CP138: Central Bank of Ireland Consults on Cross-Industry Outsourcing Guidance

On 25 February 2021, the Central Bank of Ireland ("Central Bank") published a consultation paper and draft cross sectorial guidance on outsourcing ("CP138"). The deadline for responses to CP138 is 26 July 2021.

CP138 highlights the continued focus of the Central Bank in the area of outsourcing and follows the publication of the discussion paper "Outsourcing – Findings and Issues for Discussion" in November 2018.

The Central Bank has emphasised the importance of operational resilience when outsourcing key functions particularly in light of the recent COVID-19 pandemic.

Purpose and Scope

If adopted as currently drafted, the Cross-Industry Guidance on Outsourcing (the "Guidelines") will apply to all regulated firms. This will represent a change for many firms which are not currently subject to any formal outsourcing requirements (though supervisory expectations have been communicated by the Central Bank both publicly and privately through engagement with firms, including under risk mitigation programmes and supervisory engagement).

The Guidelines will apply in addition to any existing legal and regulatory requirements which apply to specific categories of firms, for example, under the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017; MiFID II; PSD2; EMD2; the European Banking Authority's Guidelines on Outsourcing Arrangements and guidance issued by other European Supervisory Authorities (the European Insurance and Occupational Pensions Authority or the European Securities and Markets Authority) or by the Central Bank.

The Guidelines represent a guide to good practice for outsourcing and set out the Central Bank's expectations concerning governance and management of outsourcing risk.

Firms should consider the nature, scale and complexity of their outsourcing operations when applying the Guidelines and apply a risk based approach to managing outsourcing risk.

Managing Outsourcing Risk

The Central Bank acknowledges the significant benefits that outsourcing can bring to regulated firms but is also of the view that outsourcing can pose significant risks to firms if not managed effectively. Outsourcing risks include: sub-outsourcing risk, data security risk, concentration risk, offshore risk and intra-group risk.

The Guidelines state that firms should consider the following key factors when developing frameworks to manage outsourcing risk:

• Assessment of Criticality or Importance of the Outsourced Activity: Firms should have a defined methodology for determining the criticality or importance of a service being outsourced, which should be documented in the firm's outsourcing policy.

• Intragroup Arrangements: Firms should apply the same level of oversight to intragroup outsourcing arrangements as they would for any other external outsourced service provider ("OSP"). Firms should ensure that group policies are sufficient to satisfy Irish legal and regulatory obligations, including the Guidelines.

• Outsourcing and Delegation are not Considered to be Different Concepts: Firms should be able to demonstrate to the Central Bank that any delegation arrangements are subject to the same oversight and monitoring as other outsourcing arrangements and that any associated risks have been considered by the board of directors (the "Board").

• Outsourcing Strategy and Policy: Firms should formulate a documented outsourcing strategy which aligns with their overall business model and risk appetite. Firms should have a firm-wide outsourcing policy in place which details, inter alia: the methodology for the identification, assessment, mitigation and assessment of outsourcing risks; the procedures for approving new outsourcing arrangements and the structures for operational oversight and control. The outsourcing policy should be reviewed and approved by the Board at least annually or where there has been a material change to the firm's business model.

• Role of the Board: The Central Bank expects Boards to take appropriate action to ensure that the firm's outsourcing frameworks are in line with the expectations in the Guidelines.

• Oversight and Control: Firms should ensure that outsourcing risk is adequately covered in its overall risk management framework and risk register. Firms are expected to conduct tailored risk assessments in advance of entering into an outsourcing arrangement which should be reviewed and refreshed annually to ensure there have been no changes to the operations of the OSP(s) that would have a material impact on the risk profile of the firm. Firms are expected to have procedures in place for overseeing, monitoring and assessing the appropriateness and performance of OSPs.

• Due Diligence: The Central Bank expects firms to conduct detailed initial due diligence on prospective OSPs. Periodic due diligence reviews should also be undertaken, with key OSPs of critical services being reviewed on an annual basis. There is also an expectation that a review will be undertaken prior to the end of key contract arrangement (i.e. as a necessary step before a rollover).

• SLAs: Service level agreements ("SLAs") with OSPs providing critical or important functions should include precise quantitative (measurable) and qualitative performance targets (using key performance indicators).

• Business Continuity Planning: When entering into outsourcing arrangements, firms should ensure that OSPs have adequate business continuity and disaster recovery measures in place. The Central Bank expects firms to have contractual arrangements in place to ensure OSPs regularly test their own business continuity plans (at least annually) and ensure that the firm can undertake such testing, where required. Firms should conduct its own testing of its outsourcing arrangements and report findings to the Board and the relevant OSP. Firms should have exit strategies in place which are viable, appropriately planned, documented and regularly tested.

• Notification and Reporting Requirements: Firms are required to notify the Central Bank within a reasonable time period of any intended critical or important outsourcing arrangements and/or any material changes to an existing critical or importance arrangement. Some firms are already subject to notification and reporting requirements under existing requirements.

Ongoing Reporting Obligations – Outsourcing Register

The Guidelines introduce a new requirement for certain firms to develop and maintain an outsourcing register. The Guidelines set out a list of information to be included in the register for all existing and future outsourcing arrangements. Certain firms will be required to submit their outsourcing register to the Central Bank through an online regulatory return. The frequency of this filing will be dependent on the nature, scale and complexity of the firm's business model and the degree of its reliance on outsourcing arrangements. The frequency and timing of these returns will be specified by way of an industry letter to the relevant sectors.

Further Information

Further information on our Financial Services Regulatory Group, and the services we provide, is available on our website and in our brochure.

If you would like further information, please liaise with your usual Maples Group contact or one of the members of our Irish Financial Services Regulatory Group.