Outsourcing update
Outsourcing is a key focus for European regulators. The Central Bank of Ireland (Central Bank) is no exception and has recently published draft cross-industry guidance (Guidance) for consultation. The main outsourcing risks highlighted in this consultation paper include cloud outsourcing, chain outsourcing, concentration risk and offshoring. In this article we look at the Central Bank's key proposals.
Scope and Timing
The Guidance will be applied in a proportionate manner to all regulated firms (Firms) and not just those covered by the scope of the existing outsourcing guidelines issued by the European Supervisory Authorities. The proportionate application of the Guidance will be framed by the firm’s outsourcing risk assessment and resulting controls, and whether an outsourced function is critical or important.
Firms have until 26 July 2021 to respond to the consultation. The Central Bank expects the Guidance to be finalised and implemented later this year.
Requirements
The Guidance will require Firms to identify the functions they outsource, whether to intragroup entities or to third party providers (including delegation arrangements), and to assess the relative importance of each function. The identified risks must be managed and governed appropriately and be subject to ongoing monitoring. Firms can plan for implementation by focusing on the following areas:
Assessment of criticality or importance of outsourced function
Firms must determine the criticality or importance of the function, service or activity that they intend to outsource, as this determines the appropriate risk management measures. Firms should also have a defined and documented methodology for determining the outsourced activity's criticality or importance, and this should be periodically reviewed in conjunction with the outsourcing policy.
Intragroup arrangements
The Central Bank acknowledges intragroup outsourcing carries benefits but it also presents unique risks. When assessing intragroup outsourcing arrangements, Firms should:
- Apply the same rigorous assessment to intragroup and third party outsourcing arrangements
- Consider and be satisfied that the firm can exert sufficient influence on the parent/group outsourced service provider (OSP)
- Consider, and be satisfied with, how the group prioritises remediation of issues in outsourced services that may affect the Firm and/or the group
- Provide for the resolution of conflicts of interest in their governance arrangements
- Assess whether group policies and procedures are fit for purpose at the Firm and comply with the Firm's legal and regulatory obligations.
Outsourcing & delegation
The Guidance reiterates the Central Bank's expectation that the Firm remains ultimately accountable for outsourcing. When assessing delegation arrangements, Firms should:
- Recognise that the Central Bank does not consider "delegation" and "outsourcing" to be different concepts
- Apply the same rigorous due diligence, oversight and monitoring to delegated arrangements as to other outsourcing arrangements
- Be satisfied that appropriate and effective governance and risk management measures are in place in respect of their delegated arrangements
- Be able to demonstrate appropriate oversight, Board consideration and management of delegation arrangements and the associated risks.
Governance
Boards and senior management are responsible for all outsourced activities. To ensure appropriate governance and oversight, they should:
- Ensure the governance and risk management of their outsourcing framework is appropriate and operating effectively, and in line with relevant sectoral legislation, regulation and guidelines, especially where functions are outsourced to a different jurisdiction
- Have a documented outsourcing strategy aligned to the Firm’s strategy, business model, risk appetite and risk management framework, supported by appropriate policies, procedures and controls
- Ensure the Firm continues to meet its authorisation conditions, that appropriate skills and knowledge are maintained within the Firm to effectively oversee outsourcing arrangements from inception to conclusion and that the Firm does not become an "empty shell"
- Have a comprehensive outsourcing policy which is reviewed by the Board and approved at least annually, and which addresses the minimum requirements contained in the Guidance
- Appoint an appropriate person, function and/or committee with direct accountability to the Board as responsible for outsourcing oversight and risk, to ensure a holistic view of outsourcing
- Have appropriate and effective governance and internal controls to identify, measure, manage, monitor and report the risks associated with outsourcing arrangements, as well as appropriate structures and mechanisms to provide the Board with a comprehensive view of the Firm's outsourcing universe. This should include management information which enables the Board to challenge the establishment and oversight of outsourcing arrangements
- Establish an outsourcing register, to identify and facilitate appropriate oversight and awareness of current and proposed outsourcing arrangements, and their associated risks
- Ensure that outsourcing arrangements do not impede the Firm's resolvability.
Outsourcing risk assessment & management
Firms should conduct comprehensive risk assessments to enable appropriate and adequate oversight of outsourced activities. This involves:
- Ensuring that the risk management framework appropriately considers any outsourcing arrangements and that outsourcing risk is reflected in the Firm’s overarching risk register
- Comprehensive risk assessments in respect of any proposed outsourcing arrangement
- Tailoring the outsourcing risk assessments to take account of specific risks associated with outsourcing
- Considering and documenting the controls in place to minimise exposure to identified risks
- Ensuring that controls and tools to monitor the effectiveness of risk management controls are reflected in the outsourcing contracts and Service Level Agreements (SLAs)
- A regular review of outsourcing arrangements, with particular focus on critical or important arrangements, and a periodic refresh of the risk assessment to ensure it accurately reflects the Firm's business.
Due diligence
Firms should conduct appropriate and proportionate due diligence reviews in respect of all prospective OSPs or intragroup providers before entering into any arrangements, periodically during the relationship and prior to the expiry of key contracts. These reviews should include a consideration of:
- The OSP's business model, financial performance, regulated status, reputation and ability to keep pace with market innovation
- Existing relationships with the OSP and potential conflicts of interest
- GDPR compliance
- Effectiveness of risk management and internal controls
- Contractual arrangements and SLAs
OSP arrangements should be governed by formal contracts or written agreements, preferably legally binding and supported by SLAs. Intragroup arrangements should be implemented, at a minimum, by way of written agreements supported by SLAs. The Firm should monitor all OSPs' adherence to such agreements and SLAs. Agreements governing critical or important functions should be resolution resilient and in line with the EBA Guidelines on Outsourcing and general good practice.
Ongoing monitoring and challenge
Outsourcing assurance should be incorporated into the three lines of defence. Firms should have appropriate mechanisms to oversee, monitor, and assess the appropriateness and performance of their outsourced arrangements. Such mechanisms are generally executed by the first line of defence with oversight and challenge through the second line. The effective performance of outsourcing arrangements and controls to mitigate associated risks should form part of the Firm's third line of defence assurance programme. Firms should also assess whether external third party review, third party certifications provided by the OSP and/or pooled audits may be necessary to obtain satisfactory assurance regarding their outsourcing universe.
Disaster recovery and business continuity management
Continuous assessment of the Firm's business processes, disaster recovery (DR) and business continuity management (BCM) is key to ensuring the Firm's resilience and continuity of services. Firms should consider the implications of having outsourced a function to an OSP and the BCM arrangements that the OSP has in place. Close alignment of the DR/BCM arrangements of the Firm and its OSP is important, particularly where a critical or important function is involved. The Firm's DR/BCM measures should also be linked to its exit strategy planning.
Providing outsourcing information to the Central Bank
Firms must provide the Central Bank with timely notification of all proposed critical or important outsourcing arrangements, and of material changes to existing critical or important outsourcing arrangements. Such changes include existing arrangements redefined as critical or important outsourcing arrangements, changes to OSPs or their location, changes to the Firm's business model and termination of outsourcing arrangements.
Firms must also report to the Central Bank on:
- Significant changes to outsourcing aspects of their business models
- Material events affecting the provision of critical or important services
- Material breaches of contractual arrangements or SLAs which affect customers or the Firm's conduct of regulated services
For further information please contact Dario Dagostino, Kevin Allen, Patrick Brandt and Mark Devane, Partners, Sinéad Prunty, Knowledge Lawyer, Eimear Fay and Vivianne Schwarz, Associates or any member of the Financial Regulation and Investigations team.
With thanks to Caroline O'Byrne, Solicitor.
Date published: 14 April 2021