Out-Law Analysis | 27 May 2021 | 11:13 am | 4 min. read
Financial institutions in Ireland will be well set to comply with new guidelines on outsourcing proposed by the Central Bank of Ireland (CBI) if they have already taken steps to update their service provider contracts and underlying policies to meet requirements set by three EU supervisory authorities.
The CBI opened a consultation on draft new outsourcing guidelines in February. The guidelines, expected to be finalised later this year, will be relevant to all financial institutions that the CBI regulates. However, institutions should already be familiar with many of the provisions. That is because they closely reflect existing guidelines set by the EU authorities, which separately address different sub-sets of the financial services sector and which are directly applicable to firms operating out of Ireland.
The CBI’s consultation is running at a time when EU policy makers are seeking to codify much of the existing outsourcing guidance in a new EU regulation on digital operational resilience, and as the Prudential Regulation Authority (PRA) in the UK elected to diverge from existing EU guidance in some areas in its recent finalised supervisory statement on outsourcing and third party risk management.
The draft CBI guidance is relevant to all regulated firms operating in Ireland that outsource services and/or functions – including banks and building societies, payment service providers, insurers and investment firms.
The draft guidance largely follows the approach taken by the European Banking Authority (EBA) guidelines on outsourcing arrangements, which were finalised in 2019. Under those guidelines, in-scope institutions have a remaining deadline of 31 December 2021 to review and update their documentation for certain legacy outsourcing arrangements that concern critical or important functions of their operations.
The CBI’s proposals, however, also take account of the EBA’s guidelines on ICT and security risk management, the finalised guidance on outsourcing to cloud service providers from the European Insurance and Occupational Pensions Authority (EIOPA) that began to apply on 1 January 2021, as well as other guidance on outsourcing to cloud service providers that the European Securities and Markets Authority (ESMA) set late last year, following a consultation exercise.
The CBI’s guidance, when finalised, will complement and not replace the existing guidance produced by the EU authorities, which in turn reflects legislative requirements set out in EU regulation such as the Solvency II and MiFID regimes.
From a contractual perspective, the central challenge with the guidelines developed at EU level, and now the CBI guidance, is practically implementing the contracting requirements in outsourcing agreements. Core issues include obligations around data, termination rights and exit planning, requirements around sub-outsourcing, providing for access and audit rights, and ensuring business continuity.
While the CBI’s draft guidelines closely resemble the guidance set by the EU authorities, their introduction will represent another layer of requirements around outsourcing for many financial institutions in Ireland. There will be a particular onus on institutions subject to related requirements in other jurisdictions to ensure their outsourcing agreements comply with all relevant legal and regulatory requirements. They should undertake a review of the regulatory landscape to understand their multiple obligations and adopt a ‘high water mark’ approach to compliance.
The CBI’s draft guidance addresses outsourcing to both intragroup entities and to third party outsourcing service providers, regulated and unregulated. The CBI has placed a significant focus on intragroup arrangements and offshoring risks.
The CBI guidance has included provisions that state that regulated firms should apply the same rigour when conducting outsourcing risk assessments for intragroup arrangements as they would for third party arrangements. The CBI expects regulated firms to consider the risks particular to intragroup arrangements such as conflicts of interest, the remediation of outsourced services where outages impact the wider group, and the appropriateness of the application of group-wide policies.
The CBI is particularly focused on outsourcing relating to information and communications technology (ICT) and on outsourcing to cloud service providers (CSPs). For example, the CBI expects boards and senior management of regulated firms to regularly document the management and monitoring of sub-outsourcing and data security risks.
The CBI has also outlined proposals to ensure that where data is encrypted regulated firms should have guaranteed access to any encryption keys. The PRA in the UK recently softened a similar position it had taken on this issue in its finalised supervisory statement on outsourcing, and many service providers – particularly cloud providers that may find it difficult to ensure guaranteed access to encryption keys – will be hoping that the CBI follows suit when it sets its finalised guidance.
The CBI expects regulated firms to review the financial health of outsourcing service providers providing critical or important services and to review their due diligence assessment prior to the expiry of key contracts before making a decision to renew the contract.
While the EBA outsourcing guidelines do provide for due diligence procedures, the CBI has proposed stiffer requirements – seeking to impose an initial due diligence assessment prior to the termination of an arrangement, which is not provided for in the EBA guidelines.
The CBI has proposed to require regulated firms to have a documented outsourcing strategy in place, aligned with their business strategy, business model, risk appetite, and risk management framework. The strategy, according to the draft provisions, should be supported by appropriate policies, procedures and controls which are in line with the relevant sectoral legislation and are organised to reflect the CBI guidance.
According to the CBI draft guidance, the CBI will expect to be notified of any proposed critical or important outsourcing arrangements – including whether they involve the offshore outsourcing of such critical functions – as well as of material changes to existing critical or important outsourcing arrangements during the term of the agreement, and of the termination of critical or important outsourcing arrangements.
The CBI would, under its proposals, reserve the right to take appropriate action in respect of such arrangements where there is an objectionable risk posed to the financial stability of the regulated firms.
The CBI draft guidance places a strong focus on regulated firms conducting appropriate risk assessments. It would require regulated firms to ensure that such risk assessments are tailored to take account of the specific risks associated with outsourcing, such as sub-outsourcing risks, sensitive data risks, risks around data security, availability and integrity, concentration risks and offshoring risks.
Under the CBI’s proposed new guidance there would also be obligations for regulated firms to ensure there are mechanisms for them to oversee, monitor and assess the appropriateness and performance of outsourced arrangements, with appropriately skilled staff. Those oversight requirements would be relevant to reporting from the outsourcing service provider, benchmarking against key performance indicators in the service level agreement, and assessing business continuity measures. Appropriate internal audit review of the service provider would also need to be undertaken.
The CBI’s consultation is open to comments until 26 July 2021. It plans to publish its final guidelines later this year.
Financial institutions should take the opportunity to review the draft guidelines and engage with the consultation on issues that would merit greater clarification or pragmatism from the CBI, and continue to work towards meeting the EBA’s 31 December 2021 deadline for remediating legacy outsourcing contracts.