Financial Services firms are increasingly relying on third parties to drive efficiency and cost savings. Managing the risk associated with outsourcing can be challenging and presents a host of unique risks and vulnerabilities that need to be effectively managed. Increased outsourcing is leading to the creation of new service delivery models such as strategic partnering, cross-industry shared service centres, staff sharing and extensive sub-outsourcing.
Against a backdrop of increased regulatory attention to the risks posed from outsourcing, the Central Bank of Ireland (CBI) has issued its own, “Cross Industry Guidance on Outsourcing”. Published in December 2021, the Guidance sets out the expected steps a firm should take to mitigate the risks posed, particularly in the delivery of critical or important business functions. The Guidance builds on existing European directives from the EBA (Banking Sector), EIOPA (Insurance sector), and ESMA (Investments Sector), with the aim of enhancing outsourcing minimum requirements across the industry.
The Guidance does not seek to address in detail, every aspect of a firms’ legal and regulatory obligation as they relate to outsourcing and should be read in conjunction with the other relevant regulations, guidance and standards issued by the European Supervisory Authorities (ESAs) and further guidelines/guidance or bulletins issued by the Central Bank.
The CBI defines Outsourcing as “an arrangement of any form between a regulated firm and an outsourced service provider (OSP) by which that service provider performs a process, a service, or an activity that would otherwise be undertaken by the regulated firm itself, even if the regulated firm has not performed that function itself in the past”.
The purpose of the CBI’s guidance is to:
The Guidance came into immediate effect upon publication in December 2021. Boards and Senior Management are expected to review the Guidance and enhance their outsourcing risk management frameworks to effectively identify, monitor and manage their outsourcing risks. However, the accompanying Feedback Statement notes that “the [Central Bank’s] supervisory approach to its implementation will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model.”
There have been no material changes from the draft guidance to the final publication. However, some noteworthy inclusions to the final publication are outlined below.
The CBI have set some clear roles and responsibilities for the board and senior management around outsourcing. The paper details a marked increase in the boards remit and their accountability. Consideration should be given to the imminent Senior Executive Accountabilities Regime which will specify the responsibilities of senior executives as they relate to outsourcing.
Firms will be required to notify the CBI of any outsourcing arrangement in respect of critical or important functions or activities. The CBI intends to publish template notification forms for firms on its website in H1 2022.
In respect of the obligation under the Guidance for firms to establish, maintain and submit to the CBI an outsourcing register, the Guidance provides, under Appendix 3, the general content the CBI will expect to be included in an outsourcing register.
The Central Bank is of the view that branch-to-branch service provision, branch-to-parent provision and centres of excellence should all be regarded as forms of inter/intragroup service provision and, as such, are indistinguishable from outsourcing in terms of the risks posed by such arrangements when they are deemed critical or important. There is no reference to Parent to Branch provision of services.
There is no distinction between delegated activities and outsourced services. The Central Bank is of the view that the Guidance should apply to outsourcing arrangements involving critical financial market infrastructure in a manner consistent with the firm’s nature, scale, and complexity
The firm should be able to demonstrate its capacity to influence the outsourcing arrangements contracted with the “parent” or “sibling”. Firms should be particularly conscious of the possibility that serious conflicts of interest can arise in respect of intragroup arrangements. The possibility of such conflicts should be considered as part of the firm’s risk assessment when establishing the arrangements and mechanisms detailed for the resolution of any which do arise.
Each firms’ primary responsibility is to ensure that third party service providers appropriately manage any critical or important sub-outsourcing arrangements. The Central Bank clarified that it does not expect firms to directly monitor fourth parties in all circumstances. However, before entering into a critical or important outsourcing agreement, firms should consider the potential impact on service delivery.
Firms, as part of their risk assessments in respect of outsourcing generally and in respect of each particular arrangement are obliged to consider the potential implication for the firm with respect to concentration risk. Firms should consider, i. What services will be outsourced to a particular supplier/OSP? ii. Are the services critical or important? iii. If there are multiple services, does it expose the firm to concentration risk? iv. Is the OSP readily substitutable? At the Systemic Level It is accepted that individual firms have limited market intelligence in respect of their possible contribution to systemic risk, but it is a factor that they should be aware of and the risk each firm carries. Over time, it is expected that, the Central Bank will be in a position to discuss such considerations with individual firms and industry sectors.
It is not the Central Bank’s intention to impede the use of global strategies, infrastructure and or specific locations (assuming no regulatory barriers exist) or technologies as part of outsourcing arrangements provided that firms can demonstrate prudent risk management and appropriate governance for same.
Notification Templates appropriate to each sector and aligned with the requirements of the EBA Guidelines will be published on the Central Bank website from Q1 2022 with the exception of the template for Banks, which will be published by the Single Supervisory Mechanism (SSM) and is expected sometime during 2022.
Implementing the guidance on outsourcing risk can prove daunting at first. Work is needed to also align with other regulations, both existing and upcoming, such as the Digital Operational Resilience Act (DORA), and the CBI’s Cross Industry Guidance on Operational Resilience. Other areas of consideration include:
In meeting the CBI’s guidance, firms need begin assessing their outsourcing arrangements, the risks posed and how best to manage this risk.
Firms will be required to notify the CBI of any outsourcing arrangement in respect of critical or important functions or activities. The CBI intends to publish template notification forms firms on its website in 2022.
Review the Guidance to establish whether the firm has the required data points as prescribed for the outsourcing register, The CBI intends to publish a template outsourcing register for firms in H1 2022 which can be used to validate the required information is being captured.
It is intended that any firm with a PRISM impact rating of ‘medium low’ or higher will be required to submit its outsourcing register to the CBI on an annual basis, with the first submission of outsourcing registers to be completed in Q2 2022. The CBI confirms in its feedback statement that it will provide regulated firms with advance notice before outsourcing registers are to be submitted. Firms will be advised within a reasonable notice period in advance of making a submission in 2022.
Low Impact firms may also be asked to submit their Outsourcing Register on a case-by-case basis by their Supervisor.
EY can support you in your journey to achieving effective Third-Party Risk Management in full compliance of the CBI’s Cross Industry Guidance on Outsourcing while tailoring our processes and frameworks to meet your needs and objectives.
EY has a range of operating models to support you in delivering your TPRM program. From utilising in-house employees, to co-sourcing, to providing an end-to-end Managed Service model, an out of the box, pre-configured solution with dedicated technology, SLAs, and governance model. EY can ensure that processes align to your current and future business operating models to enable you to build a model which supports the future of TPRM.
Our proven approach uses industry leading accelerators, which enable us to expedite the gap analysis and maturity assessment exercise. EY can further support you through:
Jerry O’Sullivan Associate Partner, Risk |
David Spollen Director, Risk |
Donnchadh Duffin Manager, Risk |
If you would like more information on how EY's team of experts can help, please reach out today.
