Financial Regulation Unit Briefing


November 2018

CENTRAL BANK OF IRELAND REPORT ON OUTSOURCING

Overview

On 19 November 2018, the Central Bank of Ireland (CBI) published a report on outsourcing by regulated firms across different segments of the financial services sector (the Report). The Report sets out the CBI's main findings from its review of regulated firms' outsourcing activities and outlines the CBI's minimum supervisory expectations arising from those findings.

The Report identifies several areas of weakness in firms' management of outsourcing arrangements and outlines the specific actions that it expects firms to take to address these. The three key areas of weakness and related expectations are as follows:

- Governance: boards and senior managers must increase their degree of operational oversight over outsourcing arrangements;
- Risk management: improvements in the identification and active management of outsourcing risks are required; and
- Business continuity management: firms must be in a position to transfer or bring outsourced services in-house if required.

The Report also highlights current outsourcing trends and corresponding risks that arise for regulated firms as a result of particular outsourced activities. Outsourcing to cloud service providers (CSPs), amongst others, is identified as an emerging trend that gives rise to a specific set of challenges that the CBI expects firms to address and mitigate against, including managing data protection, location, concentration, systemic and security risks.

The Report concludes that the results of the CBI's review into outsourcing are disappointing and that the CBI expects regulated firms to take immediate action to remedy the significant weaknesses in firms' management of outsourcing arrangements identified in the Report. The Report communicates the CBI's minimum supervisory expectations and reaffirms the CBI's commitment to increasing regulatory inspections and oversight in this area.

MANAGEMENT OF OUTSOURCING ARRANGEMENTS: MAIN CBI FINDINGS

Governance

The Report, in keeping with the current regulatory landscape, demonstrates an increased focus on the level of responsibility of boards and senior managers of regulated firms for management and oversight of risk. The CBI states that the level of board awareness and quality of governance and risk management remains far from satisfactory, and the Report makes recommendations for improved performance.

Weaknesses identified by the CBI and key CBI findings:

- Board awareness and control: The CBI notes a lack of awareness, understanding and interrogation at board level of the scale of outsourcing arrangements and dependencies on outsourced service providers (OSPs) within regulated firms. This is exacerbated by the complexities of chain outsourcing, where OSPs themselves outsource activities to other OSPs.
- Outsourcing strategy and policy: The CBI expects that regulated firms give due consideration to their outsourcing strategy and are in a position to evidence this. The existence of a board-approved outsourcing policy is not of itself indicative of whether the impact of outsourcing on the firm's ability to deliver its core services is appropriately understood at board level. The CBI states that firms must have a firm-wide outsourcing policy outlining clear lines of responsibility for initial due diligence and ongoing management of outsourced activities.
- Outsourcing of risk management / internal control functions: Outsourcing risk management/internal control functions does not detract from the responsibility of the board and senior management, who remain accountable for the firm's strategies, policies, risk appetite and risk management framework.
- Outsourcing of PCF and CF roles and activities: The CBI's Guidance on Fitness and Probity Standards 2018 outlines requirements in relation to the outsourcing of pre-approval controlled functions (PCF) and controlled functions (CF). The Report reiterates that any outsourcing of these roles does not diminish the responsibility of the board and senior management for the proper performance of those roles.
- Responsibility and oversight: The Report is critical of instances where responsibility for oversight of outsourced activities is not clearly assigned and where a complete register of all outsourcing arrangements is not maintained.
- Contractual arrangements / service level agreements: The Report identifies several weaknesses in outsourcing agreements, including: absence of service level agreements (SLAs) and/or key performance indicators (KPIs), resulting in no objective benchmark for measuring performance of outsourced services; failure to review, revise and monitor SLAs/KPIs; and absence or insufficiency of contractual provisions and controls relating to chain outsourcing.

Key governance expectations include:

- operational oversight of outsourcing risk and arrangements must be clearly assigned to designated relevant persons or committees;
- outsourcing agreements between firms and OSPs must include appropriate SLAs/KPIs;
- boards must have appropriate awareness and oversight of current and proposed outsourcing, evidenced by records of discussions and decisions taken in respect of such activity; and
- firms must be in a position to challenge the quality and performance of all outsourced activities.

Risk Management

The Report identifies significant gaps in the awareness and understanding of outsourcing risk oversight and monitoring responsibilities and identifies areas where the CBI expects firms to develop their current practices.

Weaknesses identified by the CBI and key CBI findings:

- Risk assessments: The CBI expects that risk assessments are an ongoing, systematic process whereby known and potential risks linked to outsourced activities are identified, analysed and mitigated against.
- Due diligence: The Report notes failure by some firms to conduct due diligence on OSPs prior to the commencement of outsourcing arrangements. The CBI notes that regulated firms must ensure that risk controls in relation to outsourced activities are at least as strong as the controls operated by the firm itself.
- Outsourcing of critical or important functions: The Report observes that the number of critical or important services reported as outsourced may be underestimated and provides guidance to assist in the identification of such functions.
- Monitoring and management: The CBI is concerned that 23% of respondents to its survey of regulated firms review their OSP arrangements on a less than annual basis.
- Skills and knowledge: The CBI notes the importance of staff within a firm retaining sufficient in-house knowledge to manage outsourced activities, which may require taking functions back in-house if required. It is imperative that OSPs receive an appropriate handover and that monitoring processes include the identification of key risk indicators as well as early warning indicators of service disruption issues.

Key risk management expectations include:

- firms must conduct risk assessments in respect of any outsourcing arrangement;
- firms must monitor and identify potential risks arising from OSPs and put in place mitigation plans;
- firms must maintain sufficient skill and knowledge within the firm to meaningfully monitor outsourced services; and
- firms' risk management structures must adhere to relevant regulatory guidelines and, in the case of IT systems, be in line with the Central Bank's Cross Industry Guidance in respect of information technology and cybersecurity risks.

Business Continuity Management (BCM)

The CBI highlights that firms must be alert to business continuity risks associated with outsourcing. The CBI sees robust BCM as integral to effective management of outsourcing risks.

Weaknesses identified by the CBI and key CBI findings:

- BCM testing: The Report notes a lack of awareness by firms of BCM processes in place with their OSPs, including the level of support firms would receive if an OSP invoked its own business continuity plan (BCP).
- Deficiencies in BCP testing outcomes: The Report indicates that where BCP testing with OSPs does take place, remedial action should be taken against the OSP if performance is inadequate.
- Exit strategies: The Report observes that the 2006 CEBS Outsourcing Guidelines provide that in-scope firms should have arrangements in place for unexpected termination of an outsourcing agreement, including a defined exit strategy and a sufficient timeframe for transfer of services to an alternative OSP or to bring the services in-house. The CBI states that regulated firms should consider implementing interim contingency arrangements, especially if a service is critical.

Key business continuity management expectations include:

- firms must have back-up plans in place and consider, plan and test scenarios which may warrant the transfer of activities to an alternative OSP or in-house;
- firms must adhere to the relevant sectoral regulatory requirements and guidelines in relation to BCPs and exit strategies; and
- regulated firms and their OSPs must have BCPs in place, and firms must review such plans in light of evolving technologies, trends and risks.

EVOLVING TRENDS AND KEY OUTSOURCING RISKS

Evolving Trends

The Report sets out prevalent and emerging trends of outsourcing activity amongst regulated firms, including outsourcing to CSPs and outsourcing to or partnering with FinTechs and RegTechs.

Cloud Outsourcing

The CBI is particularly focused on cloud computing and regulated firms' outsourcing to CSPs, and raises concerns over the widespread use of several large suppliers of IT and cloud computing services, which creates systemic risk within the financial services industry. The Report states that the use of CSPs also raises challenges in terms of data protection, location, concentration and systemic risk issues and security issues.

The CBI states that it expects firms to consider existing sectoral guidelines and references the European Banking Authority's Guidelines on Outsourcing to CSPs (EBA CSP Guidelines), applicable as of 1 July 2018. The CBI states that the EBA CSP Guidelines may assist regulated firms to overcome the high level of uncertainty surrounding supervisory expectations related to cloud outsourcing. The CBI states that this Report is to be considered supplemental to existing regulatory guidance.

Partnering with FinTechs and RegTechs

The Report finds that the prevalence of outsourcing arrangements between regulated firms and FinTechs and RegTechs may be underreported and that this may be attributable to regulated firms' classification of relationships with FinTechs and RegTechs as strategic partnerships or collaborative strategies rather than outsourcing agreements. The CBI states that if the failure of the OSP to fulfil its part of the service would prevent the regulated firm from carrying out its critical or important business activities, or impair it from delivering its service to customers, then that relationship may fall within the definition of outsourcing and must be treated accordingly by the regulated firm.

Key Outsourcing Risks

The following section sets out the four primary outsourcing risks that the CBI has identified and highlights some of the corresponding issues that the CBI expects firms to address following the publication of this Report.

Substitutability Risk

The Report indicates that regulated firms must manage substitutability risk by ensuring that clear and viable contingency plans and exit strategies are in place so that business continuity can be ensured if the risk occurs. Firms should explore options including bringing the service in-house or identifying a back-up OSP.

Key issues for firms to address include:

- whether the firm has determined the substitutability of the outsourced service; and
- how data will be transferred from the OSP to an alternative provider in a timely manner.

Sensitive Data Risk

In scenarios where data is being transmitted to an OSP there is a risk of data loss, alteration, corruption, or unauthorised access to data while in transit. Appropriate storage, retention and destruction of data needs to be carefully managed, and firms should be mindful that data breaches can cause significant reputational and/or prudential damage to the firm, particularly when the OSP is offshore and not subject to data protection laws equivalent to Irish data protection laws. Particular data risks arise when using CSPs, and the CBI indicates that maintaining appropriate in-house skills and knowledge is key to mitigating those risks.

Key issues for firms to address include:

- whether the regulated firm has ensured that data protection standards applied by their OSPs are aligned to the standards of the regulated firm; and
- whether the firm has considered the location of data when engaging the services of CSPs.

Offshoring Risk

Visibility and Supervisibility Risk

Visibility risk arises from the physical distance of the regulated firm from the OSP, which complicates effective oversight and is an inherent feature of offshoring. The CBI states that firms should be mindful that the CBI's access rights do not differ depending on a firm's outsourcing structure.

Country Risk

The CBI indicates that firms should consider issues such as the OSP country's regulatory environment, political risk, physical climate risk, cultural or language issues, as well as time-zone and employment conditions. Best practices observed in other industries include conducting on-site visits in advance of commencing an OSP relationship and ongoing monitoring overseen by senior management.

Brexit

Regulated firms ought to consider implications for their outsourcing arrangements arising from Brexit. Post-Brexit issues, such as possible regulatory changes in the UK and transfer of data outside the EU, should be considered.

Chain Outsourcing / Sub-contracting

If sub-contracting is occurring, the regulated firm must ensure compliance with the outsourcing contract and relevant SLA by the sub-contracted entity.

Key issues for firms to address include:

- whether the firm has assessed offshoring risk factors; and
- whether the firm has conducted scenario planning in respect of Brexit.

Concentration Risk

Concentration risk in the outsourcing context is the probability of loss arising from a lack of diversification of OSPs. The Report finds that some OSPs provide multiple critical and important services to clusters of financial services firms in Ireland and that there are further concentrations at sectoral level. Concentration risk arising from the widespread use of CSPs is identified as an increasingly significant issue requiring the attention of individual firms.

The Report identifies concentration risk as a systemic issue at industry level. Large suppliers of IT and CSPs can become a single point of industry failure when many institutions rely on the same provider, and some OSPs may hold significant leverage owing to the nature of the services provided.

Shorter OSP contract duration and more regular review of the outsourced activities may mitigate concentration risk. Contracts should include conditions that require the prior consent of the outsourcing firm to sub-outsourcing by OSPs. Firms should also be aware of concentration risk arising from chain outsourcing and may seek to review contracts to determine whether their efforts at diversification are undermined by sub-contracting by their OSP.

Key issues for firms to address include:

- whether the regulated firm has considered concentration risk in respect of OSPs and CSPs; and
- whether the firm has considered concentration risk prior to entering new outsourcing arrangements.

FINANCIAL REGULATION UNIT COMMENTS

The Report is not presented by the CBI as a distillation of regulatory requirements relating to outsourcing. However, it is a useful overview of the CBI's latest thinking on areas of risk and its expectations of firms in these areas. Many of the findings will not come as a surprise to industry, but it is prudent for all regulated firms to review their current approach to outsourcing in the light of the Report to proactively mitigate regulatory risk.

The CBI expects regulated firms to conduct appropriate outsourcing risk assessments, both initially and on an ongoing basis. The Report also makes clear that the risk management framework in many cases necessarily requires increased input from, and reporting to, the board and senior management, reviews of contractual arrangements, and increased ongoing supervision and oversight.

It is clear that the development of a well-drafted and comprehensive outsourcing policy, with appropriate SLAs/KPIs, should be viewed by a regulated firm as a regulatory imperative. Such a review should be treated as a strategic opportunity to reflect in greater detail on the unique requirements of the business of the firm. Thereafter, managing the outsourcing agreement and associated SLAs/KPIs and maintaining a close working relationship with the chosen OSP are essential elements of successful outsourcing.

It is notable that the Report does not focus on one of the most contentious issues in any outsourcing arrangement, which is the allocation of liability and risk between the firm and the OSP. The value of a policy or contractual covenant, no matter how well drafted, needs to be seen in light of the limitations and exclusions of liability in the outsourcing agreement with an OSP and its sub-contractors.

In line with current CBI priorities, the Report evidences an intention of the CBI to engage in closer supervisory inspection and interrogation of firms' outsourcing arrangements and to hold senior individuals and boards to account for shortcomings. It is therefore crucial that such persons make themselves aware of existing weaknesses in their outsourcing frameworks and take appropriate remedial action.

HOW CAN WILLIAM FRY HELP?

William Fry can assist regulated firms in relation to:

- reviewing and updating outsourcing policies and procedures to ensure they comply with applicable regulatory standards;
- reviewing and updating outsourcing agreements and SLAs/KPIs with OSPs;
- providing training and advice concerning the management and mitigation of outsourcing risk, including the CBI's expectations of boards and senior management;
- assisting regulated firms to comply with sectoral guidance on outsourcing; and
- advising on regulatory inspections and enforcement in relation to outsourcing.

CONTACT OUR FINANCIAL REGULATION UNIT

For further information, please contact any member of the William Fry Financial Regulation Unit.

Shane Kelleher, Partner, Head of Financial Regulation Unit, +353 1 639 5148, Shane.Kelleher@williamfry.com
John O'Connor, Partner, Technology, +353 1 639 5183, John.OConnor@williamfry.com
John Aherne, Partner, Asset Management & Investment Funds, +353 1 639 5321, John.Aherne@williamfry.com
Patricia Taylor, Partner, Asset Management & Investment Funds, +353 1 639 5222, Patricia.Taylor@williamfry.com
Lisa Carty, Partner, Litigation & Dispute Resolution, +353 1 639 5386, Lisa.Carty@williamfry.com
Naoise Harnett, Partner, Insurance & Reinsurance, +353 1 639 5259, Naoise.Harnett@williamfry.com

DUBLIN | LONDON | NEW YORK | SAN FRANCISCO | SILICON VALLEY
T: +353 1 639 5000 | E: info@williamfry.com | williamfry.com