Outsourcing is back in the news this month with the Central Bank issuing consultation paper CP 138 on “Cross-Industry Guidance on Outsourcing”.
The consultation is issued pursuant to the Central Bank’s statutory mandate in relation to stability of the financial system, maintaining proper and effective regulation of financial service providers and markets, and resolution of financial difficulties in credit institutions, investment firms and credit unions.
Why focus on outsourcing?
As well as offering benefits to firms, outsourcing poses risks if not effectively managed. Outsourcing risk raises prudential and conduct issues in terms of dependency on third parties, both regulated and unregulated, which can affect operational resilience or service to customers. The guidance will set out the CBI’s expectations in terms of the governance and management of outsourcing risk.
A cross sector survey carried out by the CBI in 2017 identified:
- significant deficiencies in board awareness/understanding of the extent of reliance on outsource service providers (OSPs);
- major governance and risk management control weaknesses.
The CBI recognises the increased role of technology, increased IT outsourcing and outsourcing of “critical or important” services to cloud service providers (CSPs) in the financial services arena. This raises data security risks, involving potentially up to 80 countries (many outside of the EEA) in terms of contractual relationships, monitoring and recovery and exit strategies. The proposed guidance recognises the resilience risks that can arise from greater reliance on outsourcing, the need for additional technological input to control and exercise oversight of outsourcing arrangements and the need for boards and management to understand the specific risks arising from outsourcing of critical or important services. The proposed guidance will build on existing EBA Guidelines on outsourcing in effect since September 2019 and other sectoral guidance from EIOPA, ESMA and the FSB.
Critical or important functions are those functions necessary to perform core business lines or critical business functions where a failure to provide that function would have an adverse effect on the operational continuity of the core business line or critical business function.
Application of the Guidance
The CBI intend the guidance to apply to all regulated firms adopting outsourcing on a proportionate basis to the nature, scale and complexity of their business. The Guidance applies to critical or important outsourcing arrangements except where stated to apply to all outsourcing arrangements. Notwithstanding this, all regulated firms must have appropriate measures in place to govern and manage outsourcing risk in their business and adhere to relevant sectoral guidance/rules. Insofar as sectoral guidance/rules are more prescriptive, they will take precedence over the Guidance.
The Consultation is open for responses until 26 July 2021.
Outsourcing – Areas of focus for firms
Criticality/Importance
- Establish criteria/methodology to assess criticality of a function to enable consistent decision-making, reflecting the nature, scale and complexity of the business.
- Document and reflect in the firm’s outsourcing policy.
- Subject the assessment to periodic review: prior to entering an outsourcing arrangement, at intervals during the arrangement, on any scaling up of the arrangement, and on any organisational change to the OSP or any sub-outsourcing.
Intragroup arrangements
- Should be assessed with the same rigour as third-party arrangements.
- Consider ability to influence/monitor the intra-group entity providing the service.
- Consider prioritisation of remediation of services in the case of outages.
- Ensure the agreements address conflicts of interest and that policies/procedures are fit for purpose across the group and consistent with its regulatory obligations.
Outsourcing and delegation
- Whether arrangements are termed “outsourcing” or “delegation” the same considerations should apply in terms of risk assessment, governance and oversight of the arrangement.
- Notwithstanding any outsourcing or delegation arrangement the regulated firm remains responsible for all obligations.
Governance
- The board and senior management are responsible for effective oversight and management of outsourcing risk and cannot outsource their responsibility.
- Maintain a documented outsourcing policy and strategy, to be reviewed annually.
- Ensure outsourcing does not impede compliance with regulatory obligations.
- Outsourcing must not render a firm an empty shell or letter box entity.
- Assign responsibility for oversight of outsourcing risk with the role directly reporting to the board.
- Ensure structures and mechanisms are in place that give the board a comprehensive view of all outsourcing.
Risk management
- Risk management framework must consider outsourcing and outsourcing risk.
- Risk assessments must be tailored to take account of specific outsourcing risks.
- Regularly review outsourcing arrangements.
- Recognise and account for sub-outsourcing and actively manage risks.
- Manage concentration risks, data-security risks and off-shoring risks.
Due diligence
- Firms must carry out appropriate, proportionate due diligence reviews. For critical functions, ensure that the OSP has the capability to perform appropriately.
- Consider the substitutability of the OSP, SLA provisions, concentration risk, the firm’s ability to oversee the OSP, and the OSP’s ability to manage termination arrangements.
- Refresh and maintain due diligence on an ongoing basis.
Contracts and SLAs
- Outsourcing arrangements must be governed by formal contracts and SLAs which should address:
  - the use of sub-outsourcing arrangements, and termination/business continuity provisions;
  - rights of access to and cooperation with the firm and regulators, and rights to carry out audits;
  - express rights of termination for breach by the OSP of applicable law, failure to perform the outsourced functions, material changes affecting the OSP, or regulatory direction to terminate;
  - an exit strategy recognising continuity of service and orderly transfer of functions.
- Contracts and SLAs should be subject to periodic review, allowing for developments/changes, and be reviewed in advance of renewal or termination to ensure continuity of service.
Ongoing monitoring and challenge
- Ensure mechanisms to oversee, monitor and assess appropriateness and performance of outsourced arrangements, with appropriately skilled staff, reporting from the OSP, benchmarking against KPIs in the SLA and assessing business continuity measures.
- Appropriate internal audit review must be undertaken of the OSP.
Disaster recovery (DR) and business continuity management (BCM)
- Consider DR and BCM at the time of entry into outsourcing arrangements.
- Document BCM plans and update regularly.
- Ensure each OSP has a BCM plan that is tested, with the results reported to and considered by the firm.
- Consider how a firm would exit an arrangement at the outset for failure to meet requisite standards, unexpected termination, stressed circumstances or other scenario.
- Set documented impact tolerances for business interruptions and clearly define exit strategies, including the substitutability of an OSP.
It is important to note that the Central Bank requires notification of any proposed critical or important outsourcing arrangement to be entered into by a regulated firm, material changes to existing arrangements, changes in OSPs for critical functions, termination of critical or important outsourcing arrangements, or the entry into offshore outsourcing of such critical functions.
What should regulated firms do now?
Whilst the Consultation and draft Guidance are helpful to supplement the existing EU sectoral guidance and in clarifying the CBI’s regulatory expectations, clearly the CBI are of the view that current practice is not meeting their expectations for good practice. Firms and OSPs would be wise to use the consultation as an opportunity to carry out a targeted review of their outsourcing practices by:
- considering the last outsourcing review carried out and reassessing existing procedures, in particular their outsourcing policy;
- reviewing their outsourcing register to ensure it is comprehensive and complete;
- considering their assessment of critical or important functions;
- reviewing existing outsourcing agreements and SLAs;
- reviewing the latest OSP reporting and KPIs to ensure they are fit for purpose, and considering testing/auditing requirements.
For further information in relation to the above article, please contact Simon O’Neill.