Opening remarks at the Central Bank Outsourcing Conference - Director General Derville Rowland

30 April 2019 Speech

Opening Remarks by Derville Rowland, Director General, Financial Conduct, Central Bank of Ireland at the Central Bank Outsourcing Conference, Dublin.

Introduction

Good morning ladies and gentlemen. I am delighted to welcome you all here this morning to discuss the important topic of outsourcing.

The Central Bank is conscious that outsourcing is big business with the global outsourcing market estimated to be worth almost €76 billion last year. We are conscious too that it is business which brings with it not just big opportunities, but also big risks, particularly in the financial services sector.

In my remarks this morning, I will highlight the recent initiatives the Central Bank has taken to understand the extent of outsourcing in which regulated financial services firms are engaging, the related risks associated with outsourcing activities and the role of boards and senior management in managing and mitigating those risks.

But first, let me acknowledge the benefits that outsourcing can bring.

When we think of outsourcing, we tend to think firstly of firms seeking to reduce their cost base by placing business with external providers or other group entities who can provide a service more cheaply and efficiently.

But the benefits of outsourcing are not solely financial. 

Outsourcing can help firms to offer an enhanced customer experience by allowing them to provide round the clock service across different time zones.

Outsourcing can also give firms access to key skills and technology that may not be available in-house. For example, we are seeing significant growth in the use of cloud, Fintech and Regtech service providers. In the future, we also expect to see increased use of technologies such as robotic process automation to deliver both process efficiencies and cost savings.

The Extent of Outsourcing

As many of you will know, the Central Bank’s mission is to serve the public interest by safeguarding monetary and financial stability and by working to ensure that the financial system operates in the best interests of customers and the wider economy.

Conscious of the growth in outsourcing through our own supervisory activity and contributing to the international work being carried out by global regulators – including the European Supervisory Authorities (ESAs) and the International Organisation of Securities Commissions (IOSCO) – the Central Bank has in recent years decided to take a deep dive into the practice of outsourcing.

In order to deepen our understanding of the potential risks to which the financial services industry may be exposed as a result of outsourcing, we carried out a review of outsourcing activity across the financial services sector, including a survey of regulated firms.

Some 185 banks, asset management firms, insurers and payment institutions collectively reported having 7,700 outsourcing arrangements in place and we received data on about 3,600 of these.

The results of the survey, coupled with findings from our supervisory engagements, are contained in a discussion paper published last year, which effectively sets the scene for today’s conference. If you have not already taken the opportunity to do so, I would strongly urge you to read it.

The Risks We Identified

Time does not permit a full discussion of the many risks we have highlighted in our paper. But by way of example, three of the key evolving risks were sensitive data risk, concentration risk and offshoring risk.

Taking each of these risks in turn, let me give you a flavour of what our survey found.

Nearly 60 per cent of the outsourcing arrangements involved sensitive customer data, while 67 per cent involved sensitive business data. Where firms transfer such data to an external provider, there is a risk of data loss, alteration or corruption or, indeed, unauthorised access.

In relation to concentration risk, the survey highlighted that some Outsourced Service Providers – or OSPs – provide many critical services to clusters of companies across the Irish financial services industry, particularly in the provision of IT and cloud services. In some cases, those OSPs have significant leverage over their customers due to the specialist nature of the services they provide.

We also observed further concentration risks at sectoral level.

In the insurance sector, one OSP provides actuarial services to a large number of companies engaged in similar business lines.

In the asset management sector, several firms rely on one OSP for fund administration, anti-money laundering and back office activity.

And in the banking sector, one OSP provides payment services for several retail banks.

When it comes to offshoring risk, a sample of firms we regulate indicated offshoring to over 80 countries, with over 51 per cent of the arrangements offshored to providers located outside the European Economic Area (EEA). 

While we understand that offshoring can bring benefits, we would also remind firms that they need to consider how they will manage the related risks including, for example, country risk. Given the scale of offshoring to the UK, it is important that firms are also considering Brexit risk.

While the review found some good practices, overall the results were disappointing. To put it bluntly, we found significant risk management deficiencies on a widespread basis. More broadly, we concluded that, when it comes to outsourcing arrangements, governance and risk management standards are emphatically not where they need to be.

When Things Go Wrong

Through our ongoing supervisory work and our outsourcing review, the Central Bank has found many cases of poor outsourcing governance and risk management practices across all financial sectors. These failings have resulted in supervisory intervention ranging from the Central Bank demanding risk mitigation plans to pursuing enforcement actions.

Our experience has highlighted that severe risks can materialise as significantly in intra-group outsourcing arrangements as with external third parties. For example, one of the most high profile Irish outsourcing incidents in recent years was the 2012 Ulster Bank IT failure. This occurred after Ulster Bank failed to have robust governance arrangements in relation to its IT systems, controls, and management, which were outsourced to its UK parent RBS.

The failure caused significant, prolonged and unacceptable inconvenience to affected customers trying to carry out their everyday financial transactions. Not only did the service fail, but when it came to the remediation and restoration of service, the issue was resolved more swiftly for other Group businesses than for the Irish entity.

Irish consumers found themselves at the back of the queue. 

From a Central Bank perspective, this is simply not acceptable.

We fined Ulster Bank €3.5 million for those IT and governance failings which resulted in about 600,000 customers being deprived of basic banking services for a 28-day period. The fine and reprimand were in addition to a redress scheme required and overseen by the Central Bank under which Ulster Bank paid €59 million to affected customers.

At the time, we noted that while IT outsourcing is a feature of modern banking business, it is no defence for regulatory failings.

And this is the message I want to repeat again today: You can delegate the task, but you cannot delegate the responsibility for that task.

Failings that have occurred when firms outsource business in order to avail of new technologies also highlight the importance of having strong governance and risk management practices for outsourcing arrangements.

For example, when outsourcing to the cloud, many firms do not have the in-house knowledge or expertise to understand the service that they are employing. 

In the summer of 2017, the publishing and financial information firm Dow Jones & Co. suffered a huge data breach when the personal information of 2.2 million customers was exposed. The information was being stored in a cloud-based file repository. Dow Jones made an error in configuring the repository, which resulted in any user of the cloud service provider having the ability to access the Dow Jones repository. 

This data breach illustrates the stark reality of the consequences when firms do not clearly identify, understand, document, monitor and manage the risks which outsourcing solutions can present.

Boards Are Accountable

One of the particularly disappointing conclusions of our outsourcing review was the unsatisfactory level of board awareness of outsourcing risk.

Let me be very clear that the Central Bank expects boards to have appropriate oversight and awareness of outsourcing arrangements and the associated risks.

Furthermore, the operational oversight must be clearly designated to relevant individuals, functions and/or committees, and firms must make sure they have the appropriate skills and knowledge to effectively oversee and understand arrangements, and their associated risks, from inception to conclusion.

Ultimate accountability for compliance remains with regulated firms, particularly the boards of those firms. Where a firm chooses to outsource a regulated activity, that firm will be held responsible for any regulatory breaches that occur.

Indeed, the Central Bank has taken enforcement action regarding the failure by regulated firms to ensure that outsourced regulated activities are compliant with the relevant regulation including the Consumer Protection Code. 

The Central Bank views the management of outsourcing risk as key from both a Conduct and Prudential perspective.

We regulate financial conduct with the aim of ensuring that the best interests of consumers and investors are protected and that markets operate in a fair, orderly and transparent manner.

Outsourcing failures can have significant impacts on consumers, customers and investors in terms of loss of service, market operations, poor customer experience and potential financial loss.

And, of course, from a prudential perspective, such failures can have an impact on the firm’s bottom line – whether in terms of loss of business, remediation and restitution costs and, in some cases, regulatory fines.

Not to mention the consequent reputational damage and loss of trust.

The Central Bank’s Vision

The Central Bank’s vision is for a trustworthy financial system supporting the wider economy where firms and individuals adhere to a culture of fairness and high standards. Given that Ireland is a significant international financial services hub, this vision applies equally to firms serving customers in the European Union and beyond as well as to customers based here in Ireland.

From a Central Bank perspective, it is critical that we have visibility of activities that are being outsourced and that firms ensure, when entering into such arrangements, that there are no barriers to our ability to effectively supervise those activities. It is also key that regulated firms can clearly demonstrate their understanding of their outsourcing arrangements and effectiveness of the governance and risk management measures in place.

Conclusion: We Want to Hear Your Views

It is clear that the outsourcing landscape is continuing to grow and evolve and the nature of activities being outsourced is becoming increasingly complex, including through the use of new technologies.

Again, we note that these new developments present substantial benefits, but also challenges and risks. We don’t claim to have all the answers in what is a continually evolving area.

As such, we are looking forward to hearing the perspectives of all conference attendees this morning – our international regulatory colleagues, outsource service providers and the financial services industry.

Today we really want to facilitate a fruitful discussion with you around some of the evolving risks associated with outsourcing and how best to govern and manage them. This will assist us in determining whether further guidance or policy is required in this area.

We have a very interesting morning ahead of us, where we will have an opportunity to explore the developing landscape of outsourcing from both a regulatory and an industry perspective.

It is important that we seek to achieve broad alignment on these perspectives, given both the opportunities and risks that outsourcing can present to firms and the importance of robust governance and risk management principles being applied to these arrangements.

I mentioned earlier that the Central Bank is actively engaged with the important global regulatory work on outsourcing including the work of the European Banking Authority. In that regard, I am delighted to welcome our first guest speaker, Bernd Rummel, Principal Policy Expert for Prudential Regulation and Supervisory Policy at the European Banking Authority. Bernd will discuss with us today the context for the recent enhancements of the EBA Guidelines on Outsourcing and current work regarding Fintech and innovation.

Thank you.

---------------------------------------------------------------------------------------------------------------------

Acknowledgments: I wish to thank Kathleen Barrington, Orna McNamara and Kate Mulligan for their assistance with this speech.