Outsourcing remains very high on the Central Bank's supervisory agenda, with the February 2021 launch of a consultation on draft cross-industry guidance for all regulated firms (the CBI Guidance). Following on from our recent overview of the CBI Guidance and our detailed briefings on key aspects of the CBI Guidance relating to Governance and Monitoring, Risk Assessments and Due Diligence, and Contractual Requirements, this briefing focuses on key aspects of the CBI Guidance relating to Registers and Outsourcing Policies.
Focus on Outsourcing
In February 2021, the Central Bank (CBI) published CP138 – Consultation on Cross-Industry Guidance on Outsourcing (CP138) together with its draft CBI Guidance.
Outsourcing is a key focus of the CBI's supervisory agenda and, as drafted, the CBI Guidance is applicable to all regulated firms that outsource services and/or functions (see our overview: Outsourcing: Central Bank consults on draft cross-industry guidance for regulated firms for further information).
One of the key issues that the CBI Guidance focuses on is the requirement to implement and maintain a comprehensive outsourcing policy alongside a detailed register of outsourcing arrangements. In this briefing, we explore this key issue in more detail.
Part B, Section 4.2 of the CBI Guidance outlines the CBI's expectation that each regulated firm must have a documented firm-wide outsourcing policy. This policy should align with the regulated firm's business strategy, business model, risk appetite and risk management framework. The outsourcing policy should also be reviewed and approved by the regulated firm's board at least annually.
Section 4.2 also lists key matters that should be addressed in the outsourcing policy. This list will be helpful to many regulated firms as it provides considerable detail on the content requirements of an outsourcing policy and is more specific to the outsourcing policy than the EBA Guidelines on Outsourcing. The key matters identified in Section 4.2 for inclusion in the outsourcing policy include:
- the regulated firm's risk appetite for outsourcing;
- the roles and responsibilities in the regulated firm in respect of the oversight and management of outsourcing risk, including responsibilities of the board;
- the criteria and methodology used for identifying outsourcing arrangements and for classifying them as critical or important;
- the approach to identifying, assessing, mitigating and managing outsourcing risks;
- the approach to ongoing management of outsourced service providers (OSPs), and to the initial and ongoing due diligence on those OSPs;
- the process for approval of new outsourcings and the requirement for written agreements (including service level agreements (SLAs)) with OSPs;
- the approach towards sub-outsourcing (i.e. whether it is permitted and if so, whether certain conditions must be met for the OSP to sub-outsource);
- the approach towards identifying and addressing potential conflicts of interest affecting the outsourcing arrangement (particularly in the case of intra-group arrangements);
- details of the outsourcing risk management framework and structures for operational oversight and controls (e.g. procedures for notification of changes to outsourcing arrangements and approach towards regular review of OSP performance);
- the approach towards business continuity arrangements, exit strategies for critical or important outsourcing arrangements (including the process for implementing the exit strategy), termination procedures and related contingency arrangements;
- the approach towards safeguarding and maintaining the integrity of the regulated firm's data and systems. In practice, this could cross-refer to other relevant policies (e.g. InfoSec policy);
- the documentation and record keeping requirements applicable to outsourcing arrangements; and
- any differences in approach in respect of different outsourcing arrangements (e.g. intra-group outsourcings versus external third party outsourcings).
Register of Outsourcing Arrangements
Part B, Section 10.2 outlines the CBI's expectation that each regulated firm establish and maintain an outsourcing register (the Register) and prescribes certain information that must be included on that Register as follows:
Overarching General Information
The CBI expects the Register to include the following overarching general information in respect of all outsourcing arrangements entered into by the regulated firm:
- the total number of outsourcing arrangements;
- the total number of critical or important outsourcings;
- the total number of cloud outsourcings;
- whether it acts as an OSP for another regulated firm;
- confirmation that it has an outsourcing risk management framework together with an outsourcing policy (and that the policy has been approved by its board);
- confirmation that its written outsourcing agreements are supported by SLAs.
In practice, a regulated firm could seek to capture this general information in an overview or introductory section at the outset of its Register.
Information in respect of all Outsourcing Arrangements
The following information must be included on the Register in respect of all outsourcing arrangements:
- a reference number for the outsourcing arrangement;
- the start date of the outsourcing agreement, the contract renewal or expiry date, and any notice periods;
- a brief description of the outsourced function, including the data processed by the OSP;
- an assigned category within which the outsourced function sits, which should reflect the nature of that function (e.g. information technology);
- corporate and regulatory information for the OSP;
- the country or region where the outsourced function is to be performed and where data is located;
- confirmation as to whether the outsourced function is a critical or important function and why, along with the date of the most recent assessment of criticality or importance of the function; and
- where outsourcing to the cloud, the cloud service and deployment models (i.e. public/private/hybrid/community).
Information Requirements for Material or Important Outsourcings
In addition to the information outlined above, the CBI also expects the Register to include the following information for outsourcings of critical or important functions:
- details of all entities within the regulated firm's group making use of the services;
- whether or not each (sub-)OSP is part of the regulated firm's group;
- the date of the most recent due diligence or risk assessment in respect of each (sub-)OSP and a brief summary of the main results;
- the decision-making body (or individual) in the regulated firm that approved the relevant outsourcing arrangement. In practice, this is likely to be the board of the regulated firm;
- the governing law of the written agreements;
- the dates of the most recent and next scheduled audits and reviews applicable to each OSP;
- the names and details of any sub-contractors to whom material parts of a critical or important function are sub-outsourced;
- the outcome of an assessment of each OSP's substitutability (including identification of alternative service providers), the possibility of re-integrating the relevant outsourced function into the regulated firm and the impact of discontinuing a critical or important outsourced function;
- confirmation as to whether the relevant outsourced critical or important function supports business operations that are time-critical;
- confirmation and most recent dates of testing of business continuity plans and exit strategies;
- the estimated annual budget cost for the outsourced critical or important function (i.e. total annual OSP fees and expenses); and
- details of terminated arrangements relating to a critical or important function. Such details should only be retained for an appropriately limited period in line with the regulated firm's record retention policy.
Structure and Submission of Outsourcing Register
In light of the additional information that must be recorded on the Register for outsourced critical or important functions, some regulated firms may find it helpful to maintain all of the necessary information for critical or important outsourcings in one section of their Register and maintain all of the necessary information for non-critical or important outsourcings in another section of their Register.
These two sections could also be supplemented by an overview at the outset of the Register which captures the overarching general information on outsourcings prescribed by the CBI (see 'Overarching General Information' above).
The CBI also plans to require regulated firms to submit their Registers to the CBI on a periodic basis. The exact frequency and timing of such submissions will be communicated by the CBI to different sectors by way of sector-specific letters.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.