ICQ Log - Funds:

Why Outsourcing is a Hot Topic for Compliance Teams


Last Updated:  24 March 2022

Carina Myles, Partner, Governance, Risk & Compliance at EisnerAmper Ireland and Chair of Compliance Institute's Funds Working Group looks at why outsourcing is a hot topic for compliance teams and the key elements of the Central Bank of Ireland’s “Cross-Industry Guidance on Outsourcing” which was published in December 2021.

In this Outsourcing update, Carina Myles, Partner, Governance, Risk & Compliance at EisnerAmper Ireland, discusses why Outsourcing is a hot topic for Compliance teams and the key elements of the Central Bank of Ireland’s “Cross-Industry Guidance on Outsourcing” which was published in December 2021.


Outsourcing is a key area of focus for regulators across Europe including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the Central Bank of Ireland (Central Bank). In its “Cross-Industry Guidance on Outsourcing” (Guidance), the Central Bank notes that it is strongly focused on Outsourcing due to its increasing prevalence across the financial services sector and its potential, if not effectively managed, to threaten the operational resilience of Regulated Financial Service Providers (RFSPs).


The Central Bank has undertaken a significant programme of activity on outsourcing over the last number of years to ensure that Boards of RFSPs do not seek to rely on either third-party providers or group companies to the point where they are inadvertently delegating accountability to those entities. On this basis, the Central Bank seeks to ensure that accountability and responsibility ultimately remains with the Board and that certain processes and principles are followed to mitigate outsourcing risks. Compliance professionals will be required to help the Board understand and implement the Guidance. The following article includes key considerations when reviewing the outsourcing risk management framework of the RFSP.

The Central Bank’s programme of work in relation to outsourcing is illustrated below and includes its latest publication in December 2021: “Cross-Industry Guidance on Outsourcing” (Guidance), following its February 2021 Consultation (CP138).


The Guidance recognises that outsourced service providers (OSPs), including both intragroup entities and third party OSPs, both regulated and unregulated, support the provision of activities and services considered central to the successful delivery of the RFSP’s strategic objectives. The Guidance also notes that the changing landscape for the provision of financial services is leading to new service delivery models such as strategic partnering, cross-industry shared service centres, staff sharing and extensive sub-outsourcing. The development and use of these new models to deliver critical and important services or functions by RFSPs will be regarded as outsourcing and as such, RFSPs will be expected to apply the Guidance.


The Guidance is being introduced to supplement existing sectoral legislation, regulations and guidelines on Outsourcing, by setting out the  Bank’s expectations of good practice for effective management of outsourcing risk. The Guidance expects firms to take a firm-wide approach to analysing and managing their outsourcing risks through to the implementation of a robust strategy, framework, policies and procedures. Some of the key expectations on firms include:

  1. Risk Assessment – the expectation on firms to risk assess the criticality or importance of the activity or service to be outsourced either to a third party, intragroup or delegated arrangement. In assessing the risks, firms are expected to consider a number of factors including taking a holistic approach to outsourcing and the concentration risk across the entire firm and/or industry where several firms outsource to the same outsourced providers, for example, cloud service providers.
  2. Governance - the Board, as ultimate accountable owners, must ensure they have demonstrable due diligence, oversight and monitoring frameworks in place to provide the appropriate assurance that outsourcing risk is effectively managed and the right controls are in place to mitigate the risk.
  3. Policy – regulated firms are expected to have a documented outsourcing strategy that takes account of outsourcing risk appetite and clearly articulates:
    1. the types of activities and functions they will consider outsourcing;
    2. the associated risks;
    3. the ability, skills and competencies required to appropriately monitor and oversee outsourcing arrangements.
  4. Record Keeping – maintenance of a register of the firm’s outsourcing universe is required to facilitate centralised management.
  5. Outsourcing Risk Management Framework – the Central Bank’s expectation is that firms develop and implement a robust and strong outsourcing risk management framework that incorporates comprehensive risk assessments to enable adequate oversight out outsourced activities.

An approach we have found to be beneficial when supporting our clients’ Boards and Senior Executives is to benchmark existing outsourcing risk management frameworks to the guidance to enable the effective identification, oversight and management of outsourcing risks.

In supporting our clients, we have explored the entire lifecycle of the risk of their outsourcing arrangements and underpinned the framework with existing legislation, regulations and guidelines relevant to the firms’ sector.

As Partner in EisnerAmper Ireland’s Governance, Risk & Compliance Group, Carina advises financial services providers on risk, regulatory and compliance-related matters. Carina supports clients throughout the regulatory engagement lifecycle and specialises in the design
and implementation of risk and compliance frameworks.

Carina has over 20 years’ experience of designing and developing risk, compliance and control frameworks; leading regulatory change programmes such as AIFMD and GDPR; and leading large scale business transformation programs across EMEA & India.

Lawyer Photo

AUTHOR: Carina Myles

Partner, EisnerAmper Ireland

ICQ Summer Edition 2020

This article was taken from Compliance Institute's ICQ Spring Edition 2022