On 17 December 2021, the Central Bank of Ireland (the “Central Bank”) published its final cross industry guidance on Outsourcing (the “Guidelines”). The feedback statement ("Feedback Statement") which accompanied the Guidelines sets out the Central Bank’s views on the submissions received from stakeholders on the February 2021 consultation paper on draft guidelines on Outsourcing (the “Draft Guidelines”).
There were no major changes from the Draft Guidelines, which isn’t surprising as, in our experience, there rarely are major changes after such consultations. There are some useful clarifications and the Feedback Statement itself is useful to read to get a sense of the Central Bank’s perspective on these issues. It is not a surprise to Matheson, who advises extensively in this area, but Outsourcing is clearly a very important issue for the Central Bank, and in many respects the Guidelines pull together and codify expectations that have been developing over the past several years. It’s something of a statement of the obvious, but firms really do need to take notice of this development, and dealing with it needs to be a priority for all in 2022.
In general, the feedback “welcomed the publication of the Guidance and the clarity it brings in setting out the Central Bank’s expectations for the management of outsourcing risk” and therefore the Guidelines remain largely unchanged from those contained within the Draft Guidelines. However, the Central Bank has “taken on board a number of constructive comments” and made some specific revisions to the Guidelines. The Central Bank highlights that it may issue additional guidance on a sector specific basis.
We have summarised below the topics which the Central Bank identified as areas where feedback, amendment or further clarification was warranted:
- Alignment with existing guidance from the European Supervisory Authorities (“ESAs”): A number of stakeholders commented on the relationship between the Draft Guidelines and current ESA Guidelines. In particular, there were requests received that the Draft Guidelines be aligned to the EBA Outsourcing Guidelines so as not to place additional expectations on firms, or deviate from international standards. The Central Bank notes that it considers that the expectations in the Guidelines are aligned with the EBA Guidelines on Outsourcing, the ICT Guidelines and the Cloud Guidelines as set out by EIOPA and ESMA and highlighted its expectation that “where existing relevant sectoral legislation, regulations or guidance is less prescriptive or is silent on certain matters, it is the Central Bank’s expectation that regulated firms refer to the supervisory expectations set out in this Guidance”.
- The Principle of Proportionality: In relation to queries on whether specific sections would apply to certain sectors, the Central Bank clarifies that the Guidelines are deemed relevant to any regulated firm which utilises outsourcing as part of its business model. It acknowledged that certain aspects of the Guidelines may not be appropriate to all regulated firms and that firms should always have regard to the nature, scale and complexity of their business model and the degree to which they engage in outsourcing.
- Application of the Guidance to Branches: A number of respondents requested clarification on the applicability of the Guidelines to branches of overseas regulated financial services providers (both EU and third country branches). The Central Bank clarifies that branch to branch service provision, branch to parent provision and centres of excellence should all be regarded as forms of inter / intragroup service provision and the Guidelines should be applied and the risks managed in the same manner as any intragroup arrangements.
- Intragroup Arrangements: The Central Bank’s position remains that intragroup arrangements should not be treated as inherently less risky than arrangements with third parties outside a firm’s group, although certain aspects of the arrangements may be managed differently in practice. The Central Bank notes that firms should be particularly conscious of the possibility that serious conflicts of interest can arise in respect of intragroup arrangements.
- Sub-Outsourcing: The Central Bank clarifies that it does not expect firms to directly monitor sub-outsource service providers in all circumstances. However, before entering into a critical or important outsourcing agreement, firms should consider the potential impact on service delivery of large, complex sub-outsourcing chains on their operational resilience and their capacity to monitor such arrangements and oversee such complexity.
- Contractual Arrangements and Service Level Agreements (“SLAs”): A number of firms raised questions relating to various aspects of the “good practice” expectations in respect of contractual agreements and SLAs, with some suggesting that perhaps many of the expectations should only apply to critical or important outsourcing arrangements. Some firms suggested that many of the expectations would be rejected by OSPs / Cloud Service Providers (“CSPs”). The Central Bank in its Feedback Statement highlights that the purpose of setting out the expectations with the degree of granularity used is to trigger consideration, by firms, of their appropriateness when drawing up new or revised contracts and associated SLAs, and this requirement also anticipates the implementation of the draft EU Directive on Digital Operational Resilience Act (“DORA”).
- Outsourcing Registers: A number of respondents asked the Central Bank for the data requested in the outsourcing registers to be consistent with the EBA Guidelines and the frequency to be linked to the Central Bank’s PRISM Impact Rating of firms. The Central Bank clarifies that the additional data requested above the EBA Guidelines is to assist it in performing its regulatory responsibilities, including the assessment of concentration risk, and provides clarity within the registers with respect to the service providers with whom firms are contracting.
- Disaster Recovery, Business Continuity Management and Exit Strategies: In response to queries raised as to the need for the granularity of the expectations and the inclusion of references to Recovery and Resolution, the Central Bank notes that these are areas where supervisory review has shown that there have been weaknesses in the quality of controls and a lack of consideration of resiliency risk. The Central Bank believes that the provision of greater granularity around its policy expectations with respect to these controls will raise board and senior management awareness of its resiliency concerns and the need to address these in a cohesive manner.
- Feasibility of Disaster Recovery and Business Continuity Management Expectations: A number of respondents raised a concern regarding the feasibility of the expectations referenced at Part B Section 9 of the Guidance - Disaster Recovery and Business Continuity Management Sub Paragraphs (g), (h), and (i). The Central Bank has responded noting its intention to amend these sections to include the term “and feasible” at the end of sub paragraph (g) and “use best efforts” at the beginning of sub paragraph (h). These changes have not yet been made in the Guidance. The Central Bank notes that the purpose of laying out these specific expectations is to ensure that there is close alignment of the contingency planning and testing of the OSP and that of the regulated firm. While the Central Bank acknowledges that this may not always be operationally feasible, it highlights its expectation that it should be possible to conduct combined “Tabletop Exercises” to walk through coordinated recovery processes as a form of testing.
- Audit and Access Rights: Some respondents raised doubts about the ability of firms to require OSPs / CSPs to agree to audit and access rights in the manner required by the EBA Guidelines and the Central Bank’s Guidelines and suggested that the Central Bank should not restrict the use of “Pooled Audits” or “Certifications”. The Central Bank acknowledges that some service providers are endeavouring to restrict audit and access rights; however, the Central Bank is of the view that such a stance is unhelpful for both the firm and the Central Bank and stresses that audit and access rights should be insisted upon by regulated firms in the course of contractual negotiations. The Central Bank also clarifies that it has no objection to the use of pooled audits or certifications provided that the regulated firm has satisfied itself and can demonstrate that the work can be conducted by appropriately qualified staff and is aligned to the requirements of the firm.
- Concentration Risk: A number of respondents raised the issue relating to the responsibility of individual firms in respect of concentration risk and in particular systemic concentration risk. The Central Bank clarifies that, at firm level, firms are obliged to consider the potential implication for the firm with respect to concentration risk and should consider the following questions:
  - What services will I be outsourcing to a particular supplier / OSP?
  - Are the services critical or important?
  - If there are multiple services, does it expose the firm to concentration risk?
  - Is the OSP readily substitutable?
  - Are other FS firms outsourcing to the same OSP and if so is the firm satisfied that the OSP has the capacity to ensure service even in stressed circumstances?
At the systemic level the Central Bank accepts that individual firms have limited market intelligence in respect of their possible contribution to systemic risk, but it is a factor that they should be aware of and the risk each firm carries. In addition, firms should understand the Central Bank’s obligations in this regard. Over time, the Central Bank expects to be in a position to discuss such considerations with individual firms and industry sectors, as its knowledge base grows from the data collected via the outsourcing registers.
- Offshoring: Some respondents raised concerns that the Central Bank’s position on offshoring could impede the use of global technologies and infrastructure by Irish based firms and some requested that the Central Bank publish a list of jurisdictions which might be subject to constraints. The Central Bank noted that the Guidelines are not intended to impede the use of global strategies, infrastructure and/or specific locations or technologies as part of outsourcing arrangements provided that firms can demonstrate prudent risk management and appropriate governance for same.
- Board Oversight: A number of respondents queried the need for the annual review and board approval of the firm’s outsourcing policy; however, the Central Bank noted that, in the interests of sound governance, the provisions relating to review and approval will remain unchanged.
- Application of Outsourcing to Investment Funds industry: The Central Bank considered submissions by a number of respondents within the investment funds industry that the final guidance should have regard to the specific regime in relation to “delegation” of services by investment funds and their service providers. In particular, those respondents had been of the view that the specific rules previously applied in relation to “delegation” (for example, in the context of depositaries delegating custody and sub-custody arrangements) should continue to apply, to the exclusion of certain of the proposals in respect of “outsourcing” under the Guidelines. The Central Bank re-affirmed the view in the initial consultation that delegation and outsourcing are one and the same and that no difference should be inferred where these terms are used. This conclusion could raise challenges for depositaries in the context of their engagement with critical financial market infrastructure, including clearing and settlement services provided by Central Securities Depositories (CSDs) and Central Counterparties (CCPs). The Central Bank feedback acknowledged those challenges and confirmed that there might be merit to such an approach in terms of clarity. However, it seems to have been concerned as to the unintended consequences of removing such entities entirely from scope and concluded instead that the Guidelines should apply to outsourcing arrangements involving critical financial market infrastructure in a manner consistent with the firm’s nature, scale and complexity.
The Guidelines came into effect on the date of publication (17 December 2021); however, the Central Bank has clarified that its supervisory approach to its implementation will be “mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model”.
With regard to the expectations set out in the Guidelines around the notification of planned critical or important outsourcing arrangements, or material changes to existing arrangements, notification templates appropriate to each sector and aligned with the requirements of the EBA Guidelines will be published on the Central Bank website in Q1 2022 with the exception of the template for banks, which will be published by the SSM and is expected during 2022.
The Central Bank has clarified that notification of such proposed arrangements does not constitute a pre-approval process and specific timings in respect of the submission of notifications are not prescribed unless required by existing regulation.
With regard to the submission of outsourcing registers, the general content of the registers is contained in Appendix 3 of the finalised Guidelines. A spreadsheet template for the outsourcing register will be made available for all firms to download from the Central Bank website during Q1 2022.
The Central Bank intends that all firms whose PRISM Impact Rating is Medium Low or above will submit their outsourcing register via a new Online Return on an annual basis. The timing of the first submission is planned for Q2 2022. Low Impact firms may also be asked to submit their outsourcing register on a case by case basis by their supervisor. The details and instructions for completion will be communicated to all impacted firms at the earliest possible date giving sufficient advance notice to allow firms to meet the submission deadline.
Firms will be advised within a reasonable notice period in advance of making a submission in 2022 (except systemically important banks who will make their submission to the SSM).
The Central Bank has continuously emphasised that responsibility and accountability for effective oversight for all regulated activities, whether outsourced or not, ultimately rests with the board and senior management. As outsourcing is such a key area of focus for regulators both in Ireland and internationally at the moment, it is important that firms are cognisant of the Guidelines when using outsource service providers.
Matheson have significant experience in assisting clients in relation to all stages of an outsourcing agreement from initial risk analysis, due diligence, contract negotiation, dealing with the regulator and Exit Strategy. We have prepared a series of checklists which may be of assistance for firms to use throughout the life-cycle of an outsourcing arrangement. If you would like a copy of our checklists or have queries in respect to any aspect of Outsourcing, we are happy to assist.
This article was co-authored by partners Joe Beashel, Shay Lydon and Elaine Long, Consultant Niamh Mullholland and Senior Associates Ian O’Mara and Catherine Macfarlane. For further information, please contact any one of them or your usual Matheson contact.