CP138: Central Bank of Ireland publishes Cross-Industry Outsourcing Guidelines – Finance and Banking

On December 17, 2021, the Central Bank of Ireland (“Central Bank”) published its Cross-industry guidance paper on outsourcing (“Orientation aid”).

The publication follows the consultation on a draft guidance document (“CP138”). Further details can be found in our current client update.

The guidance is accompanied by a feedback statement (“Feedback Statement”) summarizing feedback from CP138, providing comments on industry views and explaining changes to the final guidance.

Scope and purpose

The guide is relevant to all regulated companies that use outsourcing as part of their business model and applies according to the nature, scope and complexity of each company’s business model and the degree to which they outsource.

The guide complements existing sectoral laws, ordinances and guidelines on outsourcing that apply to specific companies.

The guide:

  • sets out the central bank’s expectations for the governance and management of outsourcing risks;
  • emphasizes the responsibilities of the board of directors (the “Board of Directors”) and senior management in outsourcing; and
  • describes the central bank’s expectations of outsourcing frameworks to manage the associated risks.

Management of outsourcing risks

The following key factors should be considered when developing frameworks to manage outsourcing risk:

Assessment of the criticality or importance of the outsourced activity

A defined methodology for determining the “criticality or importance” of an outsourced service should be documented and regularly checked in connection with a company’s outsourcing policy.
With regard to fund management companies, it should be noted that functions that are considered administrative or technical functions are unlikely to be critical or important functions.

In-group agreements

The same level of supervision and rigor should be applied in performing an in-house outsourcing risk assessment as for any other third-party outsourced service provider (“OSP”). Organizations should be confident that they have sufficient control over the group or parent company providing the service and that appropriate prioritization of remedial action can limit the impact of a service failure.

Outsourcing and delegation

Note that delegation and outsourcing “are not viewed by the central bank as different concepts”. Accordingly, all delegation arrangements must be subject to the same supervision and oversight as other outsourcing arrangements, and companies should be able to demonstrate that all related risks have been considered by the board of directors. In the case of fund management companies, it should be noted that it is customary for certain functions to be largely delegated. This delegation is subject to the guidelines.

Governance, Outsourcing Strategy and Outsourcing Policy

Directors and senior management must have full responsibility and accountability for setting a company’s strategies and policies (including risk appetite and risk limits) and taking appropriate steps to ensure that the company’s outsourcing framework is in line with the policy.

A documented outsourcing strategy must be consistent with the overall business model and risk appetite of a company.

A company-wide outsourcing policy should describe in detail the methodology for identifying, assessing and mitigating outsourcing risks; the procedures for approving new outsourcing agreements; and the structures of operational supervision and control. This policy should be subject to at least annual review and approval by the board of directors or whenever there are significant changes to the company’s business model.

Outsourcing Risk Assessment and Management

The outsourcing risk should be adequately covered in the overall risk management framework and in the risk register. Before entering into an outsourcing agreement, tailor-made risk assessments should be carried out, which should be reviewed annually to ensure that no changes have occurred in the OSP’s business that would have a material impact on the company’s risk profile. There should be procedures in place to monitor and assess the adequacy and performance of OSPs.

Due diligence

Organizations must perform detailed initial due diligence on potential OSPs, and OSPs of critical services should be reviewed annually. A review should also be done before the end of important contractual arrangements.

Contractual agreements and SLAs

The central bank understands that arrangements with OSPs are governed by formal contracts or written agreements with specific provisions as described in the guidelines.

Exact quantitative and qualitative performance targets (using key performance indicators) should be included in Service Level Agreements (“SLAs”) with all OSPs that perform critical or important functions (be they third-party providers or in-house providers).

Ongoing monitoring and challenge

Employees should be adequately trained to manage, review, and test the effectiveness of the outsourced agreement. Organizations should monitor the performance of OSPs using a risk-based approach and ensure that deficiencies in service delivery are adequately addressed. An internal audit plan should be developed and, in certain circumstances, an independent third party review may be required.

Disaster recovery and business continuity management

Since robust disaster recovery (“DR”) and business continuity management (“BCM”) are key to effective governance and risk management in any outsourced arrangement, organizations should ensure that OSPs have adequate BCM and DR measures in place. SLAs should include a requirement for an OSP to conduct tests of its own business continuity plans at least once a year. Companies should conduct their own tests of outsourcing agreements and report the results to the board of directors and the relevant OSP. There should be viable exit strategies that are appropriately planned, documented and regularly tested.

Notification and reporting obligations

While some companies are already subject to notification and reporting obligations due to existing requirements, the guideline extends the scope of the companies that are obliged to inform the central bank, within a reasonable period of time, about intended critical or important outsourcing agreements and/or significant changes to an existing critical or important arrangement.

Outsourcing Register

Every company must create and maintain an outsourcing register that contains mandatory information for all existing and future outsourcing agreements. The data are transmitted to the central bank register through regular official returns. The central bank may require companies to provide further information on outsourcing arrangements even if the function concerned is not considered critical or important. The frequency and timing of these returns will be determined by a regulatory notice.

CP138 feedback

The feedback statement indicates that CP138 received 21 responses.

While some minor adjustments have been made to provide additional clarity or context, the final guide remains largely unchanged from the draft.

With regard to proportionality, the Central Bank recognizes that certain aspects of the guidelines may be appropriate for all regulated entities; however, the “test of proportionality should always be underpinned by a solid risk assessment of the outsourcing and a consideration of the appropriate control environment that the firm is operating”, so that it can prove “that it has appropriate measures in place to effectively control and manage the outsourcing risk”.

Fund administrators, custodians and fund management companies (as mentioned above) receive some additional feedback in the context of their existing regulatory frameworks.

Next steps and submissions

Templates for reporting planned critical or important outsourcing agreements or material changes to existing agreements, which apply to each sector and meet the requirements of the EBA guidelines, will be published on the central bank’s website in the first quarter of 2022, with the exception of the template for banks, which is expected to be published later in 2022.

A downloadable table template for the register will be published on the Central Bank’s website in the first quarter of 2022. It is suggested that all companies with a PRISM Impact Rating of medium low or higher (or equivalent) return their outsourcing register annually via a new online. The first submission is planned for the second quarter of 2022 and the companies will be informed of the submission date in advance.

Required actions and timing

The guidelines take effect immediately. The boards of directors and senior management are expected to review the guidelines and improve their outsourcing risk management frameworks to effectively identify, monitor and manage their outsourcing risks. However, the feedback statement states that “In its implementation, the [Central Bank’s] supervisory approach takes into account the adjustments companies have to make with regard to the type, scope and complexity of the use of outsourcing as part of their business model.”

The guidelines indicate that the central bank will use a risk-based approach to assess the effectiveness of the corporate governance and management of outsourcing arrangements and their implementation of the guidelines.

How we can help

Our Irish Financial Services Regulatory Group has extensive experience designing effective governance, risk management and business continuity processes as well as conducting operational reviews of existing outsourcing frameworks in accordance with relevant legal and regulatory requirements and supervisory expectations.

The content of this article is intended to provide general guidance on the subject. Expert advice should be sought regarding your specific circumstances.
