COVID-19: Impact on outsourcing arrangements

Tuesday, May 5, 2020

Outsourcing by financial institutions has become commonplace; the current COVID-19 crisis has demonstrated the significance of having comprehensive business continuity processes in place. Social distancing restrictions have affected the business and operations of regulated firms as well as the rest of the economy. Some banks have had to close branches, staffing has been under pressure in other firms due to remote working being implemented.

For regulated financial services providers however, business continuity forms the bedrock of any outsourcing arrangement and those processes will certainly have been tested recently.

The CRD (Capital Requirements Directive 2013/36/EU) gives the European Banking Authority power under Article 74(3) to issue guidelines on governance arrangements for regulated firms and in terms of outsourcing this takes the form of its February 2019 ‘Guidance on Outsourcing Arrangements’. Both the MiFID directive (2014/65/EU) and Payment Services directive (2015/2366/EU) impose outsourcing requirements also for firms operating in those sectors.

The overriding principle where outsourcing is concerned, is that the regulated firm’s management body remains responsible at all times for its activities and performance of responsibilities, outsourcing must not lead to an institution becoming an ‘empty shell’.

In the context of the current COVID-19 crisis, regulated firms and to some extent, outsourcing service providers (OSPs) also who will need to prepare for ad hoc requests and support by their regulated customers, should consider the following issues with respect to their outsourcing arrangements:

Outsourcing Register: Firms should consult their register of outsourcing arrangements and conduct a risk analysis of any heightened exposures the regulated firm might anticipate, in particular relating to continuity of payment services.
Risk Analysis: Identify all ‘critical functions’ that are subject to outsourcing and prioritise accordingly. Assess whether there are any ‘sub’ or ‘chain’ outsourcing arrangements involved and whether there any geographical risks arising for example where the outsourced activity may involve interaction with different jurisdictions.
Business Continuity: Review its business continuity policy and take appropriate measures to prepare for service outages, data back up etc. Where the outsourced function is continuing to be delivered, firms should consider, and OSPs should be prepared for, ramping up business continuity testing as a precaution.
Cooperation: Engage and consult with OSPs in respect of their business continuity plan and agree any measures that may require to be put in place to maintain service. Firms should seek to identify the extent to which individual OSPs might have any concentration risk exposure.
Recovery/Resolution: Update risk assessments and if necessary, implement additional recovery planning or resolution planning measures.
Audit: Review inspection and audit processes and prepare for internal and possibly external audit/inspection in particular by the Central Bank of Ireland as regulator at both the firm level and the OSP. Contractual provisions around audit and the regulator’s access to information and premises should be considered.
Exit Measures: Is there need to take measures to terminate or reintegrate the outsourced function? What are the contractual provisions governing such actions in terms of termination, force majeure etc. having regard to required service levels and risk analysis conducted. Does a risk to delivery/compliance with regulatory obligations arise? Is there necessity to make additional fall back preparations or for transfer of the outsourced functions to a new OSP?

The current COVID-19 pandemic and the resultant disruption of the restrictive measures adopted across jurisdictions will test the strength and preparedness of regulated firms and OSPs to respond to crises on a systemic scale and of the nature that will likely not have been anticipated at the time relevant outsourcing arrangements were entered into.

In the short-term regulators will seek to be supportive of firms as they work through the immediate crisis. However, depending on how individual firms or OSPs react, manage and deal with this crisis there may be wider consequences in the longer term.

If you have any concerns or questions about your outsourcing arrangements please get in touch with the Philip Lee team.

Back To News

Author

Simon O’Neill

PARTNER

Cookie	Type	Duration	Description
Necessary
cookielawinfo-checkbox-non-necessary	session	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	session	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
cookielawinfo-checkbox-necessary	session	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
Analytics
_gat_gtag_UA_180138433_1	third-party	1 minute	Google uses this cookie to distinguish users.
GPS	session	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
_gid	session	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_ga	persistent	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
Preferences
_gat_UA-25168621-1	session	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
Advertisement
VISITOR_INFO1_LIVE	third-party	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
IDE	persistent	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
Performance
YSC	third-party		This cookies is set by Youtube and is used to track the views of embedded videos.

Contact The Team

Subscribe

COVID-19: Impact on outsourcing arrangements

Author

Simon O’Neill