- within Insurance, Employment and HR and Insolvency/Bankruptcy/Re-Structuring topic(s)
On 6 March 2026, the Central Bank of Ireland (CBI) issued a letter (Dear CEO Letter) on its findings arising from the thematic inspection of outsourcing risk which it conducted on Fund Administrators and Depositaries, collectively known as Fund Service Providers (FSPs), in 2025 (Thematic Inspection).
The Dear CEO Letter outlines that the Thematic Inspection sought to assess the outsourcing oversight frameworks established by FSPs taking into consideration the good practices for the effective management of outsourcing risk as outlined in the CBI’s Cross Industry Guidance on Outsourcing published in December 2021. For Fund Administrators, the Thematic Inspection also considered the outsourcing requirements set out in the Investment Firms Regulations 20231 and related Central Bank guidance.
The Thematic Inspection identifies that deficiencies continue to exist in the outsourcing oversight frameworks established by FSPs. In order to address this, Appendix 1 of the Dear CEO Letter sets out the good practices observed during the CBI during the Thematic Inspection.
The CBI indicates that FSPs are expected to consider these good practices in order to improve their “ability to manage operational resilience risk, including the identification, assessment, monitoring and reporting of outsourcing risks going forward”.
The good practices identified in Appendix 1 are set out below.
|
Good practice |
Description |
|---|---|
|
Outsourcing forums / committees |
Establishment of outsourcing forums/committees as these play an important role as the main oversight medium for outsourced activities. |
|
Outsourcing Manager |
Establishment of a dedicated Outsourcing Manager to oversee the outsourcing oversight framework and monitoring of outsourcing service providers, where this is required in light of the nature, scale and risk profile of the FSPs outsourcing universe. |
|
Role of Second Line of Defence |
Establishment of: (i) processes whereby there is formal input and sign-off of outsourcing proposals and initial and ongoing risk assessments by the second line of defence; and (ii) performance of independent compliance due diligence and assurance testing. |
|
Outsourcing Risk Appetite Limits |
Establishment of defined internal outsourcing risk appetite thresholds |
|
Risk Metrics |
Development of multi‑layered outsourcing risk metrics to monitor, for example, concentration risks, outsourcing incidents, outsourcing engagement, and vendor performance and ongoing monitoring re: outsourcing lifecycle. Receipt of performance self-certifications / attestations from outsourcing services providers (OSPs). |
|
Due Diligence and Risk Assessments |
Completion of periodic due diligence and risk assessments on OSPs on a proportional basis (not just critical or important OSPs). For depositaries, the completion of sample testing of due diligence reports of the sub‑custody network and related legal advice obtained and reviewed by network management. |
|
Outsourcing Oversight Documentation |
Establishment of tailored (i.e. entity specific) outsourcing oversight documentation established including outsourcing oversight framework and outsourcing policy |
|
Outsourcing Registers (Depositaries only) |
For depositaries, ensuring the recording of Prime Brokers within their outsourcing registers to ensure same standards are applied |
|
NAV Oversight (Fund Administrators only) |
For fund administrators, establishing robust NAV oversight, such as automated maker‑checker processes to ensure the correct sequencing of reviews and that the checker was of an equal or higher grade to that of the maker. |
The Dear CEO Letter can be accessed here.
Footnote
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]