Over recent years, organisations have chosen to outsource business activities in order to reduce costs and improve their flexibility and efficiency. Outsourcing is a specific aspect of institutions' governance arrangements and is now a key focus of both the European Banking Authority (‘EBA’) and the Central Bank of Ireland (‘CBI’).
On 25 February 2019, the EBA published its final revised ‘Guidelines on outsourcing arrangements’. The Guidelines will repeal the 2006 guidelines on outsourcing and the EBA’s recommendation on outsourcing to cloud service providers.
Furthermore, the CBI’s discussion paper ‘Outsourcing Findings and Issues for Discussion’, issued on 19 November 2018, follows on from an extensive review of outsourcing arrangements across the Irish financial sector in which 185 regulated firms were surveyed. The review identified significant weaknesses in how outsourcing arrangements are being managed, with the results of the survey being described as “disappointing”.
We have outlined below a number of key questions to consider in relation to your outsourcing arrangements in order to ensure adequate management of your third party risks.
Institutions should ensure that the Board is aware of the scale of outsourcing arrangements and the consequent level of third party dependencies.
Firms should ensure that they conduct adequate risk assessments before entering into an outsourcing arrangement. Risk assessments of outsourcing arrangements should be revisited on an ongoing basis.
Institutions should ensure through their selection process and assessment that the service provider has appropriate and sufficient ability, capacity, resources, organisational structure and, if applicable, required regulatory authorisation(s) to perform the critical or important function in a reliable, controlled and professional manner over the duration of the proposed contract.
Is the ownership of outsourcing risk clearly designated and is there an appropriate oversight and governance structure in place?
Institutions should ensure that banking activities or payment services that require authorisation by a competent authority can only be outsourced to a service provider abroad, if:
Institutions should monitor the performance of service providers and sub-contractors on an ongoing basis, with particular focus on the outsourcing of critical or important functions, including ensuring the availability, integrity and security of data and information.
Institutions should have a clearly defined exit strategy and business continuity plan for all outsourcing of critical or important functions in line with their outsourcing policy, including for the following possibilities:
The Central Bank of Ireland expects all regulated firms to take appropriate action to address the issues outlined in the Outsourcing Findings and Issues for Discussion paper and to be in a position to evidence this to the Central Bank if required. KPMG can help you review the outsourcing arrangements you already have in place and assist you in considering new ones. KPMG can also help you assess the design and implementation of the appropriate policies, procedures and controls, or update your existing outsourcing frameworks, to ensure that third party risks are appropriately considered and adequately managed.
We can help you assess your outsourcing arrangements against our third party risk management framework (TPRMF). Our framework is aligned to regulatory and best practice requirements. Each of the framework elements presents different but often interrelated challenges, including implementation challenges we have helped our clients address.