On 7 March 2017 the Central Bank published the results of its review of the governance and oversight arrangements of the outsourcing of fund administration activities to outsourcing providers (“OSPs”) in an industry letter to Irish fund administrators.
The letter follows the Central Bank’s review in 2016 of the outsourcing activities of certain Irish fund administrators and noted that outsourcing was now extensive and continues to grow. The Central Bank’s analysis of five administration firms indicated that between 48% and 61% of fund administration activities are being carried out by OSPs. The aim of the Central Bank’s review was to assess the extent of outsourcing within larger Irish fund administrators and the governance and oversight arrangements in place within these administration firms.
The Central Bank noted that the scale of the current outsourcing activities is significant. Outsourcing occurs in some ten locations, primarily within group entities and the Central Bank noted that there is often considerable concentration exposure in one or more outsourced locations. The Central Bank’s view is that outsourcing levels are likely at or close to the upper limit of what is appropriate for the industry. Despite the increasing efficiencies and reduction in costs that outsourcing may bring, outsourcing is challenging for firms as the firms retain the ultimate responsibility for complying with the Central Bank’s requirements on outsourcing.1 In particular, the Central Bank noted that not all firms were keeping comprehensive outsourcing records and that most OSPs were either not regulated or not regulated in the same way as Irish fund administration firms. Furthermore, the majority of firms had not set limits in respect of the amount of outsourcing permitted for a specific fund administration activity.
The Central Bank identified three key areas which are essential for firms’ compliance with the outsourcing requirements. These are:
» Internal control measures and management controls
» Oversight and monitoring
» Independent assurance
However, the Central Bank noted that its recommendations are not exhaustive and that firms should always evaluate their own outsourcing risk.
INTERNAL CONTROL MEASURES AND MANAGEMENT CONTROLS
The Central Bank recommended the types of matters firms should review in the context of their outsourcing policy and any decisions taken on outsourcing. Firms should carry out regular assessments of the concentration risks arising from the outsourcing arrangements. The Central Bank also recommended that firms maintain sufficient expertise and competence to oversee outsourced activities and should assess the adequacy and effectiveness of the OSP’s business continuity plans. The service level agreements in place with the OSP should be reviewed annually and onsite due diligence visits should be conducted and the Central Bank listed the matters that should be reviewed as a minimum. Maintaining a centralised log of outsourcing arrangements on an ongoing basis was also recommended and the Central Bank should have access to the log on request. Furthermore, staff in the OSP should receive indepth training on the Central Bank’s outsourcing requirements and records capable of demonstrating this should be maintained and kept up to date.
SUPPORT FUNCTION OVERSIGHT AND MONITORING
The Central Bank noted that many administration firms did not visit the OSPs despite having been requested to do so. Firms should ensure that all outsourced activities are conducted in compliance with regulatory obligations and that control mechanisms are effective and appropriate. Permanent compliance staff should be based in the OSP offices to ensure effective oversight of the outsourced activities. In relation to the 12 month compliance review, the best practice was for both the Irish fund administrator and the OSP to review the outsourcing process and firms should be able to demonstrate the rationale for the extent of a compliance review as well as mechanisms used. The annual reports on compliance and internal audit reviews of the outsourcing should confirm compliance with the outsourcing requirements and be sufficiently detailed.
The Central Bank noted that most OSPs used by the firms reviewed were unregulated entities or in some cases were regulated but the specific fund administration activity was not subject to regulation. Internal audit should assess whether OSP relationships align with the firm’s business strategy and identify, assess and manage risks. Furthermore, firms’ processes should be assessed as to their adequacy for responding to material breaches and ensuring appropriate staffing and expertise to perform due diligence and ongoing monitoring of OSPs. Records should evidence that clients have been notified of outsourcing arrangements and be available for inspection by the Central Bank.
Irish fund administrators should assess their current outsourcing activities in the light of the recommendations issued by the Central Bank to ensure that they have strong controls in place around the governance and oversight of their outsourcing arrangements.
Fund boards are likely to require more information from Irish fund administrators about the controls in place in relation to their outsourcing arrangements and may require assurances about a firm’s adherence to the recommendations issued by the Central Bank in this letter.