Financial firms can expect more scrutiny of outsourcing arrangements

Out-Law News | 07 Apr 2022 | 11:58 am | 2 min. read

Financial services firms can expect greater scrutiny of their use of cloud services and other third party services in light of a stiffening of requirements in relation to outsourcing arrangements, experts have said.

Andreas Carney and Yvonne Dunn of Pinsent Masons said recent developments in Ireland highlight the growing focus of regulators on outsourcing risk.

Dublin-based Carney said: “There have been significant changes over the past decade, and in particular the last few years, in the regulatory environment in Europe on outsourcing by financial institutions. Previously, outsourcing requirements were set out at a relatively high-level in EU legislation such as the Solvency II and MiFID frameworks. Now much more detailed requirements are outlined in guidelines issued by the EU’s supervisory authorities, like the European Banking Authority (EBA), and national regulators – such as the Central Bank of Ireland – have issued their own guidance to help firms meet their obligations when outsourcing.”

“The CBI’s guidance on outsourcing, finalised late last year, closely follows the EBA’s own guidance but is broader in scope, applying across the various sub-sectors of financial services. As well as setting out detailed requirements around things such as risk assessments, regulatory notifications, financial resilience, sub-outsourcing, and the management of ICT and data risks, for example, the CBI’s guidance emphasises the need to have sufficient governance around the ongoing management of outsourcing arrangements during their full term. This is more than just a paper exercise for firms at the outset of the arrangements,” he said.

Dunn said: “We are seeing more financial services firms moving operations to outsourced service providers or to cloud-based systems either themselves or through engagement with cloud-native fintech companies. This gives them access to flexible, cheaper and more innovative technology that enables them to meet customer demand for digital solutions. That shift is essential to meet today’s market challenges, but moving systems and operations to the cloud or other outsourced service providers must not be done at the expense of appropriate oversight over the lifetime of the contract.”

Last month the CBI imposed its largest ever fine on a fund service provider in Ireland in relation to outsourcing failings.

As part of a settlement reached with the CBI, BNY Mellon Fund Services (Ireland) DAC agreed to pay a fine of €10,780,000 and admitted to 16 breaches of regulatory requirements. The CBI said there had been failings over a period spanning more than six years to the end of 2019 and cited issues with the way the provider had identified and managed risks associated with its outsourcing arrangements and its reporting of the issues to it. The CBI also highlighted faults with the provider’s engagement with it in relation to its supervision of the outsourced regulated functions, and said unnecessary risks had arisen for clients, investors and the financial markets.

Carney said: “The requirements firms face on outsourcing must be seen in the broader context of regulators’ attitude towards operational resilience. Many regulators have already stiffened their expectations of firms in relation to how they identify and manage risks that threaten to disrupt the delivery of core services – risks that include those arising in an outsourcing context but also those such as financial market shocks, climate change and cyber attacks.”

“In Ireland, the CBI has issued cross-industry guidance on operational resilience to help firms manage those risks and, like with its outsourcing guidance, the theme of strong governance and oversight is prevalent. Firms should expect further developments in relation to requirements around operational resilience as the ‘DORA’ proposals make their way through the EU law-making process. Regulated firms will need to assess how their arrangements with vendors could impact on the firms’ own operational resilience frameworks and will need to flow down any requirements to their vendors to properly support those frameworks,” he said.