Implementation of Central Bank’s Guidance on Outsourcing – Fund Service Providers
Given the importance of ensuring that outsourcing arrangements comply with regulatory requirements, an immediate priority for fund service providers is implementation of the Cross-Industry Guidance on Outsourcing issued by the Central Bank of Ireland (the “CBI”) in December 2021 (the “Guidance”).
Background
The CBI states that it is strongly focused on outsourcing due to its increasing prevalence across the financial services sector and its potential, if not effectively managed, to threaten the operational resilience of regulated firms and the Irish financial system. The CBI expects all regulated firms to be in a position to demonstrate that they have appropriate measures in place to effectively govern and manage outsourcing risk and to ensure compliance with the sectoral legislation, regulations and guidance applicable to their business.
Application of the Guidance
The CBI states that the Guidance is relevant to any regulated firm which utilises outsourcing as part of its business model. For the investment funds sector, the CBI has confirmed that the Guidance is intended to supplement existing and future legislation, regulations and guidelines which apply to regulated firms, and that the Guidance will apply in a proportionate manner to the fund service providers associated with the operation of the fund and not to the investment fund itself[1]. The CBI has also stated that the board of directors of an externally managed investment company and/or ICAV should ensure that it supports the ability of the fund management company to comply with all regulatory obligations, including the Guidance.
Key Aspects of the Guidance
A table is set out below highlighting key aspects of the Guidance which fund service providers should be aware of.
| Key aspect | What the Guidance expects |
|---|---|
| What outsourcing arrangements does the Guidance apply to? | The measures in the Guidance are intended to be applied in respect of a regulated firm’s critical or important outsourcing arrangements, except where it is highlighted that the requirements should take account of all outsourcing arrangements. |
| Must firms apply the Guidance in full? | The CBI acknowledges that certain aspects of the Guidance may not be appropriate to all regulated firms, due to their nature, scale and complexity. The CBI also states that regulated firms may decide to adopt different practices to those covered in the Guidance to ensure compliance with relevant sectoral legislation, regulation and guidelines and in order to prudently manage any exposure to outsourcing risk. Where they do so, the regulated firm is expected to be in a position to explain the reason to the CBI upon request. Regulated firms must be able to clearly evidence the rationale for their approach and that the approach has been considered and approved by the board or equivalent. |
| Assessment of criticality or importance of the activity/service to be outsourced | Regulated firms should (a) have a defined methodology for determining the ‘criticality or importance’ of a service, (b) document the methodology and any related definitions of ‘critical or important’ in the regulated firm’s outsourcing policy, which should be approved by the board, and (c) review the methodology periodically in conjunction with the outsourcing policy. |
| Intragroup arrangements | Regulated firms should apply the same rigour when conducting intragroup outsourcing risk assessments as for third-party outsourcing service provider (“OSP”) assessments. |
| Outsourcing and delegation | Regulated firms should take note that the CBI does not consider ‘delegation’ and ‘outsourcing’ to be different concepts: delegated arrangements are required to be treated with the same due diligence, oversight and monitoring as other outsourcing arrangements. |
| Governance | The board and senior management of regulated firms are ultimately accountable for the effective oversight and management of outsourcing risk within their business. |
| Strategy and policy for outsourcing | Regulated firms should have a documented outsourcing strategy in place which is aligned to the regulated firm’s business strategy, business model, risk appetite and risk management framework. |
| Outsourcing of risk management and internal control functions | Regulated firms should be able to demonstrate to the CBI that the firm has carefully considered the risks of outsourcing these functions, and that the board or senior management of the firm has satisfied itself that there are no significant concerns about the governance, risk management or internal control arrangements and that it can maintain adequate oversight of these functions. |
| Outsourcing risk assessment and management | Regulated firms should ensure that their risk management framework appropriately considers any outsourcing arrangements and that outsourcing risk is reflected in the firm’s risk register. Regulated firms should also conduct comprehensive risk assessments in respect of any proposed outsourcing arrangement. |
| Sub-outsourcing risk | Regulated firms should determine their appetite for sub-outsourcing as part of their outsourcing policy and actively manage the associated risks via their contractual arrangements and their monitoring and oversight mechanisms. |
| Sensitive data risk | Regulated firms should implement appropriate measures to secure and protect their data, and should set out these measures in the firm’s outsourcing policy and in the agreements governing outsourcing arrangements, particularly for critical or important services. |
| Data security: availability and integrity | Regulated firms should ensure implementation of appropriately designed and operationally effective controls for data-in-transit, data-in-memory and data-at-rest, whether the controls are implemented by the regulated firm or by an OSP on the regulated firm’s behalf. |
| Concentration risk | Regulated firms should regularly assess, and take appropriate measures to recognise and manage, their overall exposure to and reliance on OSPs and sub-contractors, and concentration risk or vendor lock-in at firm or group level. |
| Offshoring risk | Regulated firms should evaluate the particular risks associated with the countries to which they are planning to outsource activities, ensuring that their outsourcing risk assessments pay sufficient attention to ‘country risk’; the assessment should be documented. |
| Due diligence | Regulated firms should consider specified criteria when conducting the initial due diligence review in respect of OSPs. The CBI also expects regulated firms to conduct an initial due diligence review, periodic reviews, and a due diligence assessment prior to the expiry of key contracts. |
| Contractual arrangements and service level agreements | Arrangements with OSPs should be governed by formal contracts or written agreements, preferably legally binding ones. The formal contract/written agreement should be supported by service level agreements (“SLAs”). Intragroup arrangements should, at a minimum, be implemented by way of written agreements supported by SLAs. The Guidance sets out extensive detail on the expected content of these agreements. |
| Ongoing monitoring and challenge | Regulated firms should incorporate outsourcing assurance into their three lines of defence. |
| Disaster recovery and business continuity management | Regulated firms should consider disaster recovery and business continuity management when proposing to engage the services of an OSP. The Guidance sets out specific provisions for cloud outsourcing arrangements as part of business continuity planning. Regulated firms should have a clearly defined and documented exit strategy in place (in particular for their critical or important outsourcing arrangements). |
| Provision of outsourcing information to the CBI and maintenance of an outsourcing register | Regulated firms should notify the CBI of proposed ‘critical or important’ outsourcing arrangements as required by supervisory guidance, sectoral regulation and/or as a matter of good practice. The CBI also requires timely notification of material changes to existing ‘critical or important’ outsourcing arrangements. In addition, each regulated firm is required to establish and maintain an outsourcing register. |
Comment and next steps
Fund service providers will need to assess and analyse the Guidance with a view to implementing it within their outsourcing frameworks in a proportionate manner.
[1] With the exception of ‘self-managed’ funds, where relevant. See p. 7, CBI Feedback Statement – Consultation Paper 138: Cross-Industry Guidance on Outsourcing.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.