Cross-Industry Guidance on Outsourcing is Published by Central Bank

PUBLISHED: 21st January 2022

Photo to illustrate article https://www.lkshields.ie/images/uploads/news/Web_-_Central_Bank_Guidance.png.

In recognition of the increased prevalence of outsourcing in the financial services sector, the Central Bank of Ireland has published Cross-Industry Guidance on Outsourcing. It is the result of a significant amount of work that the Central Bank has undertaken in the area in recent years. It is acknowledged that outsourcing is part of the response to ongoing change in the sector and provides many benefits to regulated firms, but the Central Bank is clear that it also presents risks, which must be managed.

The objective of the Guidance is to assist regulated firms to manage those risks.

Guidance Applies to Regulated Financial Services Providers (RFSPs)

The Cross-Industry Guidance on Outsourcing was issued by the Central Bank in December 2021, following on from consultation CP138. The Central Bank also published a Feedback Statement which summarises the CP138 feedback, provides commentary on industry views and explains changes made to the Guidance.

The Guidance applies to all Irish regulated financial services providers (RFSPs) in relation to the management of outsourcing activities and has immediate effect.  Boards and senior management of RFSPs should review the Guidance to identify and address any gaps in their internal outsourcing policies and procedures.

The Central Bank has stated that it “will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model”.

The Guidance

Some of the essentials from the Guidance are outlined below.

Central Bank’s Expectations

The Guidance sets out the Central Bank’s expectations on:

1.     Governance and management of outsourcing risk.

2.     Outsourcing frameworks to manage associated risks.

3.     Responsibilities of directors and senior management when outsourcing.

RFSPs should view the Guidance as a guide to good practice with regard to outsourcing. In particular, the Central Bank notes that RFSPs should:

1.     Determine the criticality or importance to the RFSP of the function, service or activity to be outsourced. This should determine the risk management measures that should be adopted to ensure resilience and continuity of operations.

2.     Apply the same level of oversight and rigour when conducting an intra-group outsourcing risk assessment as would be applied for any other externally outsourced service provider.

3.     Treat delegation and outsourcing as the same concepts:  any delegation arrangements be subject to the same oversight and monitoring as other outsourcing arrangements; and be able to demonstrate that any risks associated with  delegation have been considered by the board of the RFSP.

4.     Take appropriate measures to ensure that outsourcing frameworks align with the Guidance and that boards and senior management are fully accountable and responsible for setting the RFSP’s outsourcing strategies and policies.

5.     Document an outsourcing strategy that aligns with the RFSP’s overall business model and risk appetite.

6.     Implement an outsourcing policy that details the methodology for the identification, assessment, mitigation and assessment of outsourcing risks; the procedures for approving new outsourcing arrangements; and the structures for operational oversight and control.

7.     Review the outsourcing policy at least on an annual basis or when a material change has occurred to the RFSP’s business model.

8.     Cover outsourcing risks in the overall risk management framework and risk register, conduct risk assessments prior to entering into an outsourcing arrangement, and adopt procedures for overseeing, monitoring, and assessing the outsourced service provider.

9.     Conduct detailed initial due diligence on prospective outsourced service providers; review outsourced service providers of critical services annually; in addition to annually reviewing key contractual arrangements.

10.  Document arrangements with outsourced service providers using formal contracts or written agreements covering specific provisions as set out in the Guidance.

11.  Train employees to manage, review, and test outsourced functions.

12.  Ensure the outsourced service providers have adequate business continuity management and disaster recovery measures.

13.  Notify the Central Bank of planned critical or important outsourcing arrangements and of material changes to existing critical or important outsourcing arrangements.

14.  Develop and maintain an outsourcing register to include prescribed information for all existing and future outsourcing arrangements.

Central Bank Submissions and Notifications

The submission of data contained in a RFSP’s register will be submitted to the Central Bank through a periodic regulatory return. The frequency and timing of the returns will be relayed to sectors by way of a supervisory communication.

Templates for the notification of planned critical or important outsourcing arrangements, or material changes to existing arrangements, will be published by the Central Bank on its website in Q1 2022.  Templates for banks will be published through the Single Supervisory Mechanism.

The Central Bank will require all RFSPs with a PRISM impact rating of medium-low or above (or its equivalent) to submit their outsourcing register annually using a new online return.  The first submission is planned for Q2 2022 and RFSPs will be given prior notice of the submission date.

Next Steps

The Central Bank expects boards and senior management of RFSPs to review the Guidance and enhance their outsourcing risk management frameworks to effectively identify, monitor and manage their outsourcing risks.

If you have any questions concerning the Guidance, please contact David Naughton at dnaughton@lkshields.ie or Eric Brouwer at ebrouwer@lkshields.ie member from our Financial Services team.

By using this website you allow us to place cookies on your computer. Our cookies do not personally identify you.