Central Bank Guidance On Outsourcing: Implications For Fund Management Companies – Finance and Banking

Key Points to Note:

• Management Companies are expected to develop an appropriate and
  effective outsourcing risk management framework in line with the
  Guidance.

• This will require assessment of existing governance
  arrangements, policies and procedures and contracts in place with
  OSPs

• Guidance applies from 17 December 2021 but the Central Bank
  will be “mindful of the adjustments to be made by the
  firms relative to the nature, scale and complexity of the use of
  outsourcing as an element of their business model” in
  exercising its supervisory power.

Following its consultation on the topic of outsourcing earlier
this year¹ the Central Bank of Ireland
(“Central Bank“) has published its
finalised 
Cross-Industry Guidance on
Outsourcing (“Guidance“)
together with a feedback statement providing the rationale for some
of the approaches taken by it in finalising the Guidance (“
Feedback Statement“).

While the Guidance will be of relevance to all firms regulated
by the Central Bank, in this briefing, we consider the implications
of the Guidance on Irish fund management
companies² (“Management
Companies”).

Purpose of the Guidance

In recognition of the “increasing reliance of many
regulated firms on outsourced service providers”, the Guidance
is intended to assist regulated firms in developing their
outsourcing risk management framework to effectively identify,
monitor and manage their outsourcing risks. It is intended to
supplement existing sectoral legislation, regulations and
guidelines on outsourcing and sets down the Central Bank’s
expectations of good practice for effective management of
outsourcing risk.

Overview of Some Key Concepts

Before considering some of the specific issues which will arise
for Management Companies in complying with the Guidance, we have
set out some key concepts which are relevant when considering the
implications of the Guidance for Management Companies:

• While Management Companies are already subject to detailed
  delegation rules under the UCITS and AIFMD frameworks, the Central
  Bank Fund Management Company Guidance as well as the expectations
  of the Central Bank as outlined in its October 2020 
  Dear Chair Letter, (“Dear Chair
  Letter”), the Central Bank has made clear that it
  expects Management Companies to assess the adequacy and
  effectiveness of their existing outsourcing/delegation risk
  management framework against the provisions of the Guidance. In
  this regard, the Central Bank notes in the Feedback Statement that
  the delegation rules set down under the UCITS and AIFMD framework
  relating to specific tasks should be viewed as “imposing
  additional requirements not reducing the obligations of the entity
  in question. In respect of both delegation and outsourcing, all
  arrangements require effective due diligence, appropriate oversight
  arrangements and good governance to ensure that any tasks not
  performed by the regulated entity are carried out to a high
  standard with ultimate responsibility for the function being
  retained by the regulated entity.”

• The Central Bank recognises that the Guidance should be
  complied with in a proportionate manner by regulated firms, taking
  into account the relevant firm’s nature, scale and complexity
  of its business activities and the degree to which the firm engages
  in outsourcing. In other words, the Central Bank does not expect
  all Management Companies to comply with the Guidance in the same
  way, acknowledging that “it may not be appropriate for certain
  smaller, less complex regulated firms to adopt, in full, all
  measures set out in the Guidance”. When deciding how to
  implement measures to comply with the Guidance, Management
  Companies should also have regard to whether the relevant
  outsourced activity is deemed “critical” or
  “important”;

• Under the Guidance, it is possible to adopt different practices
  to those outlined by the Central Bank in order to manage
  outsourcing risk but in such circumstances, such practices must be
  considered and approved by the board of directors of the relevant
  Management Company (“Board”) and the
  Management Company should be in a position to explain the rationale
  for any such approach to the Central Bank;

• The Central Bank will expect Management Companies to comply
  with the Guidance in respect not only of outsourcing arrangements
  in place with third parties but also those outsourcing arrangements
  in place with entities within their own groups (referred to in the
  Guidance as “intragroup” arrangements);

• While Management Companies will be used to complying with
  specific delegation rules set down in the UCITS framework or AIFMD
  frameworks which apply in the case of delegation of regulated
  activities, outsourcing arrangements with unregulated outsourcing
  service providers, including cloud service providers also fall
  within the scope of the Guidance; and

• Management Companies will be required to put in place both a
  documented outsourcing strategy and documented outsourcing policy,
  each of which is considered in more detail below.

Identification of “Critical or Important” Outsourcing
Arrangements

Under the Guidance, Management Companies will, for the first
time, be required to identify those outsourcing arrangements which
relate to activities or services which are critical or important,
using the criteria set down in Appendix 2 of the Guidance which
incorporates the principles outlined in the recently
published 
IOSCO Principles on
Outsourcing. Appendix 2 also
incorporates some specific guidance for Management Companies which
provides that administrative or technical functions are unlikely to
be critical or important and suggests that Management Companies
could have regard to the definition of the critical or important
functions provided under the ESMA Guidelines on Outsourcing to
Cloud Service Providers³  and the criteria for
assessment of critical or important functions set down under MiFID
II. Functions which are necessary to perform “core business
lines” or “critical business functions” should be
considered as critical or important⁴ . This
assessment should be carried out in respect of all activities or
services which are being outsourced by the Management Company,
including IT activities. It is worth noting in this regard that
certain provisions of the Guidance only apply to the outsourcing of
activities or services which have been categorised as critical or
important.

The Central Bank expects Management Companies to have a defined
and documented methodology for determining whether a service or
function is critical or important which should be approved by the
Board. It would seem appropriate that this should also identify
those within the organisation who are responsible for determining
whether or not a specific service or function is critical or
important.

The assessment of criticality and importance, including the
methodology used in such assessment, must be reviewed at
appropriate intervals in conjunction with the outsourcing policy.
The Central Bank also suggests that such a review should be carried
out if a Management Company decides to scale up its use of the
services being provided by the outsourced service provider
(“OSP“) or its dependency on such
services or if there is an organisational change in the OSP such as
a change to the ownership or financial position of that OSP or a
material sub-outsourced service provider.

Governance and the role of the Board and Senior Management

The Guidance outlines that Boards and senior management of
regulated firms are responsible for all activities undertaken by
the regulated firm including those activities which are conducted
on the regulated firm’s behalf by any third party, including
any group entity. The Central Bank prescribes that the Board and
senior management are ultimately accountable for the effective
oversight and management of outsourcing risk within its business.
This includes ensuring that there are appropriate structures in
place to facilitate comprehensive oversight of the outsourcing
universe.

Under the Guidance, Boards and senior management will be
required to develop existing risk management frameworks to ensure
that the governance and risk management of their outsourcing
frameworks operates effectively and is in line with the supervisory
expectations. Outsourcing risk should also be reflected in the
overarching risk register of the Management Company.

In addition, the risk management framework must consider and
document the controls to be put in place to minimise exposure to
any risks identified and ensure that these controls and the
mechanism for monitoring their effectiveness, are reflected in the
relevant outsourcing contracts and service level agreements.

Boards are expected to regularly review their outsourcing
arrangements, with particular focus on those outsourcing
arrangements which relate to critical or important functions.

Such outsourcing governance and risk management structures must
be in line with relevant sectoral legislation, regulation and
guidelines applicable to Management Companies and should not impede
the Management Company’s ability to meet the conditions with
which it must comply in order to remain authorised, including any
conditions imposed by the Central Bank. Consistent with the
concerns raised by it in its Dear Chair Letter, outsourcing
arrangements should not be such that they result in a Management
Company becoming an “empty shell” or “letter
box” entity.

The Guidance outlines that the Central Bank expects firms to
appoint a designated individual, function and/or committee to
ensure that outsourcing arrangements are overseen and reported on
appropriately. This designated function should be directly
accountable to the Board. Management Companies should also be
satisfied that the reporting framework is such that the Board and
senior management receive sufficiently detailed reports on
outsourcing arrangements on an ongoing basis and that an
appropriate escalation process is in place to ensure that they can
adequately govern outsourcing risks arising.

Under the Guidance, Boards are also expected to establish an
outsourcing register to identify and facilitate appropriate
oversight and awareness of current and proposed outsourcing
arrangements, and the associated risks, including the extent of the
Management Company’s dependence on critical OSPs. The Guidance
sets out the Central Bank’s specific expectations relating to
the maintenance of outsourcing registers, including the content and
completion of such register which is set down in Appendix 3
thereto. The Central Bank has confirmed in its Feedback Statement
that a spreadsheet template for the outsourcing register will be
made available for all firms to download from its website during
Quarter 1 of 2022. It also confirms that all Management Companies
(and other firms regulated by the Central Bank) which have a PRISM
Impact Rating of Medium Low or higher must submit their outsourcing
register via an online return on an annual basis. The first
submission is currently planned for such firms for Quarter 2 of
2022 and the Central Bank will notify such firms “within a
reasonable notice period” of the specific filing
requirements for 2022. “Low Impact” Management Companies
may be required to submit their outsourcing register on a case by
case basis by their supervisor.

Outsourcing Strategy and Outsourcing Policy

Under the Guidance, Management Companies are expected to have a
documented outsourcing strategy in place which is aligned to their
business strategy, business model, risk appetite, and risk
management framework. This strategy should be supported through
appropriate policies, procedures and controls.

In formulating an outsourcing strategy, consideration must be
given to a number of areas, including but not limited to:

• the extent of outsourcing that the Management Company intends
  to undertake;




• the types of activities and functions it will consider
  outsourcing;




• the risks which arise from its outsourcing arrangements
  including how they will be managed and mitigated; and




• the extent to which the Management Company has the skills and
  capacity to monitor and exercise oversight of outsourcing
  arrangements. We would anticipate that this should also identify
  any functions which the Management Company determines are not
  suitable for outsourcing in light of its risk appetite.

As part of this outsourcing strategy, and in a new departure,
Management Companies must have a documented firm-wide outsourcing
policy, which is reviewed and approved by the Board at least
annually. The Central Bank expects that the policy should outline
its risk appetite as it relates to outsourcing, the roles and
responsibilities within the Management Company for the oversight
and management of outsourcing risk as well the criteria and
methodology for the identification and classification of
outsourcing arrangements as critical or important. The policy
should also address the approach to the identification, assessment,
mitigation and management of risks associated with outsourcing as
well as the approach to initial and ongoing due diligence on OSPs
and the ongoing management, monitoring and review of outsourced
arrangements in place.

Amongst other matters identified by the Central Bank in the
Guidance, the outsourcing policy should also address:

• the process for approval of new outsourcing arrangements;




• the requirement to put in place appropriate contracts, written
  agreements and SLAs with the relevant OSP;




• sub-outsourcing particularly with regard to critical or
  important functions or material parts of such functions;




• the risk management framework and structures for operational
  oversight and controls;




• conflicts of interest,




• business continuity arrangements as they pertain to the
  outsourcing arrangements;




• a documented exit strategy for each outsourcing arrangement
  deemed critical or important; and




• termination processes generally, including in the event of
  unexpected termination of an outsourcing arrangement and the need
  for contingency arrangements.

The Guidance also highlights the importance that the Management
Company’s outsourcing policy addresses maintenance of
appropriate records in relation to its outsourcing universe in
order to appropriately manage risk.

Outsourcing of Risk Management and Internal Control
Functions

The Central Bank expects Management Companies to apply due care
and attention when considering and appointing the outsourcing of
those roles which have been designated by the Central Bank as
pre-approval controlled functions
(“PCFs“) and or controlled functions
(“CFs“). It also reiterates that the
Management Company remains responsible for compliance with its
obligations and that any outsourcing of PCF or CF roles does not
diminish the responsibility of the Board or senior management in
this regard.

Outsourcing Risk Assessment

A comprehensive risk assessment, which the Central Bank
considers to be a “key tool in enabling appropriate and
adequate oversight of outsourced activities“, should be
conducted prior to entering into any outsourcing arrangement. Such
risk assessments should be tailored to take account of specific
risks identified by the Central Bank in the Guidance including,
inter alia, sub-outsourcing risks, sensitive data risks,
concentration risks⁵, offshoring risks, step-in risk and
any other additional risks associated with the relevant outsourcing
arrangement. Helpfully, the Central Bank has provided specific
guidance on the risks associated with outsourcing in the Guidance
which should assist Management Companies in designing their risk
assessments.

Under the Guidance, Boards are expected to review and refresh
their risk assessments on a periodic basis, to ensure that in the
case of each Management Company, the risk assessments continue to
accurately reflect the business of the Management Company,
including for example, its operating environment, legal or
regulatory environment and to ensure they remain reflective of the
current risks to which the Management Company is exposed. The
Guidance sets down certain events which may trigger a review of
outsourcing risk assessments.

Due Diligence

The Guidance outlines the expectations of the Central Bank, both
at an initial stage and on an on-going basis, regarding the due
diligence that regulated firms should carry out on OSPs. The
Guidance outlines specific criteria which must be considered prior
to any outsourcing taking place. These criteria include by way of
example only the OSP’s business model, financial health,
ownership and group structure, consideration of its ability to
“keep pace with innovation“, potential conflicts
of interest (particularly in the case of intragroup arrangements)
and the effectiveness of the OSP’s risk management and internal
controls.

The Guidance also highlights the importance of periodic reviews
of the due diligence being undertaken during the lifecycle of the
outsourcing arrangements. In particular, the Central Bank notes the
need to periodically review the financial health of key OSPs which
provide critical or important services to the Management Company
and the need to undertake additional due diligence assessments
prior to the expiry of any key outsourcing arrangements in order to
determine whether such outsourcing arrangement should be renewed.
As considered in more detail below, the Central Bank highlights
that intragroup arrangements should be approached with the same
rigour as the appointment of external OSPs while noting that the
same risks may arise in all situations.

In line with the development of a financial system focused on
good governance and the adoption of ESG principles and the ESA
Guidelines on Outsourcing, the Central Bank highlights its
expectation that the Management Company satisfies itself that any
outsourcing is being conducted in an ethical and socially
responsible manner and consistent with the values and code of
conduct of the Management Company outsourcing the activities.

Contractual Arrangements and Service Level Agreement

The Guidance stresses the importance of ensuring that adequate
provisions are included in any outsourcing contract put in place
with the OSP which governs the provision of critical or important
functions or services. The Central Bank specifically draws
attention to twenty-one key provisions which it believes should
form the basis for any such contractual arrangement with OSPs,
including a clear description of the outsourced function, the
circumstances in which sub-outsourcing is permitted, the
location(s) of where the services will be performed, data security,
reporting obligations imposed on the OSP, business continuity plans
and termination and exit provisions. These key provisions generally
align with the contractual provisions prescribed by the EBA
Guidelines on Outsourcing and are particularly focussed on ensuring
that written agreements governing the provision of critical or
important functions are resolution-resilient.

In the case of sub-outsourcing of a critical or important
function, the Management Company must provide its consent to the
sub-delegation / outsourcing arrangement. While the consent of an
AIFM must be obtained prior to the appointment of any sub-delegate
under existing AIFMD rules, there is currently no such
corresponding consent requirement under the UCITS framework,
meaning that the sub-outsourcing/sub-delegation provisions in
existing contracts entered into by UCITS management companies may,
depending on existing terms, need to be revised in light of the
finalised Guidance.

In line with the outcome from the “Dear Chair” Letter,
the Central Bank again stresses the importance of having service
level agreements in place with OSPs which provide critical or
important functions or services in order to support the formal
contracts in place, whether the relevant OSP is external or
internal to the group. Such service level agreements must
incorporate key performance indicators to allow the Management
Company to monitor performance appropriately.

The Central Bank indicates that any such contract with an OSP
should give the Management Company the ability to terminate the
arrangement in certain specific circumstances identified in the
Guidance. The Guidance also provides that the contract in place
with the OSP should facilitate the re-incorporation of outsourced
functions to the Management Company upon termination or the
transfer of the outsourced function to another OSP. The potential
for the Management Company to ‘re-incorporate’ the
outsourced functions should be considered in light of the substance
requirements of the Central Bank and in light of the Dear Chair
Letter.

In line with the Central Bank’s risk based approach to
supervision of regulated firms, the Central Bank further outlines
its expectation that the internal audit function of regulated firms
should, on a contractual basis, be able to review the performance
of the outsourced function using a risk-based approach. Management
Companies should also consider the investigatory powers of the
Central Bank when negotiating agreements with a particular emphasis
on the Management Company and the Central Bank having full access
to all relevant business premises of the OSP and unrestricted
rights of inspection and auditing related to the outsourcing
arrangements where the relevant OSP is providing critical or
important services to the Management Company.

In keeping with the expectations set out with respect to due
diligence, the Central Bank indicates that periodic reviews of
contracts and outsourcing arrangements should be undertaken where
there are changes to business models or regulatory changes or the
completion of risk assessments warrant a re-consideration of the
continued suitability of the contract. If relevant, contractual
arrangements should also be reviewed in good time before any
scheduled renewal or termination dates in order to ensure smooth
transitions or continuity of service is a decision is taken to
change OSP.

In response to the publication of the Guidance, Management
Companies are advised to conduct a review of all existing
delegation agreements (including for example existing investment
management agreements, administration agreements and distribution
agreements) and other outsourcing and sub-outsourcing contractual
arrangements in place with OSPs which provide critical or important
functions or services to the Management Company in order to
consider whether such arrangements meet the expectations of the
Central Bank as outlined in the Guidance.

Ongoing Monitoring and Challenge

Similar to the approach adopted by the Central Bank in its Fund
Management Company Guidance, the Guidance emphasises the importance
of regular and comprehensive monitoring of outsourced
services/functions. The Central Bank expects Management Companies
to include the three lines of defence as part of its outsourcing
assurance (i.e. involving the Risk Management/Compliance function
as the second line of defence and the internal audit function as
the third line of defence). The Management Company’s
outsourcing risk management arrangements should be such that they
incorporate a mechanism to oversee, monitor, and assess the
appropriateness and performance of its outsourced arrangements is
in place.

In line with the key message of challenge which has been
emphasised by the Central Bank of the last number of years and most
recently in its Dear Chair Letter, the ability to interrogate the
effectiveness and performance of the outsourcing and in particular
the monitoring of any sub-outsourcing are key elements of the
assurance framework which should be in sharp focus for all
Management Companies. The expectations highlighted will require
Management Companies who currently outsource functions to undertake
a review of the existing arrangements in place and to ensure that
they have sufficient and appropriately skilled staff within the
Management Company to oversee the outsourcing arrangements in line
with the supervisory expectations of the Central Bank as outlined
in the Guidance.

The third line of defence, the internal audit function, is seen
as a key function in supporting the assessment of the
appropriateness of outsourcing arrangements. Amongst other matters,
the Central Bank expects that an internal audit function’s
audit programme will assess, using a risk based approach,
whether:

• the outsourcing framework is operating effectively in line with
  the outsourcing policy and the Management Company’s risk
  appetite for outsourcing;




• the outsourcing policies have been reviewed and updated to take
  account of any new legislation, business functions or new or
  emerging risks;




• the correct classification is being used for outsourcing
  arrangements in line with the Management Company’s methodology
  for assessing “criticality and importance”;




• the Management Company’s outsourcing register is being
  appropriately maintained; and




• the oversight of the Board and the monitoring and management of
  its outsourcing arrangement is effective.

To the extent that a Management Company uses third party
certifications provided by the OSP and/or pooled audits as part of
its ongoing monitoring regime, the Management Company should
document how such third party certifications and pooled
audits⁶ are deemed to provide appropriate levels of
assurance in line with its outsourcing policy and its risk
assessment. The Guidance also sets down specific requirements which
must be met where a Management Company uses third party
certifications provided by OPS and/or pooled audits.

Disaster Recovery and Business Continuity Management

In its Feedback Statement, the Central Bank noted that
supervisory review has revealed in some cases that there have been
weaknesses in the quality of controls implemented by firms in the
area of business continuity as well as evidence of a lack of
consideration of resiliency risk. Against this backdrop, the
Guidance sets out the Central Bank’s expectations for regulated
firms in the establishment and oversight of measures to ensure
continuity of outsourced functions in the event of a business
interruption event. Management Companies must consider the disaster
recovery and business continuity measures of their proposed OSPs
and must be satisfied that service disruptions can be maintained by
the OSPs within the impact tolerances and recovery time objectives
of the Management Company. The internal governance of Management
Companies, including business continuity plans and exit strategies,
must be updated to reflect any implications of the relevant
outsourcing arrangement.

In addition, in the case of critical or important services,
Management Companies must: (i) document and implement business
continuity plans (“BCPs“) in relation to
their critical and important outsourced functions and ensure that
these plans are tested and updated on a regular basis; (ii) must
ensure that OSPs are obliged under the arrangements to carry out
testing of their BCPs at least annually and to share the reports
with the relevant Management Company; and (iii) allow the
Management Company to participate in such OSPs BCP testing
“where necessary” and to conduct coordinated testing of
the BCP arrangements on a regular basis. In its Feedback Statement,
the Central Bank noted that the purpose of setting out its
expectations is to ensure that “there is close alignment
of the contingency planning and testing of the OSP and that of the
regulated firm” which it notes is key to ensuring the
“smooth recovery of services critical to the firm in the
event of a disaster“. While it notes that it may not
always be operationally feasible to participate in the OSP’s
business continuity testing or to co-ordinate the testing of the
firm’s and the OSP’s arrangements on a regular basis, it
does note that it should be possible to conduct “combined
“Tabletop Exercises” to walk through the coordinated
recovery processes as a form of testing. It also notes that where a
firm is relying on the business continuity testing performed by the
OSP, that OSP should be able to demonstrate that it has carried out
the testing to a level which the firm considers appropriate in
light of its risk appetite and impact tolerance requirements.

The Guidance makes clear that it is the responsibility of the
Management Company to ensure that corrective action is taken to
remediate any deficiencies identified in the performance of the OSP
relating to disaster recovery and business continuity
management.

Exit Strategies

The Central Bank has also set down a requirement for Management
Companies to have in place appropriate strategies and plans to exit
outsourcing arrangements should the need arise, providing detailed
guidance on the considerations which should be taken into account
when finalising such exit strategies.

Such exit plans may potentially involve the transfer of
activities to another OSP (substitutability) or for the activities
to be taken back in-house by the Management Company. The proposal
that a Management Company will retain the ability to take back an
outsourced activity in-house may not be viable in many instances
for a number of reasons, primarily due to lack of availability of
sufficient resources with appropriate expertise and lack of
operational capability.

In addition, Management Companies will be expected to test
(insofar as is possible) scenarios which may warrant the transfer
of activities to another OSP or back in-house and to periodically
review and update exit strategies to take account of developments
that may alter the feasibility of an exit in stressed or
non-stressed circumstances.

In its Feedback Statement, the Central Bank reiterated that the
issues arising for intragroup arrangements relating to exit
strategies and termination rights are “the same as for any
other third party arrangements especially in respect of critical or
important arrangements”.

Intragroup Arrangements

In the Guidance, the Central Bank has set down its expectations
in respect of intragroup arrangements which will be of particular
relevance to “proprietary” or “related”
Management Companies. It noted in its Feedback Statement that
“intragroup arrangements should not be treated as
inherently less risky than arrangements with third parties outside
a firm’s group although certain aspects of the arrangements may
be managed differently in practice“.

In line with existing rules under the UCITS and AIFMD
frameworks, Management Companies entering into intragroup
outsourcing arrangements should be satisfied that all potential
conflicts of interests arising from such arrangements have been
appropriately identified and managed. Consistent with the Central
Bank’s existing requirements set down in its Fund Management
Company-Guidance, it expects all regulated firms to satisfy
themselves that reliance on group policies and procedures is
appropriate in each case.

In addition to these pre-existing requirements, the Central Bank
expects Management Companies to (i) conduct detailed risk
assessments of both third-party outsourcing arrangements and
intragroup outsourcing arrangements, and (ii) consider and be
satisfied with the extent to which the Management Company can exert
sufficient influence on any group company providing the service.
Therefore a Management Company should be able to demonstrate to the
Central Bank if required that such intragroup delegate is
adequately challenged and appropriately supervised by the
Management Company on an ongoing basis.

Provision of Outsourcing Information to the Central Bank

Under the Guidance, the Central Bank requires timely
notification of any planned “critical or important”
outsourcing arrangement or material changes to existing
“critical or important” outsourcing arrangements. It
identifies specific events which could give rise to an obligation
to notify the Central Bank of the proposed or changing outsourcing
arrangement and provides guidance on the type of information that
must be provided to the Central Bank as part of such notification.
These requirements will not involve a change the existing practice
for Management Companies in the context of appointment of
delegates/OSPs performing regulated services. However, this will
reflect a change to existing practice in the context of the
appointment of delegates/OSPs performing “non-regulated”
services, particularly IT or cybersecurity where these are deemed
“critical or important”.

As noted above, the Central Bank has confirmed in its Feedback
Statement that Management Companies with a PRISM rating of Medium
Low or higher will be required to submit a copy of their
outsourcing register (a template for which will be made available
on the Central Bank’s website during Quarter 1 of 2022) on an
annual basis with the first submission currently planned for
Quarter 2 of 2022. “Low Impact” Management Companies may
be required to submit their outsourcing register on a case by case
basis by their supervisor.

Application of the Guidance to Branches of Oversees
Entities

In response to queries raised as part of the consultation
process on the application of the Guidance to branches of oversees
banks, insurers and other firms (both EU and/or third country
branches), the Central Bank has noted in its Feedback Statement
that it is of the view that “branch to branch service
provision, branch to parent provision and centres of excellence
should all be regarded as forms of inter/intragroup service
provision and as such are indistinguishable from outsourcing in
terms of the risks posed by such arrangements when they are deemed
critical or important” and that “consequently,
the Central Bank expects the Guidance to be applied and the risks
managed in the same manner as any intragroup
arrangements“.

Next Steps

The Central Bank confirmed in its Feedback Statement that the
Guidance comes into effect on the publication date (being 17
December 2021). However it does note that “the supervisory
approach to its implementation will be mindful of the adjustments
to be made by firms relative to the nature, scale and complexity of
the use of outsourcing as an element of their business
model“.

We would suggest that as a first step, Management Companies
should now assess their existing arrangements against the Guidance
to identify what changes will need to be made in order to comply
with the Guidance, the key stakeholders involved and the timeframe
within which necessary steps will be taken. Once finalised, this
implementation plan should be presented to the Board for its
consideration and approval. Once it has been approved by the Board,
Management Companies can then take the necessary actions identified
in the implementation plan to ensure compliance with the Guidance
within the timeframe agreed with the Board.

Footnotes

1 
https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp138/cp138-consultation-on-cross-industry-guidance-on-

outsourcing.pdf?sfvrsn=5 . This consultation process was
preceded by the publication by the Central Bank of a discussion
paper on outsourcing in November 2018

2 For the purposes of this briefing, “fund
management companies” includes UCITS management companies,
AIFMS, internally managed AIFs and self-managed UCITS funds
regulated

by the Central Bank.

3 Available from 
https://www.esma.europa.eu/sit…

4 In its recently published 
Cross Industry Guidance on Operational Resilience, the Central
Bank again uses the concept of “critical or important business
services” in order to calibrate its proposed rules on

operational resilience of regulated firms.

5 Page 15 of the Feedback Statement provides clarity on
the responsibilities of regulated firms regarding the issue of
concentration risk

6 Described by the Central Bank in the Guidance as
onsite audits which are conducted with other regulated
firms

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.