From a prudential perspective, historically the Central Bank of Ireland has had overall responsibility for the authorisation and supervision of credit institutions operating in Ireland. From 4 November 2014 this changed with a number of supervisory responsibilities and decision making powers moving to the European Central Bank (ECB) through the establishment of the Single Supervisory Mechanism (SSM).
The ECB is responsible for all core supervisory responsibilities as defined in the Council Regulation (EU) No. 1024/2013 (SSMR). For Significant Institutions, a Joint Supervisory Team (JST), led by the ECB and consisting of both ECB and Central Bank supervisors directly supervise these firms. The Central Bank remains responsible for the supervision of activities of institutions defined as Less Significant.
Prudential risks arising from outsourcing was one of ECB Banking Supervision’s supervisory priorities for 2017 and it carried out a themed review on this topic. The focus of the thematic review was to take stock of selected supervised entities’ outsourced activities and scrutinise how banks are managing the associated risks.
The Central Bank of Ireland has been clear with banks that the responsibility for the proper management of risks associated with outsourcing arrangements and the outsourced activities resides with boards and senior management of banks - not the outsource provider. Banks are required to grant the SSM/Central Bank the right to audit outsource providers. However, all risks remain with the bank and not the outsourced provider.
While there are potential efficiencies or specialist expertise gained through outsourcing certain services, the approach can also potentially increase operational, governance, or conduct risks if not properly managed. When SSM/Central Bank assesses outsourcing arrangements it assesses the full outsourcing life-cycle from the initial risk assessment and due diligence, through the decision-making process and then the on-going monitoring and exit strategies.
The Central Bank has commented on its expectations of banks, which include compliance with the European Banking Authority Guidelines on Outsourcing, and on the findings of its inspections in this area in public speeches.
In November 2016, then Director of Credit Institutions Supervision Ed Sibley said:
Outsourcing is not new, although it continues to increase in prominence as banks seek to reduce costs, and focus more on their core business expertise and value generating activities. We expect strong governance frameworks over outsourcing arrangements, starting with adherence with the EBA guidelines on outsourcing at the very minimum. These guidelines effectively date back to 2006. Banks have had 10 years to ensure they comply with them. However, we continue to see examples of where they do not, resulting in serious risks being run, a lack of ability to manage and drive value from the outsourcing arrangements and ultimately requiring us to take enforcement action in a number of cases.
In its consumer protection role, the Central Bank has been clear that firms cannot derogate from their obligations by contracting a third party to carry out activities on their behalf.
The Central Bank’s Consumer Protection Code (the Code) provides that a regulated entity must ensure that in all its dealings with customers and within the context of its authorisation it ensures that any outsourced activity complies with the requirements of the Code.
The Central Bank expects that a firm’s consumer protection framework must consider and address the consumer protection risks inherent in its approach to outsourcing and the arrangements in place with its outsourcees. Proper terms and conditions must be in place, along with a programme of checking to make sure that the outsourced activity meets the firm's own standards (including its ethical standards).
