Outsourcing remains very high on the Central Bank's supervisory agenda, with the recent launch of a consultation on draft cross-industry guidance for all regulated firms (the CBI Guidance). Following on from our recent overview of the CBI Guidance and our detailed briefings on key aspects of the CBI Guidance relating to Governance and Monitoring and Risk Assessments and Due Diligence, this briefing focuses on key aspects of the CBI Guidance relating to contractual requirements.
Focus on outsourcing
In February 2021, the Central Bank (CBI) published CP138 - Consultation on Cross-Industry Guidance on Outsourcing (CP138) together with its draft CBI Guidance.
Outsourcing is a key focus of the CBI's supervisory agenda and, as drafted, the CBI Guidance is applicable to all regulated firms that outsource services and/or functions (see our recent overview: Outsourcing: Central Bank consults on draft cross-industry guidance for regulated firms for further information).
One of the key issues that the CBI Guidance focuses on is the contractual arrangements between regulated firms and outsourced service providers (OSPs). In this briefing we explore this key issue in more detail.
Part B, Section 7 of the CBI Guidance outlines the CBI's expectation that arrangements between regulated firms and OSPs should be governed by formal contracts or written agreements (preferably legally binding) which are supported by service level agreements (SLAs). In practice, an SLA is usually included by way of a schedule to the written agreement between the regulated firm and the OSP.
Section 7 also sets out the key provisions that should be included in those written agreements where they govern the provision of critical or important functions. These key provisions generally align with the contractual provisions prescribed by the EBA Guidelines on Outsourcing and are particularly focussed on ensuring that written agreements governing the provision of critical or important functions are resolution-resilient.
Section 7 also outlines the CBI's expectations in relation to the review of outsourcing agreements by regulated firms.
General Contractual Requirements for Critical or Important Outsourcings
The key provisions that the CBI expects in the written agreement governing the provision of critical or important outsourced function(s) include the following:
- services: a clear description of the services to be provided;
- term; notice: the start and end date of the agreement and the notice periods applicable to each party (e.g. termination notice periods);
- payments: the financial obligations of the parties (e.g. details of the charges payable by the regulated firm);
- sub-outsourcing: confirmation as to whether the OSP is permitted to sub-outsource any of the services and if so, details of the conditions attaching to sub-outsourcing by the OSP;
- location: the location where critical or important function(s) will be provided and/or where relevant data will be kept and processed by the OSP;
- data security: requirements regarding the accessibility, availability, integrity, confidentiality, privacy and safety of data that is processed by the OSP (including minimum cybersecurity requirements and requirements relating to data security management and network security);
- penetration testing: confirmation that, where relevant, the regulated firm is able to carry out security penetration testing to assess the effectiveness of the OSP's ICT security measures and processes;
- service levels: service levels which are able to act as precise and quantifiable performance targets for the OSP to meet, and which allow for timely monitoring of the OSP's performance;
- reporting: an obligation on the OSP to report against service levels in a timely manner;
- material developments: an obligation on the OSP to communicate to the regulated firm any development that may have a material impact on the OSP's ability to effectively carry out the critical or important function(s) in line with the agreed service levels and in compliance with applicable laws and regulatory requirements;
- business contingency plans: requirements to implement and test (e.g. annually) business contingency plans. In practice, the regulated firm may also wish to require the OSP to disclose the results of such testing and require the OSP to take reasonable steps to remedy issues identified as part of the testing;
- termination and exit: termination rights and exit strategies covering both stressed and non-stressed scenarios (see also 'Termination and Exit' below);
- insolvency/resolution: provisions that ensure that data owned by the regulated firm can be accessed in the case of insolvency or resolution of the OSP;
- cooperation: an obligation on the OSP to cooperate with the CBI and any resolution authority of the regulated firm;
- insurance: confirmation as to whether the OSP is required to take out any insurance policies against certain risks and if so, the level of insurance cover requested; and
- inspection and audit: the unrestricted right of the regulated firm and the CBI to inspect and audit the OSP in relation to the critical or important outsourced function(s) (see also 'Rights of Access and Audit' below).
Rights of Access and Audit
In respect of all outsourcing arrangements, regardless of whether the arrangement relates to a critical or important function, the CBI expects the written agreement to recognise and facilitate the information gathering and investigatory powers of competent authorities and resolution authorities.
In respect of critical or important outsourced functions, the CBI expects the written agreement to give the regulated firm and its competent authorities full access to all business premises relevant to the provision of the critical or important function(s) (e.g. the OSP's head office) and to the full range of devices, systems, networks, information and data used to provide such function(s).
Termination and Exit
The CBI expects the written agreement governing the outsourcing of a critical or important function to include certain termination rights for the regulated firm, including a right for the regulated firm to terminate where:
- the OSP is in breach of applicable laws or contractual provisions;
- impediments capable of altering the performance of the outsourced function are identified; or
- the CBI instructs the regulated firm to terminate the agreement.
The agreement should also provide for an appropriate exit strategy to facilitate the smooth transfer of the critical or important function(s) away from the existing OSP. In particular, the agreement should outline the assistance that the OSP will continue to provide to the regulated firm post-termination so as to facilitate the smooth transition from the OSP and the duration for which the OSP will provide such assistance.
In practice, details of such assistance should be recorded in an exit plan and the regulated firm may wish to require the OSP to maintain an exit plan and periodically review and update that plan.
Other Contractual Provisions
The CBI states that as a matter of good practice for written agreements relating to critical or important functions, regulated firms should consider including provisions relating to:
- dispute resolution
- indemnity protection
- limits on liability
- variations to the agreement
It is also noteworthy that while the contractual requirements stipulated in the CBI Guidance are primarily aimed at written agreements governing the provision of critical or important functions, the CBI nonetheless expects agreements governing the provision of non-critical or important functions to include appropriate contractual safeguards to manage the risks relevant to such agreements.
In practice, this means that a regulated firm may reasonably conclude that certain agreements governing the provision of non-critical or important functions should include some of the contractual provisions stipulated in the CBI Guidance (e.g. service levels, reporting requirements, requirements relating to business continuity and exit, etc.).
Outsourcing to Intragroup Entities
The CBI acknowledges that outsourcing to intragroup entities can carry the same risks as outsourcing to third party OSPs. For this reason, the CBI expects intragroup arrangements to be implemented by way of written agreements supported by SLAs and expects regulated firms to apply the same rigour when conducting risk assessments, and putting in place written agreements, for an intragroup outsourcing as they would when assessing, and contracting for, an outsourcing to a third party OSP.
Review of Agreements
The CBI also expects agreements with OSPs to be reviewed periodically including for example, when there are changes to the regulated firm's business model or where there is regulatory change relevant to agreements with OSPs.
The CBI also recommends that reviews of agreements with OSPs take place in good time prior to the date of renewal or expiry of those agreements so as to help ensure smooth transition or continuity of service.
Detailed follow-up briefings
The final briefing in our series of detailed follow-up briefings on the CBI Guidance will focus on outsourcing registers and policies and will set out more practical steps that regulated firms can action in advance of the expected publication of the final CBI Guidelines later this year.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.