CP138: Five ways to minimise outsourcing risk in the fund services industry

Ocorian’s Kevin Curtis, Head of AIFM Oversight – Ireland, examines the Central Bank of Ireland’s guidelines on outsourcing and outlines the steps fund managers can take to reduce exposure to risk.
By Kevin Curtis

Outsourced and delegated relationships are playing an increasingly critical role in the fund services industry.


In recent years we have seen several high-profile financial services firms reprimanded by the Central Bank of Ireland (“CBI”) and receive fines because of regulatory breaches relating to outsourcing, and for serious failings in the firms’ outsourcing frameworks.


As a result, the CBI published Consultation Paper 138 (“CP138”) in February 2021, consulting on the proposed Cross Industry Guidance on Outsourcing (the “Guidance”). Draft sectoral guidance was issued thereafter, followed by the final publication of the Guidance in December 2021.


CP138 applies to the funds industry. It effectively takes the European Banking Authority guidelines, which weren’t initially applicable to fund service providers (including management companies), and brings those providers up to these standards.


Steps that fund managers can take

For some fund managers, the implementation of the CBI’s published guidelines might entail significant operational change. Here are five steps they can take to best prepare themselves.


  1. Conduct a full audit of outsourced services

The main challenge from a fund manager’s point of view, in terms of dealing with this guidance, is how to bring it all together and document everything. This is because many firms have a wide variety of delegations and outsourcing agreements in place – such as admin services, investment management services, different tech providers, intragroup arrangements and so on.


Generally, all third-party providers will expose a fund manager to a certain level of risk but not all will constitute outsourcing. This is easier to determine in a regulated environment, but grey areas do exist, such as around cloud service providers, who may hold confidential and sensitive data.


Overall, the key is to have a clear definition within the firm as to what constitutes outsourcing and stick to it. Remain cognisant, however, of the areas that carry third-party risk that aren’t part of outsourcing – firms are still required to have some level of oversight over these service providers.


  2. Create a standardised approach for delegating oversight

Businesses must ensure there is strong delegate oversight in place, but issues can arise when the oversight and due diligence functions are managed by different teams or parts of an organisation. These teams may have different approaches. So, the challenge and goal here is around standardising the process and creating a synchronised firmwide approach to delegate oversight. This will be particularly important where businesses have oversight responsibilities in different European jurisdictions that have not yet implemented the same rigour and level of expectations in terms of oversight that the CBI have through CP138.


Managers may try to develop a standard due diligence approach to critical service providers, and a common framework for reviewing service level agreements (SLAs), KPIs and so on. Try to centralise oversight, criticality assessments and the documentation of registers. This could be achieved by establishing an outsourcing committee to oversee the implementation of the Guidance.


  3. Review service-level agreements with intragroup arrangements front of mind

Oftentimes it can be more difficult to get the same level of service/responsiveness from an intragroup agreement than from a third-party organisation whose services are being paid for – particularly in the area of formal SLAs and high-quality detailed KPIs.


As part of CP138 and the Guidance, the CBI have made it explicit that they expect the same approach to be taken to intragroup arrangements as to third parties. Firms need to be clear on the responsibilities of both sides when entering an intragroup arrangement and ensure it is as well documented as it would be for a third-party agreement.


  4. Keep an eye on the bigger regulatory picture

Firms have found themselves caught in the middle of CP138 – this is especially true for administrators and fund management companies where, in many cases, they outsource some of their activities but at the same time services are being outsourced to them. One of the biggest challenges for administrators with a global operating model and several centres of excellence is that the CBI is now deviating in certain areas from the current requirements outlined in EBA or ESMA regulation.


This supervisory convergence issue is becoming a problem as there is a higher bar in Ireland now compared to, say, Luxembourg. Common toolkits and oversight procedures that a group may have in place now need to be adapted for Ireland, which is a challenge.


  5. Initial steps to consider now the Guidance has been published

The Guidance came into immediate effect from 17 December 2021. Boards and senior management should examine the Guidance and assess which areas of their current outsourcing practices will need to be enhanced to meet the new Central Bank expectations.


The Central Bank did note, however, that “the supervisory approach to its implementation will be mindful of the adjustments to be made by firms relative to the nature, scale and complexity of the use of outsourcing as an element of their business model”. Establishing a clear plan that identifies any areas to be prioritised and sets a timeline for the necessary enhancements is a great place to start for firms.


Additionally, within the Feedback Statement the Central Bank have confirmed that management companies with a PRISM rating of Medium Low or above will be required to complete an Outsourcing Register (described within the Guidance) on an annual basis.


Realise your investment strategy

For investment managers looking to domicile and market their alternative investment funds in Europe, outsourcing core alternative investment fund manager (“AIFM”) functions to a provider of third-party management company and AIFM services is a quick, cost effective, and compliant route to cross-border distribution.


Ocorian can provide a platform for third-party AIFM management company services in Luxembourg and Ireland and facilitate access to the European market whilst helping you navigate the changing regulatory landscape.

For more information on how we can support your investment ambitions, visit Ocorian Irish Fund Services.