The Central Bank of Ireland has issued local market guidance on the topic of outsourcing within the financial services industry. The paper, released in February 2021, builds on existing European directives from the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA), with the aim of enhancing outsourcing minimum requirements across the industry.
In a nutshell, it asks all financial industry firms to comply with the highest level of all requirements across the banking, insurance and investment sectors and outlines some additional requirements.
The CBI cross-industry guidance is not designed to conflict with any aspect of the EU industry-specific papers, and should generally be considered an evolution to the existing regulatory landscape rather than running counter to it. However, we would caution all firms that the required step up from their current state shouldn’t be underestimated.
Outsourcing is increasingly used by regulated firms as a successful strategic tool to deliver on its objectives. CBI acknowledges the benefits from outsourcing arrangements but also notes that the dependency created by such arrangements may influence the stability of the firm, quality and service of products delivered to consumers and operation of the market. The consequential impact to the risk profile of regulated firms has increased the CBI’s focus around regulated firms’ capabilities and approaches to managing and mitigating outsourcing risk.
Some key themes and areas of the consultation paper include:
The CBI has set some clear roles and responsibilities for the board and senior management around outsourcing. The papers detail a marked increase in the board’s remit and accountability. Upfront the papers set their audience as the board and senior management, with the papers’ purpose being articulated as:
The consultation paper states that Boards and senior management must be cognisant of the fact that when entering into outsourcing arrangements they are creating a dependency on a third party, which has the potential to influence the operational resilience of their firm. As well as a specific section in the papers outlining the role of the board and senior management, there are references to board requirements throughout the papers. It will be important that boards are appropriately briefed on the topic to be able to apply the level of review, challenge and rigour the guidelines will require.
Specific board requirements include:
Whilst the EBA, EIOPA and ESMA guidelines stipulate intragroup outsource arrangements should be subject to the same framework as service providers outside the group, the EBA references being able to rely on group business continuity plans as well as the group’s governance and oversight framework.
The CBI Cross Industry guidance takes a stronger stance on intragroup outsourcing. In contrast to the EBA wording of intragroup being “not necessarily less risky” the CBI refers to intragroup outsourcing by saying it “can carry the same risk as external outsourcing as well as present additional unique risk.”
Whilst the EBA requirements call out conflicts as an area that needs to be taken into account as a risk for intragroup, the CBI papers go further and stipulate a number of expectations for intragroup arrangements including:
There are references to the topic of operational resilience throughout the draft guidelines. This reflects the reliance and importance placed on third parties to support the soundness of resilience for both individual firms and the wider financial system. The CBI specify that the paper is aligned to one of its five strategic themes of “strengthening resilience’- driving the financial system to be better able to withstand external shocks and future crises.
Where the paper addresses BCM, DR and exit requirements there is reference made to consider and include impact tolerances for business service interruptions. This is aligned to the requirements expected in the European Commission’s Digital Operational Resilience Act (DORA) proposal.
As with the ESMA and EIOPA cloud outsourcing guidelines, there is an emphasis in the CBI papers on the digital risks and a firm’s exposure through ICT and security third parties, including cloud providers. Aligned to ESMA, the CBI requires information security requirements to be built into internal policies and procedures, with dedicated roles and responsibilities assigned both internally and with the service provider. Additionally, the CBI requires a documented data management strategy to be in place to implement effective measures for the appropriate storage, management, retention and destruction of data handled by a third party. A number of areas to be covered within the strategy are outlined.
There are specific requirements set out around data security (including the availability and integrity of a firm’s business and customer data). The CBI expects a number of appropriately designed and operationally effective controls (i.e. encryption and access management, incident response, training).
The CBI papers also refer to the disaster recovery requirements alongside the business continuity requirements we have seen in the industry-specific papers.
Some clarity is provided around concentration risk and what firms are expected to assess and measure. There is a requirement (aligned to ESMA) to assess the concentration across the financial services sector and wider financial services market, not just that within the financial institution.
The CBI paper voices concerns around offshoring. Specifically, it references the impact offshoring has on the visibility and the ‘supervisibility’ of the risks associated with the physical distance and both the regulated firm and the CBI’s ability to ensure effective oversight and supervision. The papers require a board-approved appetite for offshoring, a subset of risks to be carefully considered, and the CBI to be notified well in advance of intended agreement. Additionally, the CBI cautions that it may restrict a firm from offshoring if necessary.
Consultation on CP138 is open till 26th July and the guidance is expected to be published in the later part of 2021. Firms should reflect on the consultation papers and the potential impact on their business.
EY, on behalf of its clients, can submit a response to the consultation with its views on the regulators’ proposals. If you would like to further discuss the papers in further detail, please don’t hesitate to reach out.