On 19 November, the Central Bank published a two-part paper, entitled “ Outsourcing – Findings and Issues for Discussion” arising out of a recent cross-sectoral study of outsourcing activities in the Irish financial services sector. Part A of the paper focuses on the minimum supervisory expectations of the Central Bank in relation to the management of outsourcing risks, while Part B highlights some of the key risks and emerging trends associated with outsourcing.
Among some of the vulnerabilities and issues identified by the Central Bank’s findings were:
- Weaknesses in board control and awareness of how outsourced activities are being carried out;
- Failure to assign clear lines of responsibility in-house to personnel or committees responsible for overseeing outsourced arrangements and to carry out regular on-site assurance testing using clearly defined performance metrics;
- Weaknesses in, or absence of, an outsourcing policy that adheres to relevant regulations and guidelines;
- Failure to have appropriate outsourcing agreements and other contractual arrangements in place that document measures for escalating and resolving service standard issues as they arise;
- Failure to devise, document and test effective ‘exit strategies’ and to retain appropriately skilled staff in-house in the event that outsourced activities need to be repatriated; and
- Not including outsourced service providers within the firm’s business continuity testing.
Emerging trends in outsourcing include: the expansion of its scale and scope in the financial services industry, there are significant increases in outsourcing of risk management and internal control functions. A large portion of sensitive customer and business data is being transferred to outsourced providers and increasingly IT services are outsourced involving fintech and regtech service providers. Offshoring of services is also increasing.
The Central Bank has invited feedback from stakeholders on its paper and it intends to hold an outsourcing industry conference in Q1 2019 to discuss the feedback received and appropriate regulatory responses to the issues identified.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.