Fund Administrator Outsourcing

This Guidance supersedes the letter issued to industry on 7 March 2017 with regard to the outsourcing of fund administration activities.

General

Core management functions shall not be outsourced and the fund administrator must continue to exercise adequate and effective control and decision making.
Core management functions include, inter alia, setting the risk strategy, the risk policy, and, accordingly, the risk bearing capacity of the fund administrator. Hence, management functions such as the setting of strategies and policies in respect of the fund administrator’s risk profile and control, the oversight of the operation of the fund administrator’s processes and the final responsibility towards clients and the Central Bank must not be outsourced.

Outsourcing must not impair:

  • the orderliness of the conduct of the fund administrator's business or of the services provided; or
  • the ability of other internal governance bodies, such as the board of directors or the audit committee, to fulfil their oversight tasks.

Governance Structures for Outsourcing

It is good practice to have a formalised Outsourcing Governance Forum or an Outsourcing Committee in place charged with responsibility for:

(i) initial approval of the outsourcing arrangements;

(ii) on-going oversight of outsourced activities;

(iii) ratifying any changes to the outsourcing policy document; and

(iv) monitoring the completion of any remediation plans should these arise from due diligence visits to outsourcing service providers.

Attendees should include representatives from the Board and from the risk, compliance and operational teams.

The appointment of a dedicated outsourcing manager and/or a dedicated outsourcing team is a good practice in governance oversight arrangements, particularly in the context of increased levels of outsourcing.

A fund administrator is expected to consider, at a minimum, the following issues during its decision making phase on outsourcing. These should be reflected in the formal documented outsourcing policy:

(i) all risks (including country and concentration risks);

(ii) the complexity of the proposal;

(iii) the materiality of the services to be outsourced;

(iv) whether any financial benefits outweigh the estimated costs to control the risks involved;

(v) how the proposal impacts the fund administrator’s overall strategy;

(vi) the impact on employees;

(vii) the nature of client interaction with the outsourcing service provider;

(viii) potential information security and data protection implications;

(ix) the extent to which the activities are subject to specific laws and regulations;

(x) consistency with group policies;

(xi) how the fund administrator will conduct oversight of the outsourcing service provider;

(xii) a statement as to whether the arrangements are within the fund administrator’s risk appetite;

(xiii) risks to the level of service provided to clients; and

(xiv) the scale of outsourcing already conducted.

Documented policy on outsourcing

It is good practice for the outsourcing policy document to set tolerance limits in respect of the amount of outsourcing permitted for a specific fund administration activity (i.e. in respect of the level of activities or the level of staff that can be outsourced to one location).

The outsourcing policy should be subject to review on an annual basis. 

Outsourcing Records

A fund administrator should maintain a comprehensive centralised log of all outsourcing arrangements, which is updated on an on-going basis. The Central Bank should have access to the log upon request.

Operational Oversight

A fund administrator is required to evaluate the performance of an outsourcing service provider on an on-going basis to include periodic due diligence related visits to the premises of the outsourcing service provider. It is expected that annual on-site visits (depending on the scale and materiality of the activity) to the outsourcing service provider will take place. An evaluation of the outsourcing service provider should include an assessment of the following elements:

(i) the human, financial and technical resources;

(ii) the experience of the staff performing the activity to be outsourced;

(iii) the regulatory status;

(iv) the appropriateness of insurance cover;

(v) the ability to safeguard the confidentiality, integrity and availability of information;

(vi) the corporate governance, risk management, security, internal controls, reporting and monitoring processes;

(vii) the reputation, complaints history or pending litigation issues;

(viii) the business continuity arrangements, contingency plans and the testing against recovery time objectives; and

(ix) the business culture and how this aligns with the policies and culture of the fund administrator.

Following a due diligence visit, it is good practice for a report to be produced for review by the outsourcing governance forum or committee and by senior management. 

It is good practice for fund administrators to have a risk assessment process in place in order to assess the risks and control environment. Under such a process, and depending on the level of outsourcing activity, calls and meetings would be held between the staff in the fund administrator and staff in the outsourcing service provider. Intra-day progress would be monitored through system workflow tools which apply internal deadlines for work to be completed.

A fund administrator should have adequate internal controls in place to ensure that the Central Bank is notified of any material change to any arrangements with an outsourcing service provider or any development which affects the fund administrator’s ability to fulfil its obligations to its customers. This control should be documented in the fund administrator’s outsourcing policy document.

Take Back/Resilience Testing

A fund administrator should be able to demonstrate to the satisfaction of its own outsourcing governance forum or committee and, on request, to the Central Bank, that it is conducting take back/resilience testing on activities which have been outsourced and has all the necessary expertise to manage the risks associated with the outsourcing arrangement. The testing should at a minimum cover:

(i) an assessment of capabilities and resources;

(ii) the timeframe required to transition the activity while still managing legal, regulatory, customer and other impacts that might arise;

(iii) the risks associated with data retention and destruction;

(iv) information system connections and access control issues; and

(v) reputation risks to the outsourcing firm if the termination happens as a result of the outsourcing service provider’s inability to meet expectations.

Good practices with regard to the take back/resilience testing of activities from outsourcing service provider locations include but are not limited to the following:

(i) performing take back/resilience testing within 90 days of a new outsourcing arrangement going live;

(ii) performing take back/resilience testing on Final NAV arrangements;

(iii) annual testing of critical functions;

(iv) annual Cross Regional Recovery testing; and

(v) performing take back/resilience testing on a rolling sample basis for fund accounting, for example, testing in which the fund administrator aims to take back/complete resilience testing on 10% of investment funds annually and where the selection is based on fund types.

This testing may involve back-to-base (i.e. Ireland) and/or other appropriate outsourcing service providers.

Formalised Disaster Recovery/Business Continuity Planning (BCP)

Business Continuity Plans should be reviewed and tested on at least an annual basis. It is good practice for contingency plans to contain the following:

(i) an assessment of the adequacy and effectiveness of an outsourcing service provider’s contingency plan and alignment of this to the fund administrator’s plan;

(ii) a documenting of the roles and responsibilities for maintaining and testing the outsourcing service provider’s contingency plans. These should also be tested at least annually in order to ensure adequacy and effectiveness;

(iii) an incident response plan which defines roles and responsibilities;

(iv) an up to date Business Impact Analysis, reviewed annually;

(v) the critical activities to be prioritised in a disaster scenario; and

(vi) an exit strategy, including a pool of comparable outsourcing service providers, in the event that a contracted service provider is unable to perform. The identification of a standby outsourcing service provider may help with reducing the time it takes to transfer between service providers.

Consideration should also be given to the possible concentration risk where multiple firms and/or their outsourcing service providers have BCP sites in the same locations.

Training

Staff within an outsourcing service provider, who are involved in the provision of services to a fund administrator, should have appropriate training on and access to Irish regulatory requirements, particularly with regard to the outsourcing requirements which apply to the fund administrator and in relation to the calculation of an investment fund’s net asset value. Training should be provided before commencement of activities and should be provided on at least an annual basis thereafter.

It is good practice for staff within a fund administrator to provide training to relevant staff in the outsourcing service provider, possibly through workshops or other seminars in the premises of the outsourcing service provider. Appropriate records of this training, including details of staff who attended, should be maintained and provided to the Central Bank on request.

Risk and Compliance Functions

Fund administrators are required to carry out regular assessments of the operational and concentration risk associated with their outsourcing arrangements. Risk concentrations, limits on the acceptable overall level of outsourced activities and risks arising from outsourcing multiple activities to the same outsourcing service provider should be addressed in that assessment.

The Risk Function within a fund administrator should work closely with operational teams in order to provide advice on any necessary changes to control processes and procedures. It is good practice to have a Risk Committee which tracks risks arising from outsourcing and provides a forum for these to be discussed.

The Compliance Function should have an effective monitoring program to ensure that all outsourcing is conducted in compliance with regulatory requirements and that all control measures are effective and appropriate. It is good practice for monitoring programs to establish appropriate priorities for monitoring compliance. Escalation procedures within the Compliance Function should be sufficient to ensure that any concerns are brought to the attention of the senior management of the fund administrator and the Central Bank as required.

The Compliance Function should also assess the presence of the risk, compliance and internal audit functions within an outsourcing service provider and be satisfied that there is a sufficiently resourced permanent compliance function within that entity/region.

Fund administrators' review of their outsourcing arrangements

A fund administrator is required to have its internal auditors and compliance function examine an outsourcing arrangement within the first 12 months of its operations. Compliance and Internal Audit Functions carry out two distinct roles. Therefore, a separate report is required from each function detailing the distinct reviews undertaken.

In relation to the timelines outlined in Regulation 21(1)(p) for completion of Internal Audit and Compliance Reviews, the following clarification may be helpful: A fund administrator must examine the operation of its outsourcing arrangement within the first 12 months of its operation. This review will likely occur towards the end of the first year of operations. For example, if the outsourcing activity is initiated in January 2017, the review is likely to be completed in the period between October and December 2017, in order for the firm to get an accurate view of its operations. If the review is completed in October 2017, a copy of the report must be submitted three months after this date, i.e. in January 2018. If the review is completed in December 2017, a copy of the report must be submitted three months after this date, i.e. in March 2018.

It is good practice for the Compliance Review to assess the control functions both within the fund administrator and within the outsourcing service provider. The documentation should clearly identify the outsourcing arrangement under review. 

Reports from both the Compliance and Internal Audit Functions should include the following:

(i) the identity of the outsourcing service provider;

(ii) the activities being outsourced;

(iii) the date clearance was received from the Central Bank;

(iv) the date the outsourcing activity commenced;

(v) the date of the report; and

(vi) details of the authors and approvers.

Independent assurance

The role of Internal Audit in the review of outsourcing arrangements is very important. Internal Audit reviews should, at a minimum, assess the adequacy of processes within the fund administrator in terms of:

(i) assurance that the relationship with the outsourcing service provider aligns with the fund administrator’s business strategy;

(ii) identifying, assessing, managing, and reporting on all risks;

(iii) responding to material breaches or service disruptions; and

(iv) ensuring appropriate staffing and expertise is in place to perform due diligence and on-going monitoring of outsourcing service providers.

It is good practice for Internal Audit to review the robustness of the fund administrator’s processes for identifying and managing concentration risks that may arise from relying on a single third party for multiple activities, or from geographic concentration of business due to either direct contracting or subcontracting agreements to the same location. 

Outsourcing notification to the Central Bank

A fund administrator shall submit an outsourcing proposal notification in advance of seeking to outsource administration services. This notification must afford the Central Bank sufficient time to consider the proposal. Please see Outsourcing Proposal Notification Template.

Before submitting a notification to the Central Bank of a proposed outsourcing arrangement relating to outsourcing the check and release of an investment fund’s final NAV, fund administrators must ensure that they are able to demonstrate that the outsourcing of the check and release of the NAV is necessary, because the following conditions are met:

(a) the investment fund is daily dealing;

(b) the outsourcing service provider who checks and releases the final NAV is an entity within the fund administrator’s group and the fund administrator and the outsourcing service provider share the same systems, controls, staff training, procedures and processes for the valuation of each investment fund final NAV;

(c) the prices for investments used for valuation purposes are not available from markets before 5pm Irish time in order to facilitate a release of the final NAV within normal Irish business hours; and

(d) the release of the final NAV outside of normal Irish business hours (8am – 6pm) is necessary in order to facilitate investor dealing due to the existence of one of the following circumstances:

   (i) the final NAV is required to be received by the underlying investor in markets with time zones from UTC (GMT) +4:00 to UTC (GMT) +12:00 by market opening T+1 (for example Asian/Eastern regions);

   (ii) the investment fund is a US Money Market Fund with trade date settlement;

   (iii) the investment fund is an ETF which needs to release the final NAV to the primary market and to investors in the secondary market outside of normal Irish business hours (8am – 6pm).

While each notification by a fund administrator with regard to the outsourcing of the check and release of the final NAV will be considered and determined by the Central Bank on its merits, the Central Bank will have strict regard, inter alia, to the criteria above when assessing such outsourcing applications.

Fund administrators that have at 28 February 2017 existing, previously cleared, outsourcing arrangements in respect of the check and release of the final NAV that do not meet with the criteria outlined in this Guidance are not being required to change those arrangements.

It is not necessary to notify the Central Bank when investment funds are added to an existing outsourcing arrangement in respect of which the Central Bank has not objected, except for instances relating to the outsourcing of the release of the final NAV. 

A fund administrator must seek clearance from the Central Bank to outsource the release of the final NAV for any new umbrella/standalone fund. Once clearance has been received for the umbrella fund it will not be necessary to notify the Central Bank when new sub-funds are added to the arrangement provided the arrangement is consistent with the Central Bank Investment Firms Regulations and this Guidance.

A fund administrator should have adequate internal controls in place to ensure that Central Bank clearance is granted in advance of commencing an outsourcing arrangement. This control should be documented in the fund administrator’s outsourcing policy document.

Intra-group outsourcing

Requirements in Part 4, Chapter 2 of the Central Bank Investment Firms Regulations apply equally to both intra group and external outsourcing arrangements. Where the fund administrator and the outsourcing service provider are members of the same group, the Central Bank, for the purposes of assessing the outsourcing notification, may take into account the extent to which the fund administrator controls the outsourcing service provider, the fund administrator’s ability to influence the actions of the service provider and the extent to which the service provider is included in the consolidated supervision of the group.

Maintenance of shareholders registers

In accordance with Regulation 19 of the Central Bank Investment Firms Regulations, the shareholder register for each investment fund must be maintained by the fund administrator. This means that the fund administrator maintains oversight and control of the register and can reproduce the full register at any time.

Preliminary NAV

Preliminary NAV means a calculated NAV which has not yet been provided to investors, published or otherwise released to the market by the fund administrator or its outsourcing service provider. This preliminary NAV may be provided to the investment fund or its investment manager for review prior to release as final NAV.

The fund administrator must ensure that the preliminary NAV is not provided to investors, published or otherwise released to the market by the investment fund or its investment manager.

A model where the preliminary NAV calculation is outsourced and combined / amalgamated with a model where the final NAV is also outsourced for the same investment fund is not permitted without submitting an outsourcing proposal notification in advance to the Central Bank for review.

Issued: 13 March 2017

Latest revision: 28 June 2017