Outsourcing

Overview: 

Outsourcing is widely and increasingly used across the alternative investment management industry. With clear advantages including operational efficiencies and cost-effectiveness, it is unlikely that this trend will slow or reverse in the future. Regulatory standards on outsourcing and third-party relationships (or their risk management) are set out in primary legislation, principles, rules or guidance issued by the relevant regulatory or supervisory authorities and/or codified supervisory practices.

Current work:

The European Securities and Markets Authority (ESMA) has issued new guidelines on outsourcing to cloud service providers. The guidelines, which entered into force on 31 July 2021, aim to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements. The guidelines apply from 31 December 2022 to any cloud outsourcing arrangement entered into prior to 31 July 2021.

The Central Bank of Ireland (CBI) has published new guidance on outsourcing. The CBI acknowledges the increasing reliance of many regulated firms on outsourced service providers. This includes the use of both intragroup entities and third party providers. The guidance aims to supplement existing sectoral legislation, regulations and guidelines on outsourcing, by setting out the CBI's expectations of good practice for the effective management of outsourcing risk.

AIMA's Guide to Sound Practices for Outsourcing by Investment Managers is designed to give investment managers a global perspective on outsourcing to draw from when thinking about sound practices for their own firms in light of local and international regulatory requirements. AIMA's DDQ for Outsource Service Providers offers a starting place for due diligence on outsourcing service providers and for documenting the selection process.

Upcoming actions:

31 December 2022: ESMA guidelines apply to any cloud outsourcing arrangements entered into prior to 31 July 2021.

(Last updated: 11 January 2022)


Other relevant workstreams

Operational Resilience

Operational resilience is expected to be a key regulatory focus over the coming years. The aim of regulators is to bring about change in how the finance industry thinks about operational resilience in order to build a more resilient financial system. The European Commission has published a proposal for a regulation on digital operational resilience (DORA). The UK regulators' new rules relating to operational resilience will come into force on 31 March 2022.

Cyber and Technology

In recent years, cyber security has increasingly become the top global risk for business, with regulators and policy-makers also paying increased attention to financial institutions’ cyber security planning.

AIFMD

The European Commission has published a proposal to review the AIFMD. The legislative proposal covers delegation, liquidity risk management, loan funds, investor disclosures, depositaries and regulatory reporting matters. The EU's Cross-Border Distribution of Funds Directive and Regulation came into force on 2 August 2021.

UCITS

The European Commission has proposed targeted amendments to the UCITS Directive on liquidity management tools, delegation and reporting. The proposals are now being scrutinised by the European Parliament and Council. Separately, the EU and the UK have both confirmed extension of the UCITS exemption under PRIIPs to 31 December 2022 in the EU and 31 December 2026 in the UK.


Other resources

EU Official Texts on Outsourcing

All of the directives, regulations, amending texts, ESA texts, etc. that apply with respect to outsourcing in Ireland and Luxembourg, in one place.