Outsourcing is widely and increasingly used across the alternative investment management industry. With clear advantages including operational efficiencies and cost-effectiveness, it is unlikely that this trend will slow or reverse in the future. Regulatory standards on outsourcing and third-party relationships (or their risk management) are set out in primary legislation, principles, rules or guidance issued by the relevant regulatory or supervisory authorities and/or codified supervisory practices.
The European Securities and Markets Authority (ESMA) has issued new guidelines on outsourcing to cloud service providers. The guidelines, which entered into force on 31 July 2021, aim to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements. The guidelines apply from 31 December 2022 to any cloud outsourcing arrangement entered into prior to 31 July 2021.
The Central Bank of Ireland (CBI) has published new guidance on outsourcing. The CBI acknowledges the increasing reliance of many regulated firms on outsourced service providers. This includes the use of both intragroup entities and third party providers. The guidance aims to supplement existing sectoral legislation, regulations and guidelines on outsourcing, by setting out the CBI's expectations of good practice for the effective management of outsourcing risk.
AIMA's Guide to Sound Practices for Outsourcing by Investment Managers is designed to give investment managers a global perspecitive on outsourcing to draw from when thinking about sound practices for their own firms in light of local and international regulatory requirements. AIMA's DDQ for Outsource Service Providers offers a starting place for due diligence on outsourcing service providers and is a starting place in documenting the selection process.
31 December 2022, ESMA guidelines apply to any cloud outsourcing arrangements entered into prior to 31 July 2021.
(Last updated: 11 January 2022)