The Central Bank of Ireland (CBI) recently opened a consultation on cross-industry guidance on outsourcing. At the same time the CBI published new draft cross-industry outsourcing guidance which will come into effect later this year. The guidance will apply to all regulated firms in Ireland.
The CBI sees the management of outsourcing risk as key from both a Prudential and a Conduct perspective. When a firm outsources, it creates a dependency on a third party, or a chain of third parties, with the potential to influence the operational resilience of the firm, as well as on the quality and service of products delivered to consumers and the operation of the Irish financial services market.
The new guidance sets out the CBI’s expectations in relation to the governance and management of outsourcing risk. This includes the use of intra-group entities in addition to the appointment of third party service providers. The guidance is also intended to remind boards and senior management of regulated firms of their responsibilities and promote standards and practices that underpin robust outsourcing frameworks.
The guidance will complement, rather than replace, existing sectoral laws, regulations and guidelines on outsourcing, such as the Guidelines on Outsourcing Arrangements published by the European Banking Association in February 2019. This is just one of a growing list of sectoral legislation, regulations and guidance on outsourcing issued by various European regulatory agencies, as detailed in Appendix 1 of the guidance.
A key area of focus for the CBI is the outsourcing of “critical or important” functions, particularly in relation to information and communications technology. Special attention is given to the management of risks associated with cloud outsourcing including the potential for high levels of concentration risk (i.e. outsourcing to a small number of hyperscale cloud providers). This includes outsourcing to smaller service providers who subcontract hosting and similar services to the likes of AWS, Google and Microsoft.
Naturally, the guidance also focusses on the data security risks inherent in the use of third parties to store and manage business sensitive and customer confidential data, as well as the increased complexity of carrying out effective oversight and supervision where a service provider makes extensive use of subcontractors (i.e. chain outsourcing), or where services are offshored, particularly outside the EU/EEA.
The guidance calls for proportionate application: a regulated firm may apply the guidance differently depending on the nature, scale and complexity of its business, and the extent to which it engages in outsourcing of “critical or important” functions.
As well as providing useful explanations of the CBI’s position and thinking on various topics (e.g. the CBI sees no distinction between outsourcing and delegation), the guidance covers the following areas:
- Risk Assessment and Management;
- Due Diligence;
- Contractual Arrangements & SLAs;
- Ongoing Monitoring;
- Management of Disaster Recovery/Business Continuity; and
- Reporting to the CBI.
Irish regulated firms which have outsourced, or are contemplating outsourcing, should start planning for the implementation of the guidance now. Some practical measures to take include:
- Adopt (and review annually) a comprehensive outsourcing strategy;
- Refresh supporting policies and procedures, including data management;
- Update existing outsourcing risk management frameworks;
- Review and document critical and important outsourced functions;
- Carry out initial and ongoing due diligence on all relevant outsourcing service providers including reviewing contractual terms and conditions, and service level agreements;
- Review and test disaster recovery, business continuity and exit plans, etc.;
- Step up monitoring and oversight of subcontractors (i.e. chain outsourcing), offshoring, and sensitive data/data security risks; and
- Implement governance structures and review mechanisms so that the Board and senior management team have a comprehensive, end-to-end view of the firm’s outsourcing strategy and arrangements.
The consultation period closes on 26 July 2021 and the guidelines are expected to come into force later in the year. The CBI is planning to introduce a requirement that the firms it regulates maintain and submit outsourcing registers to it on an ongoing basis.
If you have any questions about the CBI’s consultation and draft outsourcing guidance, or if you are contemplating an outsourcing transaction, please contact Tim Wright or your usual Fladgate contact.