2021-12-16
The Central Bank of Ireland issued this feedback statement to address stakeholder responses to Consultation Paper 138 regarding its Cross-Industry Guidance on Outsourcing. The document clarifies that the guidance aligns with European Supervisory Authorities standards and applies proportionally to all regulated firms, including branches and the funds sector. It also confirms that intragroup arrangements are subject to the same risk management expectations as third-party outsourcing and refines requirements for sub-outsourcing, contractual agreements, and business continuity testing.
December 2021
Feedback Statement – Consultation Paper 138: Cross-Industry Guidance on Outsourcing
Contents
Introduction
Key Topics for Comment
Introduction

The Central Bank of Ireland’s (the Central Bank’s) consultation paper (CP138) on the Cross-Industry Guidance on Outsourcing (the Guidance) outlined the Central Bank’s expectations regarding the management of outsourcing risk with a view to promoting higher standards of operational resilience in regulated financial service providers (RFSPs or firms). Stakeholders were invited to provide feedback on the Guidance during the consultation period, which closed at the end of July 2021. Twenty-one responses were received during the consultation period from RFSPs, industry representative bodies, associations and outsource service providers (OSPs).[1] The Central Bank is grateful for the time and effort taken by all stakeholders who responded to the consultation.

In general, the feedback welcomed the publication of the Guidance and the clarity it brings in setting out the Central Bank’s expectations for the management of outsourcing risk. Respondents felt the publication of the Guidance was timely given the increased focus on outsourcing at a global and European level.

In this Feedback Statement, the Central Bank is responding to the most material and/or consistently raised aspects of the twenty-one consultation responses. Additional valuable feedback was also obtained by way of meetings held with industry representative bodies following initial consideration of the written responses.
Having considered each response in detail, the following topics were identified as those where feedback, amendment or further clarification is warranted:
- Alignment with existing guidance from the European Supervisory Authorities (ESAs)
- The Principle of Proportionality
- Application of the Guidance to branches and the funds sector
- Intragroup Arrangements
- Sub-Outsourcing
- Contractual Arrangements and SLAs
- Disaster Recovery, Business Continuity Management & Exit Strategies
- Audit and Access Rights
- Concentration Risk
- Offshoring
- Board Oversight

Having reviewed the feedback and taken on board a number of constructive comments and suggestions, the Central Bank has made some specific revisions to the Guidance, which is published together with this Feedback Statement. Where changes have been made, they do not alter the intent or purpose of the Guidance but instead provide additional clarity or context based on some of the consultation responses.

Supervisory Risk Division
Central Bank of Ireland
17 December 2021

[1] See list at Appendix 1.
Key Topics for Comment
clarification of the provisions, which would apply to their sector. Questions were raised regarding the applicability of the Guidance to sole traders, one person / limited partnerships.

Central Bank Response
The Guidance is set out as Cross-Industry Guidance i.e. it is Cross Sectoral. It is deemed relevant to any regulated firm, which utilises outsourcing as part of its business model. Its application is based on applying the overarching principle of proportionality at the level of the individual firm irrespective of the sector in which it operates. In adopting the Guidance, a regulated firm should always have regard to the nature, scale and complexity of its business model and the degree to which it engages in outsourcing. The Central Bank acknowledges that certain aspects of the Guidance may not be appropriate to all regulated firms. However, the test for proportionality should always be underpinned by a robust outsourcing risk assessment and a consideration of the appropriate control environment such that the firm can demonstrate that it has appropriate measures in place to effectively govern and manage outsourcing risk.

3. Application of the Guidance to Branches

Feedback
A number of respondents requested clarification on the applicability of the Guidance to Branches of overseas banks, insurers and other firms (both EU and/or third country branches).

Central Bank Response
The Central Bank is of the view that branch to branch service provision, branch to parent provision and centres of excellence should all be regarded as forms of inter/intragroup service provision and as such are indistinguishable from outsourcing in terms of the risks posed by such arrangements when they are deemed critical or important. Consequently, the Central Bank expects the Guidance to be applied and the risks managed in the same manner as any intragroup arrangements.
4. Application of the Guidance to the Funds Industry

Feedback
A number of respondents raised questions regarding the applicability of the Guidance to investment funds and Fund Service Providers (including Fund Management Companies, Depositaries and Fund Administrators). In particular, respondents advocated that certain activities including clearing, settlement and custodial services should generally be exempt from the definition of outsourcing under the Guidance, citing the approach taken by the EBA and Prudential Regulation Authority (PRA). Respondents proposed that depositaries delegating custody and sub custody arrangements should fall outside the scope of the Guidance.

Separately, specifically for fund depositaries, respondents suggested that it was necessary to draw a distinction between the delegation of safekeeping duties and the delegation of supporting tasks that are linked depositary tasks other than safekeeping.

In relation to Fund Management Companies, respondents noted the existing Fund Management Company Guidance, which addresses similar areas as the Outsourcing Guidance and outlined challenges given the potential duplication of requirements. Respondents also raised the distinction, in their view, between Delegation and Outsourcing.

A further issue raised related to the definition of ‘critical or important’ outsourcing and the lack of existing sectoral regulatory requirements or guidance on this matter. It was pointed out that this was in contrast to other sectors such as Markets in Financial Instruments Directive (MIFID) investment firms. As a result, respondents suggested that they might have difficulty in meeting the Central Bank’s expectation as set out in the Guidance.

Central Bank Response
Application of the Guidance to funds and fund service providers - The Guidance applies to ‘regulated firms’ rather than regulated products.
Consequently, in the case of investment funds, it should be understood that the Guidance will apply in a proportionate manner to the fund service providers associated with the operation of the fund and not to the investment fund itself. Nevertheless, it should be noted that the board of directors of an externally managed investment company should ensure that it supports the ability of the fund management company to comply with all regulatory obligations, including this Guidance.

The definition of ‘critical or important’ - Appendix 2 of the draft Guidance sets out details for various sectors on how to assess what is critical or important outsourcing. The Guidance has been further developed for the funds sector and takes into account the existing elements of the Undertakings for Collective Investment in Transferable Securities (UCITS) and Alternative Investment Fund Managers (AIFMD) frameworks in addition to recent developments at ESMA related to Guidelines on outsourcing to cloud outsourcing providers.

Delegation versus Outsourcing - Under the UCITS and AIFMD frameworks, no distinction is drawn between the terms ‘outsourcing’ or ‘delegation’. The Central Bank has made its view relating to Delegation and Outsourcing (as being one and the same) clear in its Discussion Paper on Outsourcing 2018 and at the subsequent Industry Conference in April 2019. The Consultation Paper and draft Guidance have reiterated the Central Bank’s view that no difference should be inferred where these terms are used. This is because, while legislative requirements might set out specific obligations for certain tasks which are deemed to be delegated, this should be viewed as imposing additional requirements, not reducing the obligations of the entity in question. In respect of both delegation and outsourcing, all arrangements require effective due diligence, appropriate oversight arrangements and good governance to ensure that any tasks not performed by the regulated entity are carried out to a high standard, with ultimate responsibility for the function being retained by the regulated entity.
Fund Depositaries and Custody/Sub-Custodian Arrangements - After considering the feedback received, the Central Bank remains of the view that the provision of custodial services generally may carry the same risks as other forms of outsourcing arrangements and consequently the requirements of the Central Bank’s Guidance should apply to the management of such risks. Specifically, with regard to feedback that certain critical financial market infrastructure should be exempted, including clearing and settlement services provided by Central Securities Depositories (CSDs) and Central Counterparties (CCPs), the Central Bank carefully considered this feedback. While there may be merit to such an approach in terms of clarity, it would also be unduly broad and could be interpreted as including the provision of ancillary services provided by such entities. Therefore, the Central Bank is of the view that the Guidance should apply to outsourcing arrangements involving critical financial market infrastructure in a manner consistent with the firm’s nature, scale and complexity.

5. Intragroup Arrangements

Feedback
A number of respondents acknowledged that intragroup entities require appropriate governance and the risks associated with intragroup outsourcing are similar to third party outsourcing. Some concerns were raised relating to aspects of intragroup arrangements. These focused on the need to differentiate between the risk of outsourcing to third parties and intragroup, the expectation that the burden of control should be lessened, the nature of arrangements for termination, the resolution of conflicts of interest, and in general the need for a more flexible approach to the application of the Central Bank’s control expectations.

Central Bank Response
The Central Bank’s position remains that intragroup arrangements should not be treated as inherently less risky than arrangements with third parties outside a firm’s group, although certain aspects of the arrangements may be managed differently in practice. This position is aligned with international regulatory good practice. The freedom to exercise such management discretions in respect of intragroup arrangements should be directly related to the degree of control or influence which the firm can demonstrate its capacity to exercise over the supplier of service, whether it be a “parent” or “sibling”. This degree of influence sometimes transpires to be less than expected, especially in stressed circumstances.

Firms should be particularly conscious of the possibility that serious conflicts of interest can arise in respect of intragroup arrangements. The possibility of such conflicts should be considered as part of the firm’s risk assessment when establishing the arrangements and mechanisms detailed for the resolution of any which do arise.

On the subject of exit strategies and the termination of intragroup arrangements, the issues are the same as for any other third party arrangements especially in respect of critical or important arrangements.

6. Sub-Outsourcing

Feedback
Requests were received to provide clarity regarding aspects of the requirements in respect of sub-outsourcing including roles and responsibilities for oversight and monitoring, access rights and the application of the Guidance in the case of intragroup sub-outsourcing.

Central Bank Response
The expectations in Part B Sub-Section 5.1 of the Guidance on Sub-Outsourcing relating to the direct oversight and monitoring only apply to critical or important sub-outsourcing arrangements. Each firm’s primary responsibility is to ensure that third party service providers appropriately manage any critical or important sub-outsourcing arrangements. The Central Bank does not expect firms to directly monitor fourth parties in all circumstances. However, before entering into a critical or important outsourcing agreement, firms should consider the potential impact on service delivery of large, complex sub-outsourcing chains on their operational resilience and their capacity to monitor such arrangements and oversee such complexity.

7. Contractual Arrangements & Service Level Agreements (SLAs)

Feedback
A number of respondents raised questions relating to various aspects of the ‘good practice’ expectations detailed for consideration and application in respect of drafting contractual agreements and supporting SLAs. The suggestion was made that perhaps many of the expectations should only apply to critical or important outsourcing arrangements and/or that many would be rejected by OSPs/Cloud Service Providers (CSPs).
Central Bank Response
The purpose of setting out the expectations relating to contractual/written agreements and associated SLAs with the degree of granularity used is to trigger consideration, by firms, of their appropriateness when drawing up new or revised contracts and associated SLAs. Going forward it is appropriate that the expectations set out in the Guidance regarding contractual agreements and associated SLAs will be considered and implemented as appropriate, by firms, for the nature, scale, importance and complexity of each arrangement. This requirement also anticipates the implementation of the draft EU Directive, DORA.[2]

With regard to current agreements, firms should seek to review and update legacy outsourcing agreements as appropriate or necessary, in light of the expectations contained in the Guidance, at their renewal dates or earlier if deemed necessary.

[2] DORA - The EU Digital Operational Resilience Act. The European Commission has published a legislative proposal for a regulation on Digital Operational Resilience in the EU financial services sector. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks.

8. Outsourcing Registers

Feedback
A number of respondents remarked that the Central Bank should maintain absolute consistency with the EBA Guidelines with respect to the data being sought relating to the content of the Outsourcing Registers and that where additional data is sought that it be obtained by way of separate requests. The issue of the frequency for the submission of the Outsourcing Registers was raised and the suggestion was made that it be linked to the Central Bank’s PRISM Impact Rating of firms.

Central Bank Response
The Central Bank has requested that firms retain and provide some additional data elements in their Outsourcing Registers. The Central Bank requires this additional data to assist it in performing its regulatory responsibilities including those relating to the assessment of concentration risk. Some of the data provides additional granularity to ensure clarity within the registers with respect to the service providers with whom firms are contracting. In considering the approach to the submission of Outsourcing Registers, the Central Bank has engaged closely with other NCAs to ensure as much alignment as possible can be achieved in relation to the submission of outsourcing data. It is also noted that much of this additional information was requested as part of the Central Bank’s initial Industry Survey on Outsourcing in 2017.

9. Disaster Recovery, Business Continuity Management, Exit Strategies and Recovery and Resolution

Feedback
Some respondents questioned the need for the granularity of the expectations and the inclusion of references to Recovery and Resolution.

Central Bank Response
The Central Bank is promoting, by way of the Guidance, the need for holistic consideration of these key controls in the context of resiliency to business disruption and stressed exits even where perhaps not already addressed by specific legislation and/or regulation. These are areas where supervisory review has shown that there have been weaknesses in the quality of controls implemented by firms. More importantly perhaps is the evidence of a lack of consideration of resiliency risk demonstrated by the manner in which such controls are implemented, tested in isolation from each other and reported (or not) to senior management. The Central Bank believes that the provision of greater granularity around its policy expectations with respect to these controls will raise Board and senior management awareness of its resiliency concerns and the need to address these in a cohesive manner.
10. Feasibility of Disaster Recovery and Business Continuity Management Expectations

Feedback
A number of respondents raised a concern regarding the feasibility of the expectations referenced at Part B Section 9 of the Guidance - Disaster Recovery and Business Continuity Management Sub Paragraphs g), h), and i).

Central Bank Response
These will be amended to read as follows:

“g) Ensure that they can participate in the OSP’s business continuity plan testing, where necessary and feasible;
h) Use best efforts to conduct coordinated testing of the firm’s and the OSP’s arrangements on a regular basis and share the results with the boards/senior management of both the regulated firm and the OSP;
i) Have sight of reports on business continuity measures and testing undertaken by the OSP and are informed of any relevant actions or remediation arising as a result of this testing, as appropriate;”

The purpose of laying out these specific expectations is to ensure that there is close alignment of the contingency planning and testing of the OSP and that of the regulated firm. This is necessary to ensure the smooth recovery of services critical to the firm in the event of a disaster. The Central Bank is conscious that this may not always be operationally feasible. It should however, be possible to conduct combined “Tabletop Exercises” to walk through coordinated recovery processes as a form of testing.

The Central Bank acknowledges that firms will need to rely on the business continuity testing performed by the OSP. This is acceptable provided that the OSP is able to adequately evidence this testing and demonstrate that it has been conducted at a level the financial institution deems appropriate to its risk appetite and impact tolerance requirements and that it can be aligned with the firm’s contingency measures.
11. Audit & Access Rights

Feedback
Some respondents raised doubts about the ability of firms to require OSPs/CSPs to agree to audit and access rights in the manner required by the EBA Guidelines and the Central Bank’s Guidance. A number of respondents suggested that the Central Bank should not restrict the use of “Pooled Audits” or “Certifications”.

Central Bank Response
While the Central Bank understands that some service providers are endeavouring to restrict audit and access rights, such a stance is unhelpful both for the regulated firm and for the regulator. The Central Bank, as a competent authority, has an obligation under Title V para 110 of the EBA Guidelines, to ensure that regulated firms have ensured such rights of access. Therefore, audit and access rights should be insisted upon by regulated firms in the course of contractual negotiations. Third party and fourth party providers need to be made aware of such regulatory requirements where they apply.

The Central Bank has also made its position clear on the use of “Pooled Audits or Inspections”. The Central Bank has no objection to the use of such alternative means of providing assurance provided that the regulated firm has satisfied itself and can demonstrate to the Central Bank that the work can be conducted by appropriately qualified staff and that the Terms of Reference set for such work by the commissioner of such work are aligned to the requirements of the regulated entity and are sufficiently specific to address the audit needs of the firm.

12. Concentration Risk – Individual & Systemic

Feedback
A number of respondents raised the issue relating to the responsibility of individual firms in respect of concentration risk and in particular systemic concentration risk.

Central Bank Response
In order to ensure there is no misunderstanding relating to such responsibilities regarding the issue of concentration risk the following should assist in providing clarity:

At the Firm Level
Firms, as part of their risk assessments in respect of outsourcing generally and in respect of each particular arrangement, are obliged to consider the potential implication for the firm with respect to concentration risk and should consider the following questions:
- What services will I be outsourcing to a particular supplier/OSP?
- Are the services critical or important?
- If there are multiple services, does it expose the firm to concentration risk?
- Is the OSP readily substitutable?
- Are other FS firms outsourcing to the same OSP and if so is the firm satisfied that the OSP has the capacity to ensure service even in stressed circumstances?

Note: In providing the above clarification, the Central Bank is conscious of the particular circumstances of the Credit Union Sector and its outsourcing arrangements in respect of IT and the limitations on substitutability. The Credit Union Sector needs to be conscious of the business continuity risk that arises as a consequence.

At the Systemic Level
It is accepted that individual firms have limited market intelligence in respect of their possible contribution to systemic risk, but it is a factor that they should be aware of and the risk each firm carries. In addition, firms should understand the Central Bank’s obligations in this regard. The Central Bank recognises the need to develop a pragmatic means of monitoring the threat to financial stability, which might arise from systemic concentration risk. Over time, it is expected that the Central Bank will be in a position to discuss such considerations with individual firms and industry sectors, as its knowledge base grows as a result of the data collected and analysed via the Outsourcing Registers.

13. Offshoring

Feedback
Some respondents raised queries regarding the Central Bank’s position with respect to offshoring. Particular issues raised included concerns that the Central Bank’s position could impede the use of global technologies and infrastructure by Irish based firms. Others requested that the Central Bank publish a list of jurisdictions, which might be subject to constraints.

Central Bank Response
The Central Bank’s concerns with regard to offshoring arise primarily in the context of supervisibility but also in ensuring that the risk assessment conducted by a firm adequately considers all of the risks associated in deploying such outsourcing arrangements as a critical element of its business model. The Central Bank has provided what it believes is appropriate Guidance to firms for consideration in conducting risk assessments in respect of proposed offshored outsourcing arrangements. However, in providing this detailed Guidance it is not the Central Bank’s intention to impede the use of global strategies, infrastructure and/or specific locations (assuming no regulatory barriers exist) or technologies as part of outsourcing arrangements provided that firms can demonstrate prudent risk management and appropriate governance for same.[3]

[3] The Central Bank’s concerns in this regard are aligned with those expressed in the EBA Guidelines in its Rationale and objectives for the Guidelines - Reference P9 Para 18, which speaks to supervisibility.

14. Outsourcing Policy Review

Feedback
A number of respondents raised a query regarding the need for the annual review and approval of the firm’s outsourcing policy by the board.
Central Bank Response
Having considered the suggestions provided, the Central Bank has decided that in the interests of sound governance Part B Section 4.2 relating to review and approval will remain unchanged, i.e. it is crucial that regulated firms have a documented firm-wide Outsourcing Policy, which is reviewed and approved by the board at least annually.

Next Steps & Regulatory Submissions

The Central Bank will publish the finalised Cross-Industry Guidance on Outsourcing in conjunction with this Feedback Statement. While the Guidance will come into effect on the publication date, the supervisory approach to its implementation will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model.

With regard to the expectations set out in the Guidance around the notification of planned critical or important outsourcing arrangements, or material changes to existing arrangements, Notification Templates appropriate to each sector and aligned with the requirements of the EBA Guidelines will be published on the Central Bank website in Q1 2022 with the exception of the template for Banks, which will be published by the SSM and is expected during 2022. The notification of such proposed arrangements does not constitute a pre-approval process and specific timings in respect of the submission of notifications are not prescribed unless required by existing regulation.

With regard to the submission of Outsourcing Registers, the general content of the Registers is contained in Appendix 3 of the finalised Cross-Industry Guidance on Outsourcing. A spreadsheet template for the Outsourcing Register will be made available for all firms to download from the Central Bank website during the first quarter of 2022 as a tool for organising and storing the required data for the Register.

It is intended that all firms[4] whose PRISM Impact Rating is Medium Low (ML) or above (or its equivalent) will submit their Outsourcing Register via a new Online Return on an annual basis. The timing of the first submission is planned for Q2 2022. Firms will be advised within a reasonable notice period in advance of making a submission in 2022.

Low Impact firms may also be asked to submit their Outsourcing Register on a case-by-case basis by their Supervisor. The details and instructions for completion will be communicated to all impacted firms at the earliest possible date giving sufficient advance notice to allow firms to meet the submission deadline.

[4] Except SI Banks who will make their submission to the SSM.