CBI Cross-Industry Guidance on Outsourcing-CP138

On 25 February 2021, the (“Central Bank of Ireland”) CBI issued a consultation paper on Cross-Industry Guidance on Outsourcing (“CP138”). The draft Guidance is contained in Schedule 1 to CP138. CP138 follows on from the publication of the CBI discussion paper ‘Outsourcing – Findings and Issues for Discussion’ in November 2018. Once finalised CP138 will apply to all financial service providers regulated by the CBI.

CP138 sets out the CBI’s minimum supervisory expectations regarding effective governance, risk management and business continuity processes that should be applied by firms when using outsourcing as part of their business model. It aims to reduce the occurrence of risks such as financial instability and consumer detriment. CP138 also reminds boards and senior management of their responsibilities when considering outsourcing as part of their business model.

CP138 guidelines are set out under ten headings:

1. Assessment of Criticality or Importance of activity/service to be outsourced – defined and documented methodology required for determining criticality of function being outsourced.
2. Intragroup Arrangements – apply the same rigour when conducting outsourcing risk assessments for intragroup arrangements as would be applied for third party arrangements; and consider risks particular to intragroup arrangements such as conflict of interests.
3. Outsourcing and Delegation – these terms are not considered by the CBI to be different concepts and should both be subject to the same level of scrutiny.
4. Governance – boards and senior management should take appropriate steps to ensure that the governance and risk management of their outsourcing framework is appropriate and operating effectively; have a documented outsourcing policy in place updated to reflect CP138.
5. Outsourcing Risk Assessment and Management – ensure the firm’s risk management framework appropriately considers any outsourcing arrangements; conduct comprehensive risk assessment of any proposed outsourcing arrangement.
6. Due Diligence – appropriate and proportionate due diligence reviews to be conducted in respect of all prospective outsourced service providers (“OSPs”) before entering into any arrangements with them, and periodically thereafter. CP138 sets out the criteria which firms are expected to consider when carrying out this due diligence, including the OSP’s regulatory status, financial performance, ownership and reputation, as well as factors such as the substitutability of the OSP, concentration risk, use of sub-contractors, etc.
7. Contractual Arrangements and Service Level Agreements (“SLAs”) – firms should put in place contracts with OSPs, preferably that are legally binding, supported by SLAs; this includes ensuring that contracts relating to critical or important outsourcing are in line with the detailed requirements in relation to content set out in CP138 and in the ‘European Banking Authority (“EBA”) Guidelines on Outsourcing’.
8. Ongoing Monitoring and Challenge of the Outsourcing Framework – put in place mechanisms to oversee, monitor and assess the appropriateness and performance of their outsourced arrangements using a risk-based approach, including conducting onsite reviews of the OSP.
9. Disaster Recovery and Business Continuity Management – ensure continuity of services through robust disaster recovery and business continuity management when engaging the services of an OSP; document and implement business continuity plans in relation to their critical or important outsourced functions and ensure that these plans are tested and updated on a regular basis.
10. Provision of Outsourcing Information to the CBI – Regulated Firms will notify the CBI of proposed critical or important outsourcing arrangements and of material changes to existing critical or important outsourcing arrangements. This includes reporting to the CBI when adverse incidents occur and establishing and maintaining an outsourcing register (containing the detailed information set out in CP138) which will be submitted to the CBI by a periodic regulatory return. The CBI reserves the right to take appropriate action in respect of such arrangements.

Next steps

Consultation on CP138 closes on 26 July 2021. The CBI intends to publish final guidance in 2021.

Download your copy of the CBI Cross-Industry Guidance on Outsourcing-CP138 here

KB Associates Services

KB Associates provides a range of services to investment funds including:

• The provision of UCITS management company/AIFM services
• The provision of designated persons to perform UCITS business plan/AIFMD programme of activity functions.
• The provision of operational and compliance services to both UCITS and AIFMD compliant structures.

If you would like to discuss this note or KB Associates’ services in general, please contact:

• Mike Kirby (+353 1 667 1980) mike.kirby@kbassociates.ie
• Andrew Kehoe (+353 1 613 6396) andrew.kehoe@kbassociates.ie.