Outsourcing in the Funds Industry
During 2016, the Central Bank of Ireland (“CBI”) performed a review of the outsourcing arrangements of a number of fund administrators. The CBI’s objective was to ascertain the level of outsourcing performed by fund administrators and the governance and oversight in place for these outsourced activities. On 7 March 2017, CBI published its findings, highlighting an extensive use of outsourcing in the industry which places considerable demands on fund administrators to demonstrate good governance, managerial oversight and independent assurance. CBI’s analysis noted the trend of outsourcing continues and across some selected larger administrators, it estimated that between 48 and 61% of fund administration activities were carried out by outsourced service providers (‘OSPs’). CBI noted these firms had on average up to 10 different service locations, with concentration exposure to one or multiple locations. However, CBI confirmed that these firms outsourced primarily to other group entities, ensuring the operational activities remained within the administration company’s ecosystem. CBI has focused its recommendations on three core areas:
- First line of Defence – Management and Internal Control Measures
- Second line of Defence – Support Function Oversight and Monitoring
- Third line of Defence – Independent Assurance
Management and Internal Controls
The first line of defence is focused on core internal controls and managerial governance. Each firm should have an outsourcing team structure, an outsourcing governance forum and legally binding agreements in place with each of their OSPs. Firms should have clear documented policies for the governance of outsourced activities. CBI recommends that firms have a readily retrievable and current centralized log of all outsourced arrangements.
Take Back Testing and BCP
When outsourcing activities, firms must ensure they can take back the activity in the event of a service disruption. CBI noted some firms demonstrated good practice in this regard already, but the minimum expectation is for annual take back testing.
Similarly, CBI re-emphasized that all firms must maintain detailed and comprehensive Business Continuity Plans. CBI noted that while all providers had evidenced good practice around their OSPs business continuity plans, firms must align these with their own BCP plans in terms of adequacy, effectiveness and periodic tests.
Operational Oversight, due diligence and training
The day to day operations of each outsourced activity needs to be governed by legally enforceable Service Level Agreements. CBI acknowledges this is in place across fund administrators, however CBI recommends that all procedural documents pertaining to outsourcing must be reviewed at least annually. It was noted all firms use KPI’s and review these daily, weekly and monthly.
CBI outlines clear recommendations that need to be conducted by each firm, given the varied Due Diligence approaches across firms. CBI highlighted positive examples of training being given on-site at OSP’s and has recommended that formalized training programs are in place for outsourcing requirements.
Support Function Oversight and Monitoring
The second line of control is performed by functions such as Risk and Compliance. CBI focused on the interaction of these functions with their OSP, noting some OSPs did not have an onsite Compliance function. Following on from previous industry communication, CBI reiterates the importance of the Compliance role and the requirement to collaborate with the other control functions. CBI recommends a more structured annual reporting of outsourced activities from each firm and their OSP.
As a result of industry-wide discussions (e.g. Consultation Paper 100), Firms’ risk resources and risk indicators will need to be identified, assessed and measured. CBI noted instances where no tolerance levels were set in respect of the amount of outsourcing permitted for a specific fund administration activity. CBI recommends that firms regularly assess the concentrations of activities outsourced and the providers used.
The Third Line of Defence – Independent Assurance
While it was noted that firms outsourced primarily to affiliates/group entities, the CBI confirmed the majority of OSPs were unregulated. The CBI reiterated the role of Internal Audit and the requirement for an independent assessment of a firm’s business strategy and risks associated with outsourcing. The Internal Audit team should assess the firm’s adequacy for responding to material breaches or service disruptions and ensure appropriate staffing and expertise is in place to perform ongoing monitoring.
In a complex and increasingly globalised industry, fund administrators are required to provide a broad range of services across multiple fund jurisdictions and operating locations. In order to provide the industry with efficient and effective products, administrators need to ensure there are robust controls, procedures and governance across their operational platforms. By demonstrating oversight in compliance with regulatory requirements and enabling supervision with a clear operational audit trail, they will be able to provide the highest standards of service, while remaining cost efficient and supporting a well governed industry.
Ireland must remain competitive and flexible to service managers across multiple locations. The operational benefits of outsourcing are widely documented and CBI acknowledges that firms are outsourcing more business processes and functions in order to provide robust, but efficient services.
Importantly, over 800 fund managers across 50+ countries have assets administered in Ireland. Combining the highest standards of regulation with our client requirements is crucial in providing global clients with services across multiple time zones. As the regulatory landscape evolves so too must fund administrators with an integrated approach to champion good governance, managerial oversight and independent assurance of their activities.
Colin Keane, Country Head of SS&C Financial Services (Ireland) Limited