We provide a summary of the key points of the Central Bank’s Cross Industry Guidance on Outsourcing (Guidance), available here. We also look at the contractual requirements for outsourcings as contained in the Guidance.
Assessment of criticality or importance
To manage outsourcing risk effectively, it is necessary for regulated firms to determine the criticality or importance, to them, of the function, service or activity which is being outsourced. Whether an outsourcing is deemed to be critical / important or not will be determined by, amongst other things, the extent of the contractual requirements from the Guidance which will need to be reflected in the relevant outsourcing agreement.
Central Bank notification
The Central Bank expects to be notified of any proposed “critical or important” outsourcing arrangement by a regulated firm, as well as of any material changes to an existing critical or important arrangement.
Contrasting the Central Bank’s approach to the EBA, EIOPA and ESMA
Firms that are subject to the EBA Guidelines on Outsourcing, such as banks, investment firms, payment institutions and electronic money institutions, will recognize a lot of the contracting requirements in the Guidance and will be relieved to know that the EBA approach has been largely followed by the Central Bank. However, there are some nuanced differences and clarifications in the contracting requirements which will need to be considered and reflected.
Firms that are subject to EIOPA Cloud Outsourcing Guidelines, for example insurers, and the ESMA Cloud Outsourcing Guidelines, such as AIFMS, fund management companies, Central Counterparties and certain investment firms, amongst others, will notice some material differences between the Central Bank approach and the EIOPA and ESMA approaches to contracting requirements. These firms will therefore need to assess their approach to outsourcing contracts considering their other regulatory obligations and the Guidance.
Some of the contractual requirements in the Guidance are straightforward and include areas that we would expect to be addressed in any outsourcing agreement. These include for example:
- The term and notice periods for termination
- The parties’ financial obligations
- The governing law of the contract etc.
Others are specific points of detail which will need to be “ticked off”, such as:
- The location of where the service will be provided
- Where data, as a broad concept, not just personal data, will be kept and processed
- A right for the regulated firm to carryout penetration testing where relevant, etc.
The more taxing contractual requirements are those which are expressed at a more principled level. One of the most challenging to practically reflect in an outsourcing agreement relates to termination rights. Among other requirements, the regulated firm is required to have a right to terminate where impediments capable of altering the performance of the outsourced function are identified, or where there are material changes affecting the outsourcing arrangement or the outsource service provider itself. To adequately reflect these requirements, regulated firms will need to translate them into contractual rights which are actionable.
Other practically challenging contractual requirements are the audit and access rights. These require an “unrestricted right” of inspection and audit along with “full access” to all relevant premises, devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the outsourced service providers (OSP’s) external auditors. These same rights need to be procured by the outsource provider from its subcontractors for the benefit of the regulated firm and the Central Bank.
Certain types of service providers can be very reluctant to grant such broad rights, such as:
• Those with large client bases in the financial sector
• Those with particular security concerns like cloud providers, and
• Those with limited leverage over their subcontractors
Our experience in implementing these audit and access rights is that while the core principles are achievable, regulated firms may need to be adaptable when it comes to alternative audit methods, e.g, third party certifications, and the efficient use of such rights, acknowledging that this can be a difficult balance to strike in the face of a regulated firms’ regulatory obligations.
The board and senior management of regulated firms are ultimately accountable for the effective oversight and management of outsourcing risk within their business.
To ensure effective governance and oversight of outsourcing risk, the Central Bank lists its expectations that the board, senior management or management body of a regulated firm should meet, and these include:
- Taking appropriate action to ensure that the governance and risk management of their outsourcing frameworks is appropriate and operating effectively
- Having a documented outsourcing strategy in place, which is aligned to the regulated firm’s business strategy, business model, risk appetite, and risk management framework
- Ensuring that their outsourcing governance and risk management structures are in line with relevant sectoral legislation, regulation and guidelines particularly where functions are outsourced to an OSP, whether third party or intragroup, operating in a different jurisdiction
- Ensuring that outsourcing does not impede the regulated firm’s ability to meet the conditions with which it must comply to remain authorised, including any conditions imposed by the Central Bank
Outsourcing Risk Assessment & Management
The Central Bank expects that outsourcing risk should be adequately covered in a regulated firm’s overall risk management framework and risk register. Tailored risk assessments should be conducted prior to entering an outsourcing arrangement. These should be reviewed annually to ensure there have been no changes to the OSP's operations that would have a material impact on the regulated firm's risk profile. Procedures should be in place for overseeing, monitoring and assessing the appropriateness and performance of OSPs.
The Central Bank expects that appropriate and proportionate due diligence reviews be conducted in respect of all prospective OSPs or intragroup providers, before entering any arrangements. Regarding critical and important functions, regulated firms should ensure that an OSP has the capabilities, and the appropriate authorisation, where required, to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the contract.
Ongoing Monitoring and Challenge
In conducting appropriate monitoring and challenge of the outsourcing framework, the underlying outsourcing arrangements and the operational functioning of same, regulated firms should incorporate outsourcing assurance into their three lines of defence.
Disaster Recovery and Business Continuity Management
Key to effective governance and risk management associated with any outsourcing arrangement is ensuring continuity of services through robust disaster recovery and business continuity management. An integral part of this process is the regulated firm’s resilience to an event occurring. Regulated firms should ensure that controls or other resilience measures are effective and in line with evolving practice and emerging risks.
For more information, contact a member of our Technology team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.