Kevin Curtis, Head of AIFM Oversight – Ireland, examines
the recently published guidelines on outsourcing by the Central
Bank of Ireland under CP138 and outlines the steps managers can
take to reduce exposure to risk.
The role of outsourcing throughout the broader financial
services industry has gained significant traction in the past
decade. Frequently used as a strategic tool, businesses of all
sizes across the financial spectrum have turned to outsourcing to
deliver on specific objectives.
Nowhere is this more true than in the funds services industry,
where outsourced and delegated relationships are increasingly
playing a critical role.
Considering the level of regulation that exists across the
broader financial services landscape, it’s perhaps
unsurprising, then, that outsourcing is becoming a key point of
focus. The most recent development is the publication by the
Central Bank of Ireland (“CBI”) in February 2021 of Consultation Paper 138 (“CP138”) to
consult on the proposed Cross Industry Guidance on Outsourcing (the
“Guidance”), together with draft sectoral guidance issued
thereafter and then the final publication of the Guidance in
December 2021.
The focus on outsourcing isn’t new, however; it is an area
in which the CBI has a continued history, having previously
published a discussion paper on outsourcing (Discussion Paper 8:
Outsourcing – Findings and Issues for Discussion) in 2018 and held
a conference on the matter in 2019.
In recent years we have also seen several high-profile financial
services firms reprimanded by the Central Bank and receive fines
because of regulatory breaches relating to outsourcing, and for
serious failings in the firms’ outsourcing frameworks. CP138
and the Guidance are therefore a clear step up in intent and
expectations from the CBI.
Indeed, the CBI’s paper builds on existing directives from
the European Banking Authority (“EBA”), European
Insurance and Occupational Pensions Authority (“EIOPA”)
and the European Securities and Markets Authority
(“ESMA”), with the aim of enhancing minimum requirements
for outsourcing. The consultation period ended in July 2021 and the
CBI issued its final guidelines in December 2021.
While the CBI acknowledges the benefits that outsourcing can
bring, it’s also of the opinion that it can come with
significant risk if managed poorly. As such, it has published
guidance that ‘seeks to confirm that regulated firms have
effective governance, risk management and business continuity
processes in place in relation to outsourcing, to mitigate
potential risks of financial instability and consumer
detriment.’
The CP138 Cross-Industry Guidance on Outsourcing guidelines are
set out under 10 headings as follows:
- Assessment of criticality or importance – the proposed guidance
  will be predominantly applied in respect of outsourcing of
  activities, services or functions that are deemed to be critical
  or important to a firm’s business.
- Intragroup arrangements – the guidance applies equally to
  intragroup outsourcing arrangements as it does to arrangements
  with third-party outsourcing providers (“OSPs”).
- Outsourcing and delegation – clarifies the CBI’s view that
  outsourcing and delegation aren’t different concepts.
- Governance – this section sets out the CBI’s expectations around
  the appropriate and effective governance of outsourcing, including
  the details of the responsibilities of boards and senior
  management in this regard. It also highlights the expectation that
  regulated firms consider their strategy and risk appetite in
  relation to outsourcing and details the elements which should be
  incorporated in a regulated firm’s outsourcing policy.
- Outsourcing risk assessment and management – highlights the
  importance of conducting and maintaining comprehensive outsourcing
  risk assessments and details the issues which should be considered
  when assessing and designing controls to manage and/or mitigate
  several key outsourcing risks.
- Due diligence – sets out the expectation that regulated firms
  undertake appropriate due diligence in respect of their OSPs prior
  to entering an outsourcing arrangement and at appropriate
  intervals during the life cycle of the arrangement.
- Contractual arrangements and service level agreements (SLAs) –
  sets out the key contractual provisions that should be
  incorporated into written outsourcing agreements, and highlights
  that such agreements should be supported by SLAs.
- Ongoing monitoring and challenge – highlights the importance of
  regular, comprehensive monitoring of the delivery of the service
  or function that has been outsourced.
- Disaster recovery and business continuity management – sets out
  expectations in the establishment and oversight of measures to
  ensure support for the continuity of outsourced functions. It also
  sets out the requirement to have in place appropriate strategies
  to exit outsourcing arrangements should the need arise.
- Provision of outsourcing information to the CBI – sets out the
  requirements for regulated firms to establish and maintain a
  register (database) of all outsourcing arrangements and the
  information (data elements) that such registers should contain. It
  also sets out the CBI’s proposals to establish an online
  regulatory return for submission by regulated firms of their
  outsourcing registers. It is proposed that submission of registers
  will be required from regulated firms on a cyclical basis, with
  the first filing potentially due in Q2 2022.
Although the guidelines aren’t specifically aimed at
investment funds or fund management companies, CP138 most certainly
applies to the funds industry. What it effectively does is take the
EBA guidelines that weren’t initially applicable to fund
service providers (including management companies) and bring them
up to these standards.
Steps that fund managers can take
On the surface, the CBI’s published guidelines seem to have
taken a clear and structured approach to outsourcing oversight.
However, as with any piece of regulation (or guidance), practice is
often very different to theory and the devil is always in the
detail.
Considering that, for some fund managers, the implementation of
such guidelines might entail significant operational change, here
are five steps they can take to best prepare themselves.
1. Conduct a full audit of outsourced services
The main challenge from a fund manager’s point of view, in
terms of dealing with this guidance, is how to bring it all
together and document everything. This is because many firms have a
wide variety of delegations and outsourcing agreements in place -
such as admin services, investment management services, different
tech providers, intragroup arrangements and so on.
Generally, all third-party providers will expose a fund manager
to a certain level of risk but not all will constitute outsourcing.
This is easier to determine in a regulated environment, but grey
areas do exist, such as around cloud service providers, who may
hold confidential and sensitive data.
Overall, the key is to have a clear definition within the firm
as to what constitutes outsourcing and stick to it. Remain
cognisant, however, of the areas that carry third-party risk that
aren’t part of outsourcing – firms are still required to have
some level of oversight over these service providers.
2. Create a standardised approach for delegating oversight
Businesses must ensure there is strong delegate oversight in
place, but issues can arise when the oversight and due diligence
functions are managed by different teams or parts of an
organisation. These teams may have different approaches. So, the
challenge and goal here is around standardising the process and
creating a synchronised firmwide approach to delegate oversight.
This will be particularly important where businesses have oversight
responsibilities in different European jurisdictions that have not
yet implemented the same rigour and level of expectations in terms
of oversight that the CBI have through CP138.
With this in mind, managers may try to develop a standard due
diligence approach to critical service providers, and a common
framework for reviewing service level agreements (SLAs), KPIs and
so on. Try to centralise oversight, criticality assessments and the
documentation of Registers. This could be achieved by establishing
an outsourcing committee to oversee the implementation of the
Guidance.
3. Review service-level agreements with intragroup arrangements front of mind
Oftentimes it can be more difficult to get the same level of
service/responsiveness from an intragroup agreement than from a
third-party organisation whose services are being paid for -
particularly in the area of formal SLAs and high-quality detailed
KPIs.
As part of CP138 and the Guidance, the CBI have made it explicit
that they expect the same approach to be taken to intragroup
arrangements as to third parties. Firms need to be clear on
the responsibilities of both sides when entering an intragroup
arrangement and ensure it is as well documented as it would be for
a third-party agreement.
4. Keep an eye on the bigger regulatory picture
Firms have found themselves caught in the middle of CP138 – this
is especially true for administrators and fund management companies
where, in many cases, they outsource some of their activities but
at the same time services are being outsourced to them. One of the
biggest challenges for administrators with a global operating model
and a number of centres of excellence around the world is that the
CBI, with CP138 and the Guidance, is now deviating in certain areas
from the current requirements outlined in EBA or ESMA
regulation.
This supervisory convergence issue is becoming a problem as
there is a higher bar in Ireland now compared to, say, Luxembourg.
Common toolkits and oversight procedures that the Group may have
now need to be adapted for Ireland, which is a challenge.
5. Initial steps to consider now the Guidance has been published
The CBI have confirmed in the accompanying Feedback Statement
that the Guidance comes into immediate effect from 17 December
2021, the publication date. Boards and senior management should now
examine the Guidance and assess which areas of their current
outsourcing practices will need to be enhanced to meet the new
Central Bank expectations. The Central Bank did note, however, that
“the supervisory approach to its implementation will be
mindful of the adjustments to be made by firms relative to the
nature, scale and complexity of the use of outsourcing as an
element of their business model”. Establishing a clear plan,
identifying any potential areas that should be prioritised, and a
timeline for the necessary enhancements is a great place to start
for firms.
Additionally, within the Feedback Statement the Central Bank
have confirmed that management companies with a PRISM rating of
Medium Low or above will be required to complete an Outsourcing
Register (described within the Guidance) on an annual basis, with
the first submission potentially due in Q2 2022. The Central Bank
is expected to provide a submission template on their website for
this in Q1 2022 so do keep an eye out for this to be ready for the
first filing.
Realise your investment strategy
For investment managers looking to domicile and market their
alternative investment funds (“AIFs”) in Europe,
outsourcing core alternative investment fund manager
(“AIFM”) functions to a provider of third-party
management company (“ManCo”) and AIFM services is a
quick, cost-effective, and compliant route to cross-border
distribution.
With the recent authorisation of Ocorian (AIFM) Ireland Limited,
Ocorian can provide a platform for third-party AIFM management
company services and facilitate access to the European market. With
an experienced team and comprehensive outsourcing oversight
framework, we can provide the outsourcing oversight and risk
management function whilst helping you navigate the changing
regulatory landscape as described above.