05/03/2021 Briefing

Click here to view the briefing in PDF format.

The Central Bank (CBI) has published CP138 – Consultation on Cross-Industry Guidance on Outsourcing (CP138) together with its draft Cross-Industry Guidance on Outsourcing (CBI Guidance). This follows on from its November 2018 Discussion Paper on Outsourcing.

Outsourcing as a Strategic Tool

Outsourcing is very widely used by regulated firms in Ireland, in particular due to technological innovation, the need for flexible and agile business models and the opportunity to leverage broader group resources and expertise.

The CBI has long viewed the management of outsourcing risks by regulated firms as key from a prudential and conduct perspective, and as being closely linked to two of the five priority themes in its Strategic Plan 2019-2021: ‘Strengthening Resilience’ and ‘Strengthening Consumer Protection’.

The CBI’s 2018 Discussion Paper, which summarised the results of its 2017 cross-sectoral survey on outsourcing activity, highlighted weaknesses in board awareness, governance and risk management.  In CP138, the CBI notes that this position has not materially improved.  As such, outsourcing remains extremely high on the CBI’s supervisory agenda, and the draft CBI Guidance is designed to:

  • set out the CBI’s expectations regarding the governance and management of outsourcing risk by regulated firms;
  • remind boards and senior management of regulated firms of their responsibilities; and
  • promote standards and practices that underpin robust outsourcing frameworks.

Scope

Notably, the draft CBI Guidance is relevant to all regulated firms that outsource services and/or functions. Many of the existing outsourcing frameworks, such as the EBA Guidelines on Outsourcing Arrangements (February 2019) (the EBA Guidelines)[1], apply only to sub-sets of regulated firms (such as, in the case of the EBA Guidelines, banks, CRD investment firms, payment institutions and e-money institutions).

The draft CBI Guidance is also intended to complement, and not replace, existing sectoral laws, regulations and guidelines on outsourcing (a list of these is set out in Appendix 1 to the draft CBI Guidance).  This will be challenging for many regulated firms who will need to comply with multiple sets of outsourcing requirements.

The CBI is particularly focused on the outsourcing of “critical or important” functions (in line with the EBA Guidelines) but not exclusively so.

The CBI envisages regulated firms “predominantly” (but not exclusively) applying the CBI Guidance in respect of any outsourcing of their “critical or important” functions.  However, the draft CBI Guidance contemplates proportionate application, whereby a regulated firm may apply the CBI Guidance differently by reference to the nature, scale and complexity of its business, and the extent to which it engages in outsourcing of “critical or important” functions.

The CBI Perspective – Key Points to note from CP138

  • Increased Reliance: regulated firms are increasingly reliant on outsourced service providers (OSPs) (both group companies and third parties, not all of which are regulated).
  • ICT: the CBI is particularly focused on outsourcing relating to information and communications technology (ICT) and the outsourcing of “critical or important” services to cloud service providers (CSPs).
  • Key Risks: four key risks are highlighted by the CBI in both CP138 and the draft CBI Guidance:
    • data security risks inherent in the use of third parties (including other group companies) to store and manage business-sensitive and/or customer-confidential information;
    • oversight risks where sub-/chain outsourcing structures are used;
    • challenges to effective oversight and supervision where outsourcing is offshored, particularly outside the EU/EEA; and
    • higher levels of concentration risk (particularly in respect of cloud outsourcing).

Format of the Draft CBI Guidance

The draft CBI Guidance is structured as follows:

Section Key Points
Part A, Section 1

(Introduction)

Confirms that the CBI Guidance can be applied proportionately depending on nature, scale and complexity of the regulated firm’s business.

 

A regulated firm taking a proportionate approach must be able to explain its approach to the CBI on request. In light of this, such firms should carefully document the rationale underpinning their decision to apply proportionality.

Part B, Section 1

(Assessment of criticality or importance)

Sets out factors for regulated firms to consider when deciding if an outsourced function is “critical or important”. Appendix 2 to the draft CBI Guidance brings together the criteria set out in other applicable outsourcing-related laws, regulations and guidelines.

 

The CBI highlights the following definition in the EBA Guidelines “[f]unctions that are necessary to perform core business lines or critical business functions should be considered as critical or important, unless the institution’s assessment establishes that a failure to provide the outsourced Function or the inappropriate provision of the outsourced Function would not have an adverse impact on the operational continuity of the core business line or critical business function”.

 

The CBI expects regulated firms to establish defined and documented methodologies that underpin their assessment of criticality or importance. Those methodologies should be regularly reviewed by regulated firms.

Part B, Section 2

(Intragroup Arrangements)

Confirms that the CBI Guidance also applies to intragroup outsourcing, but notes that the manner in which it is applied may differ.

 

The CBI is particularly focused on whether sufficient influence can be exercised over intragroup OSPs and how conflicts of interest will be resolved.

Part B, Section 3

(Outsourcing and Delegation)

Confirms the CBI view that outsourcing and delegation are not different concepts (this may be of particular relevance for regulated Irish funds and fund managers).

 

The CBI expects regulated firms to apply the same standards of diligence, oversight and monitoring to delegated arrangements as they to do outsourcing arrangements.

Part B, Section 4

(Governance)

Sets expectations regarding appropriate and effective governance, and sets out the roles and responsibilities of boards and senior management.

 

Reiterates the ultimate accountability of the board and senior management, and summarises steps they must take.

Part B, Section 5

(Outsourcing Risk Assessment and Management)

Deals with risks assessments for outsourcing, and sets out the CBI’s expectations regarding the regulated firm’s risk management framework and the conduct of outsourcing risk assessments.
Part B, Section 6

(Due Diligence)

Sets expectations regarding the due diligence that regulated firms should carry out on OSPs, including a list of criteria by reference to which that diligence should be carried out. For key OSPs, or where “critical or important” services are being outsourced, the financial health of the OSP should be reviewed at least annually.
Part B, Section 7

(Contractual Arrangements and Service Level Agreements)

Lists key provisions that should be included in written outsourcing agreements, and confirms that outsourcing agreements should be supported by service level agreements.  The CBI expects agreements with OSPs to be reviewed regularly.
Part B, Section 8

(Ongoing Monitoring)

Highlights the importance of regular and comprehensive monitoring of outsourced services/functions. The CBI expects regulated firms to include outsourcing assurance in its three lines of defence (risk owners, risk management and compliance functions, and internal audit).
Part B, Section 9

(Disaster Recovery and Business Continuity Management)

Sets out the CBI’s requirements regarding measures to ensure continuity of outsourced functions and appropriate exit strategies.

 

Among other matters, the CBI expects robust disaster recovery and business continuity management, close alignment with the equivalent plans of OSPs, and effective contingency measures such as exit strategies so as to ensure a smooth transition away from OSPs where required.

Part B, Section 10

(Provision of Outsourcing Information to the CBI)

Sets out requirements for regulated firms in connection with:

  • notifying the CBI of the planned outsourcing of “critical or important” services/functions or material changes to existing outsourcing arrangements in respect of those services/functions
  • the establishment and maintenance of registers of outsourcing arrangements (a separate industry letter will set out the CBI’s requirements regarding how and when those registers are to be submitted to it).

What Happens Next?

The consultation period closes on 26 July 2021 and the CBI plans to publish its final Guidelines later this year.  It is unclear whether there will be an implementation period or grandfathering arrangements.

We will publish a series of detailed briefings in the coming weeks, focusing on the following areas and setting out practical steps that regulated firms can take:

  • governance and ongoing monitoring
  • contractual requirements
  • risk assessment and due diligence
  • registers and outsourcing policies

In the meantime, based on the content of the draft CBI Guidelines (which realistically we do not expect to be changed materially after the consultation process), boards and senior management of regulated firms should start planning for the following:

  • the requirement for a documented outsourcing strategy, supported by policies, procedures, controls and due diligence on all OSPs;
  • the requirement for a comprehensive outsourcing policy (reviewed at least annually);
  • the need for existing risk management frameworks to be updated to take account of the CBI Guidance;
  • the need to put in place/review structures and mechanisms to ensure the timely flow of management information to the board and senior management;
  • the need to maintain appropriate skills and knowledge within the regulated firm to effectively oversee outsourcing arrangements from inception to conclusion (in particular for technical and/or complex outsourced activities, such as outsourcing to CSPs) – this will need to be taken into account as part of recruitment processes for oversight/monitoring roles and training for boards and senior management may be needed;
  • a review of which outsourced functions are critical and important”;
  • if a proportionate approach is planned, how that will be decided upon and documented;
  • a review of the content of template and existing outsourcing agreements and SLAs by reference to the draft CBI Guidelines;
  • an assessment the work involved in setting up and maintaining an outsourcing register;
  • ensuring appropriate organisational awareness of the requirements applicable to the regulated firm when outsourcing; and
  • the management and monitoring of sub-outsourcing and sensitive data/data security risks.

[1] Further information on the EBA Guidelines is set out here: COVID-19 Practical Considerations: EBA Guidelines on Outsourcing Arrangements.