Guidance set by the CBI in relation to outsourcing late last year requires regulated financial service providers (RFSPs) to establish and maintain an outsourcing register. The CBI recently published template registers to help RFSPs record their relevant outsourcing arrangements and for reporting them via the CBI’s Online Reporting System (ONR).
There are different templates for different sub-sets of the financial services sector. Each template is accompanied by a guidance note which includes instructions for completion and submission of the register for each sector.
The reporting requirement does not apply to all RFSPs in Ireland – only those with a PRISM impact rating of ‘medium low’ or higher must report – but Dublin-based Lucy Deane of Pinsent Masons, who specialises in financial services regulation, has advised all firms to complete their register in case the CBI subsequently requests access to it.
‘PRISM’ is the ‘probability risk and impact system’ of regulation deployed in Irish financial services. Under PRISM, RFSPs are given an impact rating to reflect their importance to the economy. The regulatory standards RFSPs are expected to meet depend on which impact rating they are given. The CBI has said PRISM allows it to better focus its finite resources and that it helps ensure “idiosyncratic approaches to firm supervision are avoided and that potential risks are analysed for the higher impact firms using a common framework”.
“While RFSPs with a PRISM impact rating of ‘medium low’ or above will need to prepare and submit a completed outsourcing register by 7 October 2022, we would suggest that all RFSPs be prepared to provide a completed outsourcing register to supervisors upon request,” Deane said.
The CBI’s outsourcing guidance is designed to assist regulated firms in developing their outsourcing risk management framework to effectively identify, monitor and manage their outsourcing risk. The guidance also sets out the Central Bank’s expectations on governance and management of outsourcing risk and highlights the responsibilities of the board of directors and senior management when outsourcing. The guidance closely follows the European Banking Authority’s own outsourcing guidance but is broader in scope, applying across the various sub-sectors of financial services.
Earlier this year, the CBI imposed its largest ever fine on fund service provider BNY Mellon Fund Services (Ireland) DAC in relation to outsourcing failings. At the time, Andreas Carney and Yvonne Dunn of Pinsent Masons said there was a growing focus of regulators on outsourcing risk and that financial services firms should expect greater scrutiny of their use of cloud services and other third party services in light of a stiffening of requirements in relation to outsourcing arrangements.