Central Bank of Ireland Outsourcing Review – March 2017

Introduction

In July 2013, the CBI1 requirements on the outsourcing of fund administration activities were published. In the first six months of 2016, the CBI carried out a comprehensive review of the outsourcing arrangements in place at fund administrators (“administrators”) regulated in Ireland. The two key areas in this review were the extent to which certain administrators outsource activities and the relevant control environment (governance and oversight arrangements) in respect of such outsourcing. On March 7th 2017, the CBI issued a letter to the CEOs of administrators setting out a number of observations and recommendations for best practice following this review.

The Scale of Outsourcing Activities

The review focused on five administrators and the CBI observed that outsourcing is extensive among larger administrators with between 48% and 61% of activities carried out by staff in OSPs2 as at December 31st 2015. The CBI concluded that:

  • Administrators under review outsourced on average to ten locations
  • Administrators under review outsourced primarily to other group entities
  • Administrators under review were primarily working with two foreign jurisdictions representing a concentration exposure.

The CBI’s overall opinion was that the level of outsourcing observed was at close to the outer limit of what is appropriate for the industry.

Governance and Oversight Arrangements

The CBI is aware that administrators are seeking to achieve efficiencies and reduce overall costs by outsourcing. The increase in outsourcing presents challenges and risks for administrators as they are responsible for the service performed by the OSP. Outsourcing is now deemed to be a key area within operational risk for administrators.

The CBI acknowledges that many of the risks related to outsourcing can be managed through effective governance and oversight arrangements but has advised that it has concerns over the arrangements currently in place at certain administrators. Upon completion of its review, the CBI issued a number of observations and recommendations to administrators who outsource activities. The observations and recommendations issued by the CBI are not exhaustive but are to be used by administrators as guidelines for good practice and to encourage consistent outsourcing practices.

CBI Observations and Recommendations

The observations and recommendations issued by the CBI under three separate lines of defence include the following:

First line of defence – Management controls / internal control measures

  • The appointment of a dedicated outsourcing manager and a dedicated outsourcing team. The CBI observed that not all administrators had a dedicated individual in this role
  • The creation of an outsourcing governance committee to approve outsourcing arrangements and be responsible for on-going oversight of outsourced activities. The CBI observed that all administrators had committees in place
  • The documentation of a formalised outsourcing policy which the CBI observed was in place at all administrators. The CBI recommended that all policies should consider issues such as the outsourcing risks, a cost benefit analysis, how outsourcing will impact the administrator’s overall strategy and how it will oversee the OSP
  • The maintenance of a detailed record of all outsourcing arrangements which should be maintained on an on-going basis. The CBI observed weaknesses with records not being kept up to date at certain administrators
  • The regular assessment of the concentration risk associated with outsourcing arrangements. In certain administrators the CBI observed that no limits on the acceptable level of outsourced activities were in place
  • The demonstration of the ability to “take back” activities from OSPs and a requirement to conduct “take back” testing on a regular basis. The CBI highlighted that this was not being conducted in all administrators. “Take back” testing is particularly relevant to key areas such as production of final NAVs and the CBI commented that the administrator should not place undue reliance on OSPs for key functions
  • The annual review of the administrator’s SLAs3, SOPs4 and KPIs5 with OSPs by the relevant control function. Most administrators were generally deemed to be in compliance with this requirement
  • The arrangement of a formalised training programme on the outsourcing requirements for all staff in the OSP. The CBI recommended that a record of this formalised training should be maintained. The CBI observed an inconsistent approach by administrators in relation to such training.

Second line of defence – Support function oversight/monitoring

  • The tracking of risks related to outsourcing activities by the risk committee. The CBI advised that all administrators were in compliance with this recommendation
  • The receipt of approval from the compliance function before any activity is outsourced. The CBI observed that good practice was being displayed by certain administrators where the compliance function carried out onsite visits to OSPs and produced detailed reports. On the other hand, the CBI commented that it had witnessed situations where the compliance function simply checked that control processes were being followed by OSPs with no verification taking place via a site visit
  • The presence of sufficient compliance staff in the location of the OSP. The CBI observed that certain administrators had no compliance function in the location of the OSP
  • The production of a twelve month compliance review report to review the controls on both sides of the outsourcing arrangement. The CBI observed that this was not in place in all administrators.

Third line of defence – Independent assurance

  • The regulatory status of the OSPs. The CBI observed that in many cases activities are being outsourced to unregulated entities or to regulated entities where the specific outsourced activities are not subject to regulation
  • The tracking of an administrator’s outsourced activities by internal audit. The CBI observed that in all cases internal audit attended the outsourcing governance committee meetings
  • The performance of a twelve month internal audit review of the outsourcing arrangements in place at the administrator and the OSP. The CBI stated that most administrators demonstrated an adequate approach in this regard. The CBI stated that internal audit plays an important role in areas such as assessing whether OSP relationships are aligned with the administrator’s business strategy, assessing whether appropriate staff are in place to perform ongoing monitoring of OSPs and assessing the adequacy of responses to service disruptions.

KB Associates

KB Associates offers a range of services to investment funds including:

  • The provision of UCITS/AIF management company services
  • The provision of designated persons to perform UCITS business plan and AIFMD programme of activity management functions
  • The provision of UCITS/AIF operational support
  • The provision of directors
  • The provision of MLRO6 services
  • The provision of company secretary services.

You can download a copy of our Central Bank of Ireland Outsourcing Review – March 2017 here

If you would like to discuss any issues raised in this article, please feel free to contact Cormac Byrne (+353 1 667 1981) or Paul Carrigg (+353 1 667 1982).

1 Central Bank of Ireland
2 Outsourced Service Providers
3 Service Level Agreement
4 Standard Operating Procedures
5 Key Performance Indicators
6 Money Laundering Reporting Officer