Central Bank Expectations on Outsourcing

insight featured image
All regulated financial services providers (RFSPs) with a PRISM impact rating of medium-low or above should now be preparing to submit their first outsourcing register using a new online return. The first submission is due by 31 July 2022

The Cross-Industry Guidance on Outsourcing was issued by the Central Bank of Ireland (Central Bank) in December 2021, following on from consultation CP138, and has immediate effect. This Guidance is applicable to any RFSP which utilises outsourcing as part of its business model; nevertheless it is applicable proportionately, based on the nature, scale and complexity of the firm's business model and the degree to which it engages in outsourcing.

The Guidance sets out the Central Bank’s expectations on governance and management of outsourcing risk, frameworks to manage associated risks and the responsibilities of directors and senior management when outsourcing. The Central Bank expects Boards and senior management of RFSPs to have reviewed the Guidance and enhance their outsourcing risk management frameworks to effectively identify, monitor and manage their outsourcing risks. In particular, the Central Bank notes that RFSPs should:

  1. Determine the criticality or importance of the function, service or activity to be outsourced. This should determine the risk management measures that should be adopted to ensure resilience and continuity of operations.
  2. Apply the same level of oversight and rigour when conducting an intra-group outsourcing risk assessment as would be applied for any other externally outsourced service provider (OSP).
  3. Ensure that any delegation arrangements are subject to the same oversight and monitoring as other outsourcing arrangements; and be able to demonstrate that the Board has considered any risks associated with delegation.
  4. Document an outsourcing strategy that aligns with the overall business model and risk appetite.
  5. Implement an outsourcing policy that details the methodology for the identification, assessment, mitigation and assessment of outsourcing risks; the procedures for approving new outsourcing arrangements; and the structures for operational oversight and control. This should be reviewed on at least on an annual basis or upon a material change to the business model.
  6. Include outsourcing risks in the overall risk management framework and risk register, conduct risk assessments prior to entering into an outsourcing arrangement, and adopt procedures for overseeing, monitoring, and assessing the OSP.
  7. Conduct detailed initial due diligence on prospective OSPs and review OSPs of critical services annually.
  8. Document arrangements with OSPs using formal contracts or written agreements covering specific provisions as set out in the Guidance.
  9. Ensure the OSPs have adequate business continuity management and disaster recovery measures.
  10. Notify the Central Bank of planned critical or important outsourcing arrangements and of material changes to existing critical or important outsourcing arrangements.
  11. Develop and maintain an outsourcing register to include prescribed information for all existing and future outsourcing arrangements.