Financial Services Ireland

Overview

Financial Services firms are increasingly relying on third parties to drive efficiency and cost savings. Managing the risk associated with outsourcing can be challenging, and outsourcing presents a host of unique risks and vulnerabilities that need to be effectively managed. Increased outsourcing is leading to the creation of new service delivery models such as strategic partnering, cross-industry shared service centres, staff sharing and extensive sub-outsourcing.

Against a backdrop of increased regulatory attention to the risks posed by outsourcing, the Central Bank of Ireland (CBI) has issued its own “Cross Industry Guidance on Outsourcing”. Published in December 2021, the Guidance sets out the expected steps a firm should take to mitigate the risks posed, particularly in the delivery of critical or important business functions. The Guidance builds on existing European directives from the EBA (Banking Sector), EIOPA (Insurance Sector), and ESMA (Investments Sector), with the aim of enhancing outsourcing minimum requirements across the industry.

The Guidance does not seek to address in detail every aspect of a firm’s legal and regulatory obligations as they relate to outsourcing, and should be read in conjunction with the other relevant regulations, guidance and standards issued by the European Supervisory Authorities (ESAs) and further guidelines/guidance or bulletins issued by the Central Bank.

The Guidelines

The CBI defines Outsourcing as “an arrangement of any form between a regulated firm and an outsourced service provider (OSP) by which that service provider performs a process, a service, or an activity that would otherwise be undertaken by the regulated firm itself, even if the regulated firm has not performed that function itself in the past”.

The purpose of the CBI’s guidance is to:

  • Communicate the Central Bank’s expectations with respect to the governance and management of outsourcing risk to the boards and senior management of regulated firms.
  • Remind boards and senior management of regulated firms of their responsibilities when considering utilising outsourcing as part of their business model.
  • Ensure that the boards and senior management of regulated firms take appropriate action to ensure that their outsourcing frameworks are well designed, operating effectively and are sufficiently robust to manage the associated risks.

Timelines

The Guidance came into immediate effect upon publication in December 2021. Boards and Senior Management are expected to review the Guidance and enhance their outsourcing risk management frameworks to effectively identify, monitor and manage their outsourcing risks. However, the accompanying Feedback Statement notes that “the [Central Bank’s] supervisory approach to its implementation will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model.”

Change from the draft Consultation Paper (CP) 138 guidance to the final publication

There have been no material changes from the draft guidance to the final publication. However, some noteworthy inclusions to the final publication are outlined below.

  1. Role of the Board

    The CBI has set out clear roles and responsibilities for the board and senior management around outsourcing. The paper details a marked increase in the board’s remit and accountability. Consideration should be given to the imminent Senior Executive Accountabilities Regime, which will specify the responsibilities of senior executives as they relate to outsourcing.

  2. Critical or Important Functions

    Firms will be required to notify the CBI of any outsourcing arrangement in respect of critical or important functions or activities. The CBI intends to publish template notification forms for firms on its website in H1 2022.

  3. Outsourcing Register

    In respect of the obligation under the Guidance for firms to establish, maintain and submit to the CBI an outsourcing register, the Guidance provides, under Appendix 3, the general content the CBI will expect to be included in an outsourcing register.

  4. Scope of branches

    The Central Bank is of the view that branch-to-branch service provision, branch-to-parent provision and centres of excellence should all be regarded as forms of inter/intragroup service provision and, as such, are indistinguishable from outsourcing in terms of the risks posed by such arrangements when they are deemed critical or important. There is no reference to parent-to-branch provision of services.

  5. Delegation vs Outsourcing

    There is no distinction between delegated activities and outsourced services. The Central Bank is of the view that the Guidance should apply to outsourcing arrangements involving critical financial market infrastructure in a manner consistent with the firm’s nature, scale, and complexity.

  6. Intra-group arrangements

    The firm should be able to demonstrate its capacity to influence the outsourcing arrangements contracted with the “parent” or “sibling”. Firms should be particularly conscious of the possibility that serious conflicts of interest can arise in respect of intragroup arrangements. The possibility of such conflicts should be considered as part of the firm’s risk assessment when establishing the arrangements and mechanisms detailed for the resolution of any which do arise.

  7. Sub outsourcing

    Each firm’s primary responsibility is to ensure that third party service providers appropriately manage any critical or important sub-outsourcing arrangements. The Central Bank clarified that it does not expect firms to directly monitor fourth parties in all circumstances. However, before entering into a critical or important outsourcing agreement, firms should consider the potential impact on service delivery.

  8. Concentration risk

    Firms, as part of their risk assessments in respect of outsourcing generally and in respect of each particular arrangement, are obliged to consider the potential implications for the firm with respect to concentration risk. Firms should consider:

      i. What services will be outsourced to a particular supplier/OSP?
      ii. Are the services critical or important?
      iii. If there are multiple services, does it expose the firm to concentration risk?
      iv. Is the OSP readily substitutable?

    At the systemic level, it is accepted that individual firms have limited market intelligence in respect of their possible contribution to systemic risk, but it is a factor that they should be aware of, as is the risk each firm carries. Over time, it is expected that the Central Bank will be in a position to discuss such considerations with individual firms and industry sectors.

  9. Off-shoring

    It is not the Central Bank’s intention to impede the use of global strategies, infrastructure and/or specific locations (assuming no regulatory barriers exist) or technologies as part of outsourcing arrangements, provided that firms can demonstrate prudent risk management and appropriate governance for same.

  10. Notification to the Central Bank

    Notification Templates appropriate to each sector and aligned with the requirements of the EBA Guidelines will be published on the Central Bank website from Q1 2022 with the exception of the template for Banks, which will be published by the Single Supervisory Mechanism (SSM) and is expected sometime during 2022.

Implementation Considerations

Implementing the guidance on outsourcing risk can prove daunting at first. Work is also needed to align with other regulations, both existing and upcoming, such as the Digital Operational Resilience Act (DORA) and the CBI’s Cross Industry Guidance on Operational Resilience. Other areas of consideration include:

  • Framework: Traditionally, firms managed outsourcing and third parties based on the level of monetary spend or a limited number of risk factors. Now they must consider cloud computing, geographic location, concentration risk, chain-outsourcing etc.
  • Governance: The level of board awareness and quality of governance needs to be improved. Reporting of third parties’ risk has traditionally been limited to reactively assessing significant incidents.
  • Inter-group arrangements: Critical inter-group arrangements should meet the same levels of governance and risk management as external third parties.
  • Business Model: Banks need to clearly determine how their outsourcing strategy supports their business model and assess their risk profile against their risk appetite.
  • Concentration Risk: Banks need to reconsider the levels of outsourcing of critical or important functions if it leads to concentration risk or if they are not in a position to provide adequate monitoring and oversight.
  • Substitutability: Banks must assess the substitutability of service providers to identify suitable alternative service providers if existing providers need to be exited.

Next steps

In meeting the CBI’s guidance, firms need to begin assessing their outsourcing arrangements, the risks posed and how best to manage this risk.

Firms will be required to notify the CBI of any outsourcing arrangement in respect of critical or important functions or activities. The CBI intends to publish template notification forms for firms on its website in 2022.

Review the Guidance to establish whether the firm has the required data points as prescribed for the outsourcing register. The CBI intends to publish a template outsourcing register for firms in H1 2022, which can be used to validate that the required information is being captured.

It is intended that any firm with a PRISM impact rating of ‘medium low’ or higher will be required to submit its outsourcing register to the CBI on an annual basis, with the first submission of outsourcing registers to be completed in Q2 2022. The CBI confirms in its feedback statement that it will provide regulated firms with advance notice before outsourcing registers are to be submitted. Firms will be advised within a reasonable notice period in advance of making a submission in 2022.

Low Impact firms may also be asked to submit their Outsourcing Register on a case-by-case basis by their Supervisor.

How can EY help

EY can support you in your journey to achieving effective Third-Party Risk Management in full compliance with the CBI’s Cross Industry Guidance on Outsourcing while tailoring our processes and frameworks to meet your needs and objectives.

EY has a range of operating models to support you in delivering your TPRM program, from utilising in-house employees, to co-sourcing, to providing an end-to-end Managed Service model: an out-of-the-box, pre-configured solution with dedicated technology, SLAs, and governance model. EY can ensure that processes align to your current and future business operating models to enable you to build a model which supports the future of TPRM.

Our proven approach uses industry leading accelerators, which enable us to expedite the gap analysis and maturity assessment exercise. EY can further support you through:

  • Risk Identification: Deliver access to the latest public, proprietary and self-reported information. This enables you to identify and classify a variety of risk factors, including cyber, privacy, information security, bribery, corruption, financial crime, reputational and operational concerns.
  • Evaluation: Provide due diligence and investigation services. EY offers off-the-shelf and fully customised services for you to evaluate, segment and understand both the risk landscape and the quality controls in place at the local, country, regional and global level.
  • Monitoring: Help you understand and implement tactical and strategic methods of managing and mitigating third-party risks. These methods include continuous or periodic monitoring, threat monitoring and alert management processes to make the job of staying on top of risk easier to implement at a lower overall cost.
  • Innovate: Leverage advanced analytics, robotic automation, advanced workflow, and machine learning to simplify and streamline everyday tasks when implementing and managing effective third-party risk management programs.

Meet the team

Jerry O’Sullivan

Associate Partner, Risk

jerry.osullivan@ie.ey.com

David Spollen

Director, Risk

david.spollen@ie.ey.com

Donnchadh Duffin

Manager, Risk

donnchadh.duffin@ie.ey.com
