Kevin Curtis, Head of AIFM Oversight - Ireland, examines the recently published guidelines on outsourcing by the Central Bank of Ireland under CP138 and outlines the steps managers can take to reduce exposure to risk.
The role of outsourcing throughout the broader financial services industry has gained significant traction in the past decade. Frequently used as a strategic tool, outsourcing has been adopted by businesses of all sizes across the financial spectrum to deliver on specific objectives.
Nowhere is this more true than in the funds services industry, where outsourced and delegated relationships are increasingly playing a critical role.
Considering the level of regulation that exists across the broader financial services landscape, it's perhaps unsurprising that outsourcing is becoming a key point of focus. The most recent development is the publication by the Central Bank of Ireland ("CBI") in February 2021 of Consultation Paper 138 ("CP138") to consult on the proposed Cross Industry Guidance on Outsourcing (the "Guidance"), together with the draft sectoral guidance issued thereafter and the final publication of the Guidance in December 2021.
The focus on outsourcing isn't new, however: it is an area in which the CBI has a continued history, having previously published a discussion paper on outsourcing (Discussion Paper 8: Outsourcing - Findings and Issues for Discussion) in 2018 and held a conference on the matter in 2019.
In recent years we have also seen several high-profile financial services firms reprimanded and fined by the Central Bank because of regulatory breaches relating to outsourcing, and for serious failings in the firms' outsourcing frameworks. CP138 and the Guidance are therefore a clear step up in intent and expectations from the CBI.
Indeed, the CBI's paper builds on existing directives from the European Banking Authority ("EBA"), European Insurance and Occupational Pensions Authority ("EIOPA") and the European Securities and Markets Authority ("ESMA"), with the aim of enhancing minimum requirements for outsourcing. The consultation period ended in July 2021 and the CBI issued its final guidelines in December 2021.
While the CBI acknowledges the benefits that outsourcing can bring, it's also of the opinion that it can come with significant risk if managed poorly. As such, it has published guidance that 'seeks to confirm that regulated firms have effective governance, risk management and business continuity processes in place in relation to outsourcing, to mitigate potential risks of financial instability and consumer detriment.'
The CP138 Cross-Industry Guidance on Outsourcing guidelines are set out under 10 headings as follows:
- Assessment of criticality or importance - the proposed guidance will be predominantly applied in respect of outsourcing of activities, services or functions that are deemed to be critical or important to a firm's business.
- Intragroup arrangements - the guidance applies equally to intragroup outsourcing arrangements as it does to arrangements with third-party outsourcing providers ("OSPs").
- Outsourcing and delegation - clarifies the CBI's view that outsourcing and delegation aren't different concepts.
- Governance - this section sets out the CBI's expectations around the appropriate and effective governance of outsourcing, including the details of the responsibilities of boards and senior management in this regard. It also highlights the expectation that regulated firms consider their strategy and risk appetite in relation to outsourcing and details the elements that should be incorporated in a regulated firm's outsourcing policy.
- Outsourcing risk assessment and management - highlights the importance of conducting and maintaining comprehensive outsourcing risk assessments and details the issues which should be considered when assessing and designing controls to manage and/or mitigate several key outsourcing risks.
- Due diligence - sets out the expectation that regulated firms undertake appropriate due diligence in respect of their OSPs prior to entering an outsourcing arrangement and at appropriate intervals during the life cycle of the arrangement.
- Contractual arrangements and service level agreements (SLAs) - sets out the key contractual provisions that should be incorporated into written outsourcing agreements, and highlights that such agreements should be supported by SLAs.
- Ongoing monitoring and challenge - highlights the importance of regular, comprehensive monitoring of the delivery of the service or function that has been outsourced.
- Disaster recovery and business continuity management - sets out expectations in the establishment and oversight of measures to ensure support for the continuity of outsourced functions. It also sets out the requirement to have in place appropriate strategies to exit outsourcing arrangements should the need arise.
- Provision of outsourcing information to the CBI - sets out the requirements for regulated firms to establish and maintain a register (database) of all outsourcing arrangements and the information (data elements) that such registers should contain. It also sets out the CBI's proposals to establish an online regulatory return for submission by regulated firms of their outsourcing registers. It is proposed that submission of registers will be required from regulated firms on a cyclical basis, with the first filing potentially due in Q2 2022.
Although the guidelines aren't specifically aimed at investment funds or fund management companies, CP138 most certainly applies to the funds industry. What it effectively does is take the EBA guidelines that weren't initially applicable to fund service providers (including management companies) and bring them up to these standards.
Steps that fund managers can take
On the surface, the CBI's published guidelines seem to have taken a clear and structured approach to outsourcing oversight. However, as with any piece of regulation (or guidance), practice is often very different to theory and the devil is always in the detail.
Considering that, for some fund managers, the implementation of such guidelines might entail significant operational change, here are five steps they can take to best prepare themselves.
1. Conduct a full audit of outsourced services
The main challenge from a fund manager's point of view, in terms of dealing with this guidance, is how to bring it all together and document everything. This is because many firms have a wide variety of delegations and outsourcing agreements in place - such as admin services, investment management services, different tech providers, intragroup arrangements and so on.
Generally, all third-party providers will expose a fund manager to a certain level of risk but not all will constitute outsourcing. This is easier to determine in a regulated environment, but grey areas do exist, such as around cloud service providers, who may hold confidential and sensitive data.
Overall, the key is to have a clear definition within the firm as to what constitutes outsourcing and stick to it. Remain cognisant, however, of the areas that carry third-party risk that aren't part of outsourcing - firms are still required to have some level of oversight over these service providers.
2. Create a standardised approach for delegating oversight
Businesses must ensure there is strong delegate oversight in place, but issues can arise when the oversight and due diligence functions are managed by different teams or parts of an organisation. These teams may have different approaches. So, the challenge and goal here is around standardising the process and creating a synchronised firmwide approach to delegate oversight. This will be particularly important where businesses have oversight responsibilities in different European jurisdictions that have not yet implemented the same rigour and level of expectations in terms of oversight that the CBI have through CP138.
With this in mind, managers may try to develop a standard due diligence approach to critical service providers, and a common framework for reviewing service level agreements (SLAs), KPIs and so on. Try to centralise oversight, criticality assessments and the documentation of Registers. This could be achieved by establishing an outsourcing committee to oversee the implementation of the Guidance.
3. Review service-level agreements with intragroup arrangements front of mind
Oftentimes it can be more difficult to get the same level of service/responsiveness from an intragroup agreement than from a third-party organisation whose services are being paid for - particularly in the area of formal SLAs and high-quality detailed KPIs.
As part of CP138 and the Guidance, the CBI have made it explicit that they expect an equal approach to be taken to intragroup arrangements as they do to third parties. Firms need to be clear on the responsibilities of both sides when entering an intragroup arrangement and ensure it is as well documented as it would be for a third-party agreement.
4. Keep an eye on the bigger regulatory picture
Firms have found themselves caught in the middle of CP138 - this is especially true for administrators and fund management companies where, in many cases, they outsource some of their activities but at the same time services are being outsourced to them. One of the biggest challenges for administrators with a global operating model and a number of centres of excellence around the world is that the CBI, with CP138 and the Guidance, is now deviating in certain areas from the current requirements outlined in EBA or ESMA regulation.
This supervisory convergence issue is becoming a problem as there is a higher bar in Ireland now compared to, say, Luxembourg. Common toolkits and oversight procedures that the Group may have now need to be adapted for Ireland, which is a challenge.
5. Initial steps to consider now the Guidance has been published
The CBI have confirmed in the accompanying Feedback Statement that the Guidance comes into immediate effect from 17 December 2021, the publication date. Boards and senior management should now examine the Guidance and assess which areas of their current outsourcing practices will need to be enhanced to meet the new Central Bank expectations. The Central Bank did note, however, that "the supervisory approach to its implementation will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model". Establishing a clear plan, identifying any potential areas that should be prioritised, and setting a timeline for the necessary enhancements is a great place for firms to start.
Additionally, within the Feedback Statement the Central Bank have confirmed that management companies with a PRISM rating of Medium Low or above will be required to complete an Outsourcing Register (described within the Guidance) on an annual basis, with the first submission potentially due in Q2 2022. The Central Bank is expected to provide a submission template on their website for this in Q1 2022 so do keep an eye out for this to be ready for the first filing.
Realise your investment strategy
For investment managers looking to domicile and market their alternative investment funds ("AIFs") in Europe, outsourcing core alternative investment fund manager ("AIFM") functions to a provider of third-party management company ("ManCo") and AIFM services is a quick, cost effective, and compliant route to cross-border distribution.
With the recent authorisation of Ocorian (AIFM) Ireland Limited, Ocorian can provide a platform for third-party AIFM management company services and facilitate access to the European market. With an experienced team and comprehensive outsourcing oversight framework, we can provide the outsourcing oversight and risk management function whilst helping you navigate the changing regulatory landscape as described above.