
8 March 2021 | 7 minute read

Outsourcing: A strategic business tool and a key supervisory priority

The Central Bank of Ireland (CBI) has recognised that outsourcing is increasingly being adopted as a key strategic tool to enable financial services providers to respond to the changing nature of the financial services landscape. It notes the rapid growth of FinTech and RegTech, and the plans of many firms to migrate to and adopt cloud services.

It is currently engaged in a public consultation on its proposed Cross-Industry Guidance on Outsourcing, which will “support and complement existing sectoral legislation, regulations and guidelines on outsourcing”. The consultation Discussion Paper will remain open for 5 months, from 25 February until 20 July 2021.

The Guidance will have a number of practical implications which build on existing regulatory requirements; it sets out “the CBI’s expectations more broadly with regard to the management of outsourcing risk”, some of which we highlight here.

Outsourcing Policy & Accountability

For regulated firms currently engaged in outsourcing transactions or considering an outsourcing strategy, including a migration to the cloud, the Central Bank confirms that the proposed Guidance should be applied to these arrangements. Existing outsourcing risk management frameworks should be updated to ensure that they meet the expectations set out in the Guidance.

Regulated firms must have a comprehensive outsourcing policy in place which is reviewed and approved by the Board at least annually. The proposed Guidance contains 16 separate requirements on what the policy should address, including the firm’s “Data Management Strategy”.

There should also be a mechanism in place to provide the Board with a comprehensive view of the firm’s outsourcing universe. Any review of outsourcing practices for this purpose should cover both existing outsourcing arrangements and any proposed new arrangements. Firms should be able to clearly evidence the rationale for their compliance approach and risk management, and that the approach has been considered by the Board or equivalent.

CBI Notification and Engagement

While there is no pre-approval process for outsourcing transactions where such is not already a legal requirement, there are proposals to establish an online regulatory return for submission by regulated firms of their outsourcing registers, on a cyclical basis commencing in January 2022. The Guidance is quite prescriptive on the detail that is required to be collected and maintained in relation to outsourcing transactions.

Migrating to the Cloud

The CBI notes that “most importantly” there is a need for regulated firms to understand (which includes being able to demonstrate understanding at Board and senior management level) and appropriately manage the specific risks relating to the outsourcing of critical or important services to cloud service providers.

There is not yet significant choice for financial services firms when selecting large-scale cloud providers in this market. The CBI notes that there are elevated levels of concentration risk as a result. This can arise directly when moving infrastructure or applications to the cloud, but it also arises indirectly where smaller technology providers to financial services firms sub-contract much of their service to large cloud providers [1].

The concentration risk is described as increasingly significant, and the CBI observes that large IT and cloud providers can be a single point of industry failure and often hold “significant leverage” due to the specialist nature of the services they provide. The direction to regulated firms is to ensure that their ability to negotiate and put in place secure, robust arrangements is not hindered even where there is only a small number of suppliers to choose from. It seems the regulator will expect firms to be able to give a rationale for how and why they were satisfied with the contractual terms they agree for cloud and other IT outsourcing arrangements.

The shared responsibility model (for data security) in cloud transactions should be documented in arrangements with cloud providers so that it is applied consistently by the cloud provider and the regulated customer. However, overall responsibility for oversight of data confidentiality, integrity, availability and authenticity remains with the Board of the regulated firm.

There is still quite a broad requirement to ensure audit and access rights, which we think will continue to present a challenge in negotiating some arrangements. The CBI notes that audit carries a significant degree of complexity when outsourcing to cloud service providers and expects internal and external auditors to have the necessary skills and expertise to audit effectively. This includes interrogating the veracity and reliability of pooled audit and other standard reports offered by suppliers.

Offshoring Data & Data Transfers

The CBI is concerned about visibility and supervisability risk when it comes to off-shoring, although data protection risk management also features. It is notable in this context that an Industry Survey in 2017 confirmed that outsourcing arrangements are in place in over 80 countries, many of which are outside the EU/EEA.

Internationally, many banks (investment and retail) are engaged in large projects (at various stages) to assess offshoring and related data risk, and Schrems II working groups are now more prevalent. Financial services firms ought to have started on planning and strategy, if not on country- and vendor-specific assessments, on the topic. It is advisable to take into account the practical measures needed to manage the broader visibility and supervisability risk when doing so.

As noted above, the firm’s Data Management Strategy should form part of the outsourcing policy and of the contract with the vendor. The expectation is for the implementation of appropriately designed and effective controls for data in transit, data in memory and data at rest.

Disaster Recovery & Business Continuity

Alignment between the regulated firm’s and the outsourcing provider’s disaster recovery (DR) and business continuity (BC) policies remains key, and there is a clear indication that for critical and important outsourcing there should be regular testing (at least annual) of such plans and reporting of findings to the Board.

The CBI outlines 12 specific expectations in relation to business continuity and disaster recovery arrangements and, notably, recommends the creation of a periodic isolated offline back-up (“safe harbour” back-up arrangements) to ensure there will always be a clean copy of critical data available for recovery, whose integrity can be vouched for at a point in time.

Step-in and Exit

There is more of an emphasis on a qualitative assessment of exit strategies. Regulated firms are expected to have considered and documented their impact tolerances for business service interruption and to have processes and procedures for dealing with same. Interestingly, the proposed Guidance supports a link between service levels and exit strategy.

Step-in is considered as part of the exit strategy, and the guidance is to “consider the viability of invoking step-in rights” in stressed scenarios, as well as the form such step-in would take. Provision of financial support and transitioning in-house are two examples of step-in given. There is an acknowledgement that the technical nature of some services (cloud services in particular) will influence the form of step-in, and it is noted that technology solutions and tools are increasingly available to facilitate the switching and portability of data and applications.

Regulated firms therefore need to fully understand and validate the options available from different vendors, and ensure these are included not just as value-added options but as clear contractual rights.

The importance of both issues is particularly evident because the notification of critical or important outsourcing should include “confirmation and latest dates of testing of the… exit strategies” and “the outcome of the assessment of the service provider’s substitutability (as easy, difficult or impossible) and the possibility of reintegration of the function”.

Summary

In summary, outsourcing is clearly a key supervisory priority for the CBI, and regulated firms should ensure that any outsourcing transaction (whether intra-group or third party) is in line with the CBI’s expectations as outlined in its Discussion Paper, as well as with any sector-specific requirements (e.g. the EBA Guidelines), so as to mitigate the risk of enforcement action in this area.

[1] The CBI re-affirms its adoption of the EBA Guidelines on Outsourcing Arrangements and the EIOPA and ESMA Guidelines on outsourcing to cloud service providers.
