and risk management with any outsourced arrangement, firms should ensure that OSPs have adequate BCM and DR measures. SLAs should include a requirement for an OSP to carry out testing of its own business continuity plans at least annually. Firms should conduct their own testing of outsourcing arrangements and report findings to the Board and the relevant OSP. Viable exit strategies should be in place and be appropriately planned, documented and regularly tested.
Notification and Reporting Requirements
While some firms are already subject to notification and reporting requirements under existing requirements, the Guidance broadens the scope of firms required to notify the Central Bank within a reasonable time period of any intended critical or important outsourcing arrangements and/or any material changes to an existing critical or important arrangement.
Each firm must develop and maintain an outsourcing register to include prescribed information for all existing and future outsourcing arrangements. The submission of data to the Central Bank register will be by periodic regulatory return. The Central Bank may require firms to provide further information on any outsourcing arrangement, even if the function concerned is not deemed critical or important. The frequency and timing of such returns will be specified through a supervisory communication.
The Feedback Statement notes that 21 responses were received to CP138.
While some minor adjustments have been made to provide additional clarity or context, the final Guidance remains largely unchanged from the draft.
On proportionality, the Central Bank acknowledges that certain aspects of the Guidance may be appropriate for all regulated firms; however, the "test for proportionality should always be underpinned by a robust outsourcing risk assessment and a consideration of the appropriate control environment such that the firm can demonstrate that it has appropriate measures in place to effectively govern and manage outsourcing risk".
Some additional feedback is provided to fund administrators, depositaries and fund management companies (as referenced above) in the context of their existing regulatory frameworks.
Next Steps and Submissions
Templates for the notification of planned critical or important outsourcing arrangements, or material changes to existing arrangements, applicable to each sector and aligned with the EBA Guidelines requirements, are to be published on the Central Bank's website in Q1 2022, with the exception of the template for banks, which is expected later in 2022.
A downloadable spreadsheet template for the register will be published on the Central Bank's website in Q1 2022. It is proposed that all firms with a PRISM impact rating of medium low or above (or its equivalent) will submit their outsourcing register annually via a new online return. The first submission is planned for Q2 2022 and firms will be given prior notice of the submission date.
Required Actions and Timing
The Guidance comes into immediate effect. Boards and senior management are expected to review the Guidance and enhance their outsourcing risk management frameworks to effectively identify, monitor and manage their outsourcing risks. However, the Feedback Statement notes that "the [Central Bank's] supervisory approach to its implementation will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model."
The Guidance indicates that the Central Bank will apply a risk-based approach to assess the effectiveness of a firm's governance and management of outsourcing arrangements and their implementation of the Guidance.
How We Can Help
Our Irish Financial Services Regulatory Group has extensive experience in designing effective governance, risk management and business continuity processes and in carrying out operational reviews of existing outsourcing frameworks in line with relevant legal and regulatory requirements and supervisory expectations.
Further information on our Irish Financial Services Regulatory Group and the services we provide is available on our website page and in our brochure.
If you would like further information, please liaise with the below or your usual Maples Group contact.
Our Financial Services Regulatory group in Ireland comprises leading lawyers and experienced industry professionals with a wealth of experience in advising clients on regulatory requirements and how to manage regulatory risk within their business. Our highly technical team deliver pragmatic and solutions-focused advice to our clients.