Outsourcing and the provision of financial services in Ireland

May 2020  |  SPOTLIGHT  |  BANKING & FINANCE

Financier Worldwide Magazine

May 2020 Issue


In recent years, the Central Bank of Ireland (CBI), in its capacity as the primary regulator of financial services firms in Ireland, has significantly increased its focus on outsourcing carried out by regulated financial services firms and the management by firms of the risks arising from such outsourcing arrangements.

In November 2018, the CBI published a paper entitled ‘Outsourcing – Findings and Issues for Discussion’. The discussion paper followed a cross-sector survey completed by the CBI in which a total of 185 financial services firms were surveyed, covering 7700 outsourcing agreements.

Speaking at a CBI conference on outsourcing in April 2019, the CBI’s director general, financial conduct, Derville Rowland, set out the CBI’s views on outsourcing following the survey. “While the review found some good practices, overall the results were disappointing,” said Ms Rowland. “To put it bluntly, we found significant risk management deficiencies on a widespread basis. More broadly, we concluded that, when it comes to outsourcing arrangements, governance and risk management standards are emphatically not where they need to be.”

Ms Rowland further indicated that the CBI views “the management of outsourcing risk as key from both a Conduct and Prudential perspective”. The discussion paper identifies several areas of weakness in firms’ management of outsourcing arrangements and outlines the minimum supervisory expectations of the regulator in the form of specific actions that firms are expected to take to address the weaknesses identified. Three primary areas of concern were identified as governance, risk management and business continuity management.

Outsourcing governance

Robust governance is key to the effective management of outsourcing risks. The discussion paper notes a lack of awareness within many firms of the scale of outsourcing and the resultant level of third-party dependencies. This issue is amplified by the complexities arising from ‘chain-outsourcing’ arrangements.

Some of the minimum supervisory expectations set out in the paper in respect of the governance issues identified are as follows: (i) the board and senior management must be fully aware of the scale of existing and proposed outsourcing arrangements and associated risks; (ii) the firm must have the appropriate skills and knowledge to properly oversee outsourced activities from inception to conclusion, in particular in cases where new or emerging technologies are being employed; (iii) the firm must have in place a documented and comprehensive outsourcing policy, which is approved by the board and complies with relevant legislation and guidance; (iv) there should be an appropriate oversight structure relating to outsourcing in place, with clearly established lines of responsibility; and (v) contractual arrangements, supported by service level agreements (SLAs) against which performance can be measured, must be put in place with all outsourcing service providers (OSPs).

Risk management

The discussion paper warns against the dangers of over-relying on the first line of defence, such as client-facing staff, for assurance around outsourcing arrangements and leaving the second line, including the risk function, in the dark regarding outsourced activities. Minimum supervisory expectations include the following: (i) the firm’s risk management framework should appropriately consider any outsourcing arrangements; (ii) the firm should conduct comprehensive outsourcing risk assessments; (iii) firms should have a ‘criticality and importance of service’ methodology that can be applied to all outsourcing decisions and the criticality or importance of all outsourced services should be assessed on an ongoing basis; (iv) firms must maintain appropriate skills and knowledge to effectively monitor and manage outsourced activities and to either substitute the OSP or bring the outsourced function in-house in an orderly manner; and (v) firms must monitor the performance of their OSPs so that issues can be identified, escalated and resolved as necessary.

Business continuity management

The CBI’s survey identified a number of deficiencies in relation to business continuity management (BCM), particularly in relation to business continuity testing and exit strategies. The resilience of firms to vulnerabilities presented by outsourcing arrangements will, to a large extent, be dictated by the effectiveness of the back-up measures they have in place, including their exit strategies.

Minimum supervisory expectations set out in the discussion paper include the following. First, BCM should be considered at the point at which firms propose engaging the services of an OSP. Second, the firm should put backup measures in place and plan and test scenarios that may warrant taking the activities back in-house or transferring them to another OSP. The firm must have sufficient skills and expertise to ensure that activities can be taken back in-house or transferred to another OSP in an orderly manner. Third, when testing their own business continuity plans, firms must ensure that their OSPs are included in the testing where appropriate. Fourth, firms must ensure that their OSPs have business continuity plans in place that include outsourcing arrangements. Firms are expected to be able to participate in the OSP’s business continuity testing. Fifth, firms are expected to regularly review the appropriateness of their business continuity plans, particularly where their outsourcing arrangements involve new or evolving technologies, trends or risks.

Outsourcing risks and trends

The discussion paper requires regulated firms to consider several key risks and evolving trends relating to outsourcing.

Sensitive data risk. Outsourcing often involves a third party handling the firm’s sensitive data. This gives rise to the risk of data loss, alteration, corruption or unauthorised access. Firms should ensure that OSPs apply data protection standards equivalent to those employed by the firm itself. Where a firm avails of cloud computing services, it should ensure that the OSP’s security operations are consistent with the firm’s own security operations. Firms must consider the location of data held in the cloud and consider all layers of a cloud supply chain when identifying and monitoring risk.

Concentration risk. A lack of diversification of OSPs can give rise to risks and result in unplanned service outages, disruption of services to customers and damage to reputation. The issue is more acute where a firm outsources to a dominant, not easily substitutable OSP, such as a large IT and cloud service provider. The CBI monitors concentration in the use of OSPs to ensure that any emerging systemic risks are identified and managed accordingly. Regulated firms should consider concentration risk before entering into new outsourcing arrangements and seek to avoid becoming over-reliant on a single provider.

Offshoring risk. The outsourcing of activities to another country presents firms with challenges and risks that must be effectively managed throughout the lifecycle of the arrangement. The physical distance of the firm from the outsourced activities increases the importance of regular engagement, monitoring of KPIs and assurance testing by the firm’s compliance and risk functions, including on-site reviews. Firms must also ensure that the CBI has access to all information required to enable it to carry out its supervisory functions, which may include access to the physical location where the activity is being carried out.

Firms are also required to consider the strength of the regulatory regime of the country where the OSP is located, as well as the political, cultural, climate and other risks specific to the country. Where firms currently outsource to the UK, they are expected to have conducted comprehensive risk assessments and scenario planning in relation to the potential impact of Brexit.

Chain outsourcing. A regulated firm is expected to impose a contractual obligation on all OSPs to inform the firm of any planned sub-outsourcing or changes to existing sub-outsourcing. The firm must ensure that the OSP oversees and manages the activities of the sub-contracted service provider so that all services are performed to the standards set out in the primary outsourcing agreement and SLA.

Substitutability. Firms must ensure that they have clear and viable contingency plans and exit strategies in place in order to facilitate continuity of business in the event of an issue with an OSP. The starting point is an assessment of the extent to which a service can be substituted or taken back in-house. For services that can be substituted, the firm should identify and engage with an alternative provider and assess the time frame for transition. Where a service cannot be substituted, the firm should consider what contingency arrangements can be put in place to minimise the impact of the disruption on the firm’s clients and business.

Conclusion

Regulated firms face myriad regulatory requirements and guidelines applicable to their outsourcing arrangements. The discussion paper lists 26 distinct pieces of legislation, regulatory requirements and guidance which are potentially applicable, depending upon the sector in question. When seeking to meet the minimum supervisory expectations set out in the paper, regulated firms must consider the scope and structure of any proposed outsourcing in the context of the relevant regulatory regime.

Since the discussion paper was issued, the European Insurance and Occupational Pensions Authority (EIOPA) has issued its final report on guidelines on outsourcing to cloud service providers, which contains guidance for national supervisory authorities interpreting Solvency II outsourcing requirements. In addition, the European Banking Authority (EBA) has published two sets of final guidelines concerning, firstly, outsourcing arrangements generally and, secondly, ICT and security risk management. Finally, the European Securities & Markets Authority (ESMA) has indicated that it intends to issue guidelines on outsourcing to cloud service providers during 2020.

The ever-increasing complexity of the regulatory landscape for outsourcing means that regulated firms will need to ensure that they have set aside sufficient resources to understand the requirements and to assess and manage their outsourcing arrangements accordingly.

Keith Waine is a partner and Karen Jennings is a senior associate at Dillon Eustace. Mr Waine can be contacted on +353 1 673 1822 or by email: keith.waine@dilloneustace.ie. Ms Jennings can be contacted on +353 1 673 1720 or by email: karen.jennings@dilloneustace.ie.

© Financier Worldwide

By Keith Waine and Karen Jennings, Dillon Eustace
