On 25 February 2021, the Central Bank of Ireland ("Central Bank") published a consultation paper on Cross-Industry Guidance on Outsourcing. The publication of the consultation paper follows on from the publication of the Central Bank's Discussion Paper "Outsourcing – Findings and Issues for Discussion" in November 2018. In line with the objectives set out in the Central Bank's Strategic Plan 2019-2021, the Central Bank views management of outsourcing risk as key from both a prudential and conduct perspective. The draft guidance is proposed to apply to all "financial service providers regulated by the Central Bank", which will include funds and their service providers ("FSPs"). The Central Bank is proposing the introduction of the guidance to assist boards and senior management with the development of their outsourcing risk management frameworks to effectively identify, monitor and manage their outsourcing risks. The guidance will supplement existing sectoral legislation, regulations and guidelines.

Impact on Funds and their Service Providers

"Outsourcing" is defined in the draft guidance as "an arrangement of any form between a regulated firm and an outsourced service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the regulated firm itself, even if the regulated firm has not performed that function itself in the past." This definition is aligned with the definition set out in the Guidelines on outsourcing arrangements published by the European Banking Authority ("EBA") in February 2019 (the "EBA Guidelines"). The Central Bank has clarified that, in its view, delegation and outsourcing are not considered to be different concepts. The draft guidance will therefore apply to the delegation of regulated activities as well as the outsourcing of unregulated activities and will sit alongside the requirements applicable to delegation of functions provided for under the AIFMD and UCITS frameworks. Board of directors of funds established as ICAVs or investment companies and fund management companies, together with their service providers, will have to assess the implications of the draft guidance on their outsourcing arrangements. The extent of the impact on FSPs will depend on the type of authorisation they currently hold.

Service Provider

Impact

Depositaries authorised under the Investment Intermediaries Act 1995

The draft guidance constitutes a new regulatory framework for outsourcing as currently there is no Irish legislative or regulatory framework beyond the requirements applicable to the delegation of depositary functions set out in the AIFMD and the UCITS Directive.

Irish branches of EU credit institutions

EU credit institutions are currently subject to the EBA Guidelines. The Central Bank's consultation paper indicates that the draft guidance is aligned with the requirements set out in the EBA Guidelines and the ESMA Guidelines on Outsourcing to Cloud Service Providers.

Administration firms authorised under the Investment Intermediaries Act 1995

The current requirements on outsourcing applicable to these administrators are set out in the Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017. In light of the broader definition of "outsourcing" contained in the draft guidance, there may be significant implications for these firms (see further below).

The consultation includes proposed guidance on the following:

  • Assessment of Criticality or Importance – the proposed guidance is predominantly to be applied in respect of the outsourcing of services that have been identified by the FSP as being "critical or important to the firm's business". The Central Bank expects FSPs to have a defined and documented methodology for determining whether a service or function is critical or important, which should be approved by the board.
  • Outsourcing Strategy and Outsourcing Policy – FSPs will be expected to have a documented outsourcing strategy (supported through appropriate policies, procedures and controls) in place which is aligned to their business strategy, business model, risk appetite and risk management framework.
  • Intragroup Arrangements – the guidance will apply equally to both intragroup outsourcing arrangements and arrangements with third party outsourcing service providers ("OSPs").
  • Outsourcing Risk Management Frameworks – the guidance requires comprehensive outsourcing risk assessments to be conducted and firms to apply robustly a strong outsourcing risk management framework to ensure the effective monitoring, management and mitigation of outsourcing risk.
  • Data Security – Availability and Integrity – firms are required to ensure the secure transmission and storage of data and to put backup arrangements in place that include ring-fencing offline and protection against corruption.
  • Contractual Arrangements and Service Level Agreements (SLAs) – the guidance sets out key contractual provisions that should be incorporated into written outsourcing agreements, which includes provisions around access, audit and information rights.
  • Disaster Recovery and Business Continuity Management – appropriate strategies to exit outsourcing arrangements must be put in place.
  • Provision of Outsourcing Information to the Central Bank – regulated firms will be required to set up and maintain a register of all outsourcing arrangements. The Central Bank also proposes to establish an online regulatory return for submission by the regulated firms. It proposes to implement this requirement on a cyclical basis commencing January 2022.

Next Steps

The Central Bank proposes to publish the final guidance later this year following the conclusion of the consultation period and consideration of submissions from respondents. The consultation period will run from 25 February 2021 to 26 July 2021.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.