We recently hosted a webinar with a panel of industry experts discussing the key points to note from the new Cross-Industry Guidance on Outsourcing (CP138) and its potential impact.
Des Fullam, Head of Regulation & Client Solutions, Carne Group, hosted the panel discussion with Justyna McNeive, Head of Fund Operations at Mercer, Brendan O’Regan, Managing Director & Head of Business Governance and Outsourcing Oversight at State Street, and Laura Wadding, Partner & Risk Advisory at Deloitte.
You can read the main take-aways from the discussion below and the webinar is also now available to view on demand.
- How we got here
Earlier this year the Central Bank of Ireland (CBI) issued the Cross Industry Guidance on Outsourcing in Consultation Paper CP138. The CBI views the management of outsourcing risk as key from both a Prudential and Conduct perspective. The Guidance resulted from years of a significant programme of work in relation to outsourcing and the management by regulated firms of risks presented by outsourcing arrangements.
- Criticality Assessment, Risk Register
Firms are required to conduct a criticality assessment prior to making an outsourcing appointment and on an ongoing basis. Firms must have a defined methodology for conducting this assessment which clearly sets out the factors and rationale that are considered in making this determination; can be applied consistently across all outsourcing decisions and is in line with relevant sectoral regulations and guidance; and considers the nature, scale and complexity of the firm’s business.
Firms must also produce an outsourcing register, implement KPIs and SLAs, undertake due diligence and put in place a reporting framework in relation to outsourced activities. One of the main challenges is to implement a common framework across organisations that have a global or cross border operating model, which considers the Central Bank’s requirements.
- Delegation & Outsourcing are the same thing according to the CBI
Historically there has been some ambiguity as to whether delegation and outsourcing amounted to the same thing. The regulator has clarified that, in its view, they are equal and therefore the Central Bank’s expectation is that its rules on outsourcing would apply to all delegates.
- Intragroup Outsourcing- The same level of controls apply to it as to 3rd party outsourcing
The CBI has emphasised that it expects the same level of rigor in place with intragroup arrangements as when utilising a 3rd party provider. Historically, intragroup arrangements may not have received the same level of attention and governance arrangements as 3rd party outsourcing. Detailed KPIs and SLAs are often more challenging to implement on an intragroup basis.
Global operating models will also pose a challenge for Irish entities as the Irish entity may not have been central to the decision-making process notwithstanding that it is required to ensure that the policies and procedures applied at group level comply with Irish requirements. The Irish entity is also often relying on centralised oversight teams to consider the requirements of the Irish entity to demonstrate oversight compliance.
- Exit planning strategy for outsourcing arrangements
Resiliency and exit-planning are key considerations in outsourcing arrangements. Intragroup concentrates on resiliency and work shifts between different locations across the world when required, while 3rd party focus is on ongoing resiliency, having solutions and alternatives lined up and tested.
In considering exit planning the EBA and UK acknowledge that there is commonality in terms of systems and oversight policies and procedures in an intragroup arrangement which gives rise to a different risk profile, than an arrangement with a 3rd party element. As noted above the Central Bank’s view is a similar process should apply to both intragroup arrangements and 3rd party providers. This is a point the industry has highlighted in its feedback to the CBI.
- Application of the Guidelines to the Depositary/Custody network
Clarification has been sought that custody services and the use of sub-custodians should be outside the scope of the Guidelines. The PRA in the UK has excluded custodial services from the scope of its outsourcing guidelines and the EBA has also excluded other key parts of market infrastructure such as clearing and settlement from its guidelines. In the absence of such exclusion there is concern that different requirements could apply to the delegation of custody activities to those outlined in the UCITS and AIFMD frameworks. There are already robust network management frameworks in place which govern custodial relationships on a global basis.
- Next steps
The deadline for comments on the Guidelines closed in July 2021. Feedback from the Central Bank is expected in due course.
Firms will need to ensure that they have an outsourcing register, reflecting the Guidelines in place by year-end, as it is proposed that submission of registers will be required from regulated firms on a cyclical basis commencing in January 2022.
We await further guidance from the CBI on an implementation date for the remainder of the Guidelines, but firms have plenty to consider between now and then.
Webinar Poll Results
During the webinar, attendees were invited to answer two poll questions sharing their considerations on raising capital in Europe.
Question 1 – How familiar are you with CP 138?
Question 2 – What areas of CP 138 are you most concerned about?
If you would like to discuss any of the areas covered in the webinar in more detail, please contact Des Fullam or your Carne Relationship Manager.