Irish Regulatory Matters
AIMA actively monitors and advocates on a variety of proposed legislation and guidance that will affect the operations of its members in Ireland. Drawing upon the expertise and diversity of its membership, and through proactive and constructive engagement with the Central Bank of Ireland (CBI) and the Irish Government, AIMA aims to provide leadership to the alternative investment industry and to be its pre-eminent voice in Ireland.
In 2021, the CBI issued two public consultations for industry feedback on its proposed Cross-Industry Guidance on (i) CP140 - Operational Resilience, and (ii) CP138 - Outsourcing. AIMA has responded to both of these consultations.
Operational Resilience Guidance
The proposed guidance aims to enhance the financial services industry’s operational resilience, given the array of disruptive events firms face, including technology failures and cyber incidents. There are 15 guidelines built around three pillars: (i) Identify and Prepare, (ii) Respond and Adapt, (iii) Recover and Learn. The CBI proposes to apply the guidance to all Regulated Financial Service Providers (RFSPs).
The Irish regulator expects that the boards and senior management of RFSPs will adopt appropriate measures to strengthen and improve their operational resilience frameworks and their effective management of operational resilience in line with the proposed guidance. Firms are expected to have an incident management strategy and capture operational resilience within the firm’s business continuity management processes.
The CBI expects firms to be actively and promptly addressing operational resilience vulnerabilities and to be able to evidence the implemented measures within two years of the final guidelines being issued.
The proposed outsourcing guidance is designed to set out the CBI’s expectations regarding the governance and management of outsourcing risk by RFSPs. The guidance addresses outsourcing to both intragroup entities and to third party service providers, regulated and unregulated.
It is intended to complement, and not replace, existing sectoral laws, regulations and guidelines on outsourcing and delegation. The four key risks highlighted by the Irish regulator in the proposed guidance are:
- data security risks inherent in the use of third parties (including other group companies) to store and manage business-sensitive and/or customer-confidential information;
- oversight risks where sub-/chain outsourcing structures are used;
- challenges to effective oversight and supervision where outsourcing is offshored, particularly outside the EU/EEA; and
- higher levels of concentration risk (particularly in respect of cloud outsourcing).
The CBI plans to publish its final guidelines on outsourcing later this year.
(Last updated: 20 September 2021)