Earlier this week, the Central Bank published its paper, Outsourcing - Findings and Issues for Discussion (the "Paper").
The Paper is divided into two parts. The first part details the findings of the cross-sectoral review that the Central Bank has conducted on outsourcing arrangements. The second part requires regulated firms to consider a number of key risks and evolving trends relating to outsourcing and asks industry for feedback on specific questions relating to these risks.
2. What is outsourcing?
The Central Bank describes outsourcing as "a written agreement of any kind between a regulated financial service provider and a service provider (whether regulated or unregulated) whereby the service provider performs an activity which would otherwise be performed by the regulated firm itself." Therefore activities which are not regulated by the Central Bank also fall within the scope of outsourcing. Furthermore, in the Paper the Central Bank draws no distinction between outsourcing to intragroup entities and outsourcing to third party service providers.
It is worth noting at the outset that the Central Bank has explained that the term "outsourcing" is used in place of other terms which may be used in specific sectors such as "delegation". Therefore those sectors which currently impose rules relating to delegation instead of outsourcing will also fall within the scope of the Paper.
3. Next steps for regulated firms
Review of existing outsourcing risk management framework
In light of the "disappointing" findings from its review, the Central Bank has made clear that it expects all regulated firms to analyse the Paper and "take appropriate steps to address issues relevant to their outsourcing practices". It has also stated that Central Bank supervisors "will seek evidence of updates to risk management frameworks to ensure that the paper was considered and an examination of outsourcing was conducted".
What follows is a brief overview of some of the key areas which regulated firms should focus on when conducting a review of the arrangements in place with outsourced service providers ("OSP"). These can be categorised under the headings of governance, risk management and business continuity.
- Board Awareness: Are the Board and senior management fully aware of the scale of existing and proposed outsourcing arrangements and associated risks?
- Outsourcing Policy: Does the firm have a documented and comprehensive outsourcing policy in place which complies with relevant legislation and guidance?
- Oversight Structure: Is there an appropriate oversight structure relating to outsourcing in place, with clearly established lines of responsibility?
- Contractual Arrangements with OSPs: Have contractual arrangements, supported by service level agreements ("SLA") against which performance can be measured, been put in place with all OSP and are there appropriate governance arrangements in place around the development, signoff and maintenance of such SLA?
- Risk Assessments: Does the firm conduct appropriate initial outsourcing risk assessments and review and update such risk assessments on a periodic basis to ensure its risk management framework appropriately captures outsourcing risks?
- Due Diligence: Does the firm carry out appropriate due diligence in respect of both third-party and intra-group OSP?
- Categorisation of Activities: Where relevant, have the outsourced activities been categorised as critical or important in order to ensure that these activities are appropriately overseen, monitored and reported on? Has the regulated firm reviewed all arrangements to determine whether or not they constitute an outsourcing arrangement?
- Skills and Knowledge of Staff: Does the staff of the regulated firm have appropriate skills and knowledge to effectively monitor and manage outsourced activities appropriately and to either substitute the OSP or bring the outsourced function in-house in an orderly manner?
- Monitoring of Performance of OSP: Is the performance of the OSP monitored so that issues can be identified, escalated and resolved as necessary?
- BCM Arrangements of Regulated Firm: Do the business continuity management ("BCM") arrangements of the regulated firm appropriately address the fact that certain services have been outsourced?
- BCM Testing: When testing its own BCM arrangements, does the firm include OSP in the testing of any activities or processes that involve or rely on the relevant OSP?
- Testing of OSP BCM arrangements: Does the firm test and review the BCM arrangements of the OSP on a periodic basis?
- Exit Strategies: Do the outsourcing contracts incorporate an exit strategy which allows for a "timely and orderly transfer of activities with minimum service disruption"?
Once a regulated firm has conducted a review of its outsourcing arrangements, it should ensure that it can demonstrate to the Central Bank that appropriate action has been taken to address any deficiencies it has identified in its outsourcing risk management framework.
Consideration of key risks and evolving trends
In the second part of the Paper, the Central Bank asks regulated firms to consider and action a range of issues dealing with (i) sensitive data risk, (ii) concentration risk, (iii) offshoring risk, (iv) chain outsourcing and (v) substitutability. The review of the operational risk management framework should therefore incorporate a consideration of each of these issues.
Separately, the Central Bank has asked industry to provide feedback on a number of questions it has included on each of these topics by 18 January 2019, explaining that this feedback will inform the Central Bank's engagement in domestic, EU and international fora on outsourcing and its ongoing consideration of its policy position relating to outsourcing. It also intends to hold an industry event in 2019 at which these issues will be discussed further.
Regulated firms should now take the time to review their outsourcing arrangements to determine whether they meet or fall short of the Central Bank's expectations in the areas of governance, risk management and business continuity management and where necessary, ensure that appropriate action is taken to address any identified deficiencies.
This review should also consider and action the specific issues raised by the Central Bank in Part B of the Paper relating to sensitive data risk, concentration risk, offshoring risk, chain outsourcing and substitutability risk.