Central Bank proposed outsourcing guidelines
The Central Bank has launched a consultation on outsourcing, which builds on the themes set out in its 2018 discussion paper.
Background
Outsourcing has long been an area of particular focus for EU regulators, including the Central Bank of Ireland (the "Central Bank"). This is because of increasing prevalence of outsourcing across the financial services sector and its potential, if not effectively managed, to threaten the operational resilience of regulated financial services providers and the financial systems in which they operate.
In recent years, the Central Bank has carried out a large amount of work on outsourcing, including the publication of its discussion paper 'Outsourcing - Findings and Issues for Discussion' in November 2018 (the "Discussion Paper"), which set out the Central Bank's minimum supervisory expectations for regulated firms. The Central Bank has also adopted the relevant international standards on outsourcing, such as the EBA's updated guidelines which came into force in September 2019 (the "EBA Guidance").
Proposed Guidance
The Central Bank has now published draft Cross-Industry Guidance on Outsourcing Risk (the "Proposed Guidance") as part of a consultation, which runs until July 2021. The Proposed Guidance deals with the following ten areas, each of which we have briefly discussed below:
Assessment of Criticality or Importance of activity/service to be outsourced
Intragroup Arrangements
Outsourcing & Delegation
Governance
Outsourcing Risk Assessment & Management
Due Diligence
Contractual Arrangements and Service Level Agreements (SLAs)
Ongoing Monitoring and Challenge
Disaster Recovery and Business Continuity Management
Provision of Outsourcing Information to the Central Bank of Ireland
1. Assessment of Criticality or Importance
The relevance of the criticality or importance assessment is that it allows for the effective management of outsourcing risk. The Proposed Guidance uses the EBA's definition of criticality or importance:
"Functions that are necessary to perform core business lines or critical business functions should be considered as critical or important, unless the institution's assessment establishes that a failure to provide the outsourced Function or the inappropriate provision of the outsourced Function would not have an adverse impact on the operational continuity of the core business line or critical business function".
The expectation is for firms to have a methodology for assessing the criticality or importance of a service, and to document and review that methodology. They are also expected to review the assessments which have been carried out, to ensure that they are still appropriate.
2. Intragroup Arrangements
One of the observations of the Discussion Paper was an approximately 50:50 split between third party and intragroup outsourcing, and one of the supervisory expectations was that both types of outsourcing are subject to the same governance and risk management principles. The Proposed Guidance states that, while intragroup outsourcing offers benefits such as the consolidation of expertise, it also presents unique risks. In this regard, firms are expected to consider the extent to which they can exert sufficient influence over the group entity, and to ensure that the performance of the outsourced functions is appropriately prioritised internally.
3. Outsourcing and Delegation
The Central Bank expects firms to note that it does not regard "delegation" and "outsourcing" as different concepts and that delegation is subject to the same requirements, for example around oversight, as outsourcing.
4. Governance
The Proposed Guidance reminds firms that their boards and senior management are responsible for all of a firm's activities, whether or not they are outsourced. In addition, the board and senior management are ultimately accountable for the effective oversight and management of outsourcing risk within the firm.
In particular, the board and senior management are expected to:
Have an outsourcing policy in place which is reviewed and approved by the board at least annually;
Assign responsibility for oversight of outsourcing risk and outsourcing arrangements to an appropriately designated individual, function and/or committee, which should be directly accountable to the board;
Ensure that their outsourcing governance and risk management structures are in line with relevant sectoral legislation, regulation and guidelines;
Maintain at all times sufficient substance and not become empty shells or letter-box entities;
Ensure that appropriate skills and knowledge are maintained within the regulated firm to effectively oversee outsourcing arrangements;
Ensure that the method for assessing criticality and importance referred to above is regularly assessed;
Establish and maintain an outsourcing register; and
Ensure that the firm's outsourcing arrangements cannot affect its resolvability.
5. Outsourcing Risk Assessment & Management
Firms are expected to develop outsourcing risk management frameworks in order to monitor, manage and mitigate outsourcing risk. Firms are also expected to conduct outsourcing risk assessments before entering into any outsourcing arrangements.
Sub-Outsourcing Risk
In common with the Discussion Paper, the Proposed Guidance deals with the particular risk posed by sub-outsourcing or chain outsourcing. Again, the requirement is to ensure both visibility (the right of the firm to oversee the outsourcing service provider ("OSP")) and supervisibility (the right of the Central Bank to access and audit the OSP).
Sensitive Data Risk
In what we see as one of the most important areas of the Proposed Guidance, the Central Bank sets out its expectations on how firms should manage the risks relating to the potential loss, alteration, destruction or unauthorised disclosure of sensitive data.
In particular:
Measures to secure and protect data must be set out both in the firm's outsourcing policy and in outsourcing contracts;
A firm should also have a documented data management strategy, which should:
define the firm's approach to data security and management. As regards cloud outsourcing, under the shared responsibility model, the strategy should ensure consistency of application by both the firm and the cloud service provider ("CSP");
again as regards cloud outsourcing, assess and document the risks in respect of any multi-tenanted environment;
address the location of data at rest, data in use and data in transit/transmission;
Firms also need to adhere to specific data protection legislation, including the GDPR, which is especially relevant when outsourcing to a non-EU service provider;
Firms must design a comprehensive security architecture, which may be implemented by both the firm and the OSP. For cloud outsourcing, this requires firms to understand the different cloud deployment models and service offerings including:
SaaS: software as a service;
IaaS: infrastructure as a service; or
PaaS: platform as a service.
Data Security
Firms are expected to design and implement operationally effective controls for:
data-in-transit;
data-in-memory; and
data-at-rest.
Concentration Risk
Concentration risk was one of the main topics of the Discussion Paper, and is another area where cloud services present a unique risk, because a large CSP can become a single point of industry failure.
6. Due Diligence
The Central Bank's expectation is that firms will carry out appropriate and proportionate due diligence on all prospective OSPs or intragroup providers. The Proposed Guidance sets out a detailed list of criteria to be considered by firms when carrying out this process. There is also guidance around the frequency of due diligence reviews.
7. Contractual Arrangements and SLAs
In common with the guidance on due diligence, the Proposed Guidance sets out a detailed list of the provisions to be included within outsourcing agreements, with specific guidance around termination rights, and access, information and audit rights. The Proposed Guidance states that, regardless of criticality or importance, firms should ensure that the agreements do not impede or limit the Central Bank's ability to effectively supervise or audit the regulated firm or its outsourced activity, function or service.
8. Ongoing Monitoring and Challenge
Firms are expected to monitor and assess the performance of their outsourced arrangements on a continuous basis. This will generally be carried out by the first line of defence; however, firms must also include an assessment of outsourcing in the third line of defence, as part of the internal audit.
9. Disaster Recovery and Business Continuity Management
In addition to monitoring the performance of the outsourced arrangements, firms are also expected to continuously assess their own disaster recovery (DR) and business continuity management (BCM) plans in order to ensure continuity of service. Firms are also expected to ensure that these plans align with the OSP's DR/BCM arrangements.
10. Provision of Information to the Central Bank
The final section of the Proposed Guidance relates to firms' obligations to inform the Central Bank of their proposed critical and important outsourcing arrangements, and of any changes to these arrangements.
Conclusion
The Proposed Guidance adds further colour to the Central Bank's supervisory expectations on outsourcing as set out in the 2018 Discussion Paper, and reflects the Central Bank's continued focus on chain outsourcing, sensitive data risk and concentration risk. Although the Proposed Guidance is not yet in final form, our view is that it provides a valuable and detailed insight into the Central Bank's expectations around outsourcing.