COVID-19: Impact on outsourcing arrangements

Tuesday, May 5, 2020

Outsourcing by financial institutions has become commonplace; the current COVID-19 crisis has demonstrated the significance of having comprehensive business continuity processes in place. Social distancing restrictions have affected the business and operations of regulated firms as well as the rest of the economy. Some banks have had to close branches, staffing has been under pressure in other firms due to remote working being implemented.

For regulated financial services providers however, business continuity forms the bedrock of any outsourcing arrangement and those processes will certainly have been tested recently.

The CRD (Capital Requirements Directive 2013/36/EU) gives the European Banking Authority power under Article 74(3) to issue guidelines on governance arrangements for regulated firms and in terms of outsourcing this takes the form of its February 2019 ‘Guidance on Outsourcing Arrangements’. Both the MiFID directive (2014/65/EU) and Payment Services directive (2015/2366/EU) impose outsourcing requirements also for firms operating in those sectors.

The overriding principle where outsourcing is concerned, is that the regulated firm’s management body remains responsible at all times for its activities and performance of responsibilities, outsourcing must not lead to an institution becoming an ‘empty shell’.

In the context of the current COVID-19 crisis, regulated firms and to some extent, outsourcing service providers (OSPs) also who will need to prepare for ad hoc requests and support by their regulated customers, should consider the following issues with respect to their outsourcing arrangements:

1. Outsourcing Register: Firms should consult their register of outsourcing arrangements and conduct a risk analysis of any heightened exposures the regulated firm might anticipate, in particular relating to continuity of payment services.
2. Risk Analysis: Identify all ‘critical functions’ that are subject to outsourcing and prioritise accordingly. Assess whether there are any ‘sub’ or ‘chain’ outsourcing arrangements involved and whether there any geographical risks arising for example where the outsourced activity may involve interaction with different jurisdictions.
3. Business Continuity: Review its business continuity policy and take appropriate measures to prepare for service outages, data back up etc. Where the outsourced function is continuing to be delivered, firms should consider, and OSPs should be prepared for, ramping up business continuity testing as a precaution.
4. Cooperation: Engage and consult with OSPs in respect of their business continuity plan and agree any measures that may require to be put in place to maintain service. Firms should seek to identify the extent to which individual OSPs might have any concentration risk exposure.
5. Recovery/Resolution: Update risk assessments and if necessary, implement additional recovery planning or resolution planning measures.
6. Audit: Review inspection and audit processes and prepare for internal and possibly external audit/inspection in particular by the Central Bank of Ireland as regulator at both the firm level and the OSP. Contractual provisions around audit and the regulator’s access to information and premises should be considered.
7. Exit Measures: Is there need to take measures to terminate or reintegrate the outsourced function? What are the contractual provisions governing such actions in terms of termination, force majeure etc. having regard to required service levels and risk analysis conducted. Does a risk to delivery/compliance with regulatory obligations arise? Is there necessity to make additional fall back preparations or for transfer of the outsourced functions to a new OSP?

The current COVID-19 pandemic and the resultant disruption of the restrictive measures adopted across jurisdictions will test the strength and preparedness of regulated firms and OSPs to respond to crises on a systemic scale and of the nature that will likely not have been anticipated at the time relevant outsourcing arrangements were entered into.

In the short-term regulators will seek to be supportive of firms as they work through the immediate crisis. However, depending on how individual firms or OSPs react, manage and deal with this crisis there may be wider consequences in the longer term.

If you have any concerns or questions about your outsourcing arrangements please get in touch with the Philip Lee team.