Andreas Carney and Yvonne Dunn of Pinsent Masons said recent developments in Ireland highlight the growing focus of regulators on outsourcing risk.
Dublin-based Carney said: “There have been significant changes over the past decade, and in particular the last few years, in the regulatory environment in Europe on outsourcing by financial institutions. Previously, outsourcing requirements were set out at a relatively high level in EU legislation such as the Solvency II and MiFID frameworks. Now much more detailed requirements are outlined in guidelines issued by the EU’s supervisory authorities, like the European Banking Authority (EBA), and national regulators – such as the Central Bank of Ireland – have issued their own guidance to help firms meet their obligations when outsourcing.”
“The CBI’s guidance on outsourcing, finalised late last year, closely follows the EBA’s own guidance but is broader in scope, applying across the various sub-sectors of financial services. As well as setting out detailed requirements around things such as risk assessments, regulatory notifications, financial resilience, sub-outsourcing, and the management of ICT and data risks, for example, the CBI’s guidance emphasises the need to have sufficient governance around the ongoing management of outsourcing arrangements during their full term. This is more than just a paper exercise for firms at the outset of the arrangements,” he said.
Dunn said: “We are seeing more financial services firms moving operations to outsourced service providers or to cloud-based systems either themselves or through engagement with cloud-native fintech companies. This gives them access to flexible, cheaper and more innovative technology that enables them to meet customer demand for digital solutions. That shift is essential to meet today’s market challenges, but moving systems and operations to the cloud or other outsourced service providers must not be done at the expense of appropriate oversight over the lifetime of the contract.”