RegSol Blog

Implementation of Central Bank’s Outsourcing Guidance

May 2022

In December 2021, the Central Bank of Ireland (the “CBI”) published its Cross Industry Guidance on Outsourcing (the “Guidance”). The Guidance applies on 17th December 2021 to all regulated firms which use outsourcing as part of their business model.

It is accompanied by the CBI’s Feedback Statement providing commentary on industry views and explaining changes made to the Guidance. The Guidance is being introduced to supplement existing sectoral legislation, regulations and guidelines on outsourcing, by setting out the CBI’s expectations of good practice for the effective management of outsourcing risk

The Guidance is intended to assist regulated firms in developing their outsourcing risk management framework to effectively identify, monitor and manage their outsourcing risks. It is applicable proportionately, based on the nature, scale and complexity of each firm's business model and degree to which it engages in outsourcing.

The extent of measures applied should also be informed by the regulated firm’s assessment of whether the outsourced service or activity is deemed critical or important, except where it is highlighted that the requirements should take account of all outsourcing arrangements.

The CBI acknowledges that all measures of the Guidance may not be appropriate for smaller, less complex regulated firms to adopt in full. In those instances, the CBI confirms such firms may decide to adopt different practices to those covered in the Guidance although they must still ensure compliance with the relevant sectoral legislation, regulation and guidelines. Such firms are also expected to be in a position to explain the reason, upon request, for proceeding as they have done to the CBI. The firms must be able to clearly evidence the rationale for their approach and that the approach has been considered and approved by the board or equivalent.

The following are some of the key factors which should be considered when developing frameworks to manage outsourcing risks:

  • Principle of Proportionality: Firms will need to assess and analyse the Guidance with a view to implementing same within their outsourcing frameworks in a proportionate manner.
  • Strategy & Policy for Outsourcing: Firms should document their outsourcing policy in its business strategy, business model, risk appetite and risk management framework.
  • Sensitive Data Risk: To prevent data breaches or unauthorised disclosure of customer, employee or commercially sensitive data, firms need to implement appropriate measures for the storage, management, retention and destruction of this data and to set out these measures in the firm’s outsourcing policy and agreements governing outsourcing arrangements.
  • Sub-outsourcing: Firms must be aware of and have appropriate governance and risk management arrangements in place in respect of sub-outsourcing, especially if same are spread across different physical and geographical locations. Firms should determine their appetite for sub-outsourcing as part of their outsourcing policy and actively manage the associated risks via their contractual arrangements and monitoring and oversight mechanisms.
  • Board Oversight: The responsibility and accountability for effective oversight for all outsourced regulated activities ultimately rests with the board and senior management.
The Guidance also outlines other key aspects such as Disaster Recovery, Business Continuity Management & Exit Strategies, Audit and Access Rights and Concentration Risk, which firms should consider when it comes to their outsourcing activities.

The CBI intends that all firms whose PRISM Impact Rating is Medium Low or above will submit their outsourcing register via a new Online Return on an annual basis. The timing of the first submission is planned for Q2 2022. Low Impact firms may also be asked to submit their outsourcing register on a case-by-case basis by their supervisor.

Outsourcing is a key strategic area of focus for the CBI therefore firms must be aware of and implement the requirements of the Guidance on a proportionate basis when engaging with OSPs. A failure to have effect governance and risk management processes in relation to outsourcing has resulted in a recent CBI enforcement action and a large fine being imposed – see BYN Mellon article below.

BNY Mellon Enforcement Action

If you have any questions on the Guidance and how it impacts your business, please get in touch with us at