CP138 in a Nutshell
Friday, 15 October 2021
The Central Bank of Ireland (“CBI”) recently issued CP138 highlighting its continued focus on outsourcing and delegation. Although not specifically addressed to investment funds or fund management companies (mancos), CP138 applies to the funds industry. CP138 represents a change for many investment funds and mancos which are not currently subject to any formal outsourcing requirements.
The new consultation paper sets out the CBI’s minimum expectations regarding the governance and management of outsourcing risks with a strong emphasis on performing due diligence prior to and while engaging with outsourced service providers (“OSPs”). Under CP138, funds and mancos should consider several key factors when developing a framework to manage outsourcing arrangements including: intra group arrangements, contractual arrangements and service level agreements, ongoing monitoring, disaster recovery and business continuity management, and the provision of outsourcing information to the CBI. Most importantly, CP138’s scope addresses OSPs considered critical or important such as fund distributors and focuses on the initial and ongoing due diligence aspects of these outsourcing arrangements.
Fund and manco directors must be satisfied that there are appropriate internal controls in place to identify, measure, manage, monitor and report the risks associated with their outsourcing arrangements. Management also needs to define materiality when determining which material events affecting the provision of critical or important services, or breaches of contractual arrangements or SLAs, need to be reported to the CBI when they occur. In addition, management needs to assess how the controls that are in place to assess these risks are tested via a third-party review/audit or internal audit.
Initial and ongoing due diligence procedures to monitor fund distributors and sub-distributors
Considering the CBI’s expectations, funds and mancos are now taking a fresh look at their policies and procedures around the oversight of OSPs including fund distributors and sub-distributors.
Performing due-diligence procedures for a fund’s distributor and sub-distributors, where relevant, continues to be a challenging and onerous process for funds and fund management companies because of the volume and complexity of these arrangements. There can be many intermediaries between an investor and an investment manager such as fund platforms and regional distributors and distribution channels can be complex and, at times, not transparent.
CP138 sets out the CBI’s expectation that appropriate due diligence reviews should be conducted of all prospective OSPs including intra-group providers before entering into any arrangements. Due diligence procedures clearly outlined in CP138 include, among many, the periodic review of the financial health of key OSPs, review of key contracts before expiry, and analysis of sub-outsourcing arrangements (chain outsourcing) to determine if any additional look-through due-diligence procedures are needed on sub-service providers. CP138 makes clear that the CBI expects more oversight on chain outsourcing relationships to the depth and extent dictated by risk appetite.
For chain outsourcing, primary fund distributors need to perform rigorous due diligence on their sub-delegates and maintain evidence thereof. Rigour is not clearly defined but should include, for example, that appropriate due diligence is performed on an ongoing basis on each sub-provider and that proof of these due-diligence activities are available upon request (including any onsite visits as appropriate). This can be challenging and should be allowed for within any contractual arrangement with the sub-provider.
How far funds and mancos need to perform the look-through boils down to the fund’s and manco’s own risk assessment and their assessment of criticality or importance of the function being outsourced. The risk and responsibility for sub-outsourcing arrangements depends on contracts and a thorough review of these arrangements is critical.
CP138 also identifies challenges associated with performing due diligence on intragroup and offshore entities. This is especially relevant to the fund industry when asset managers have their own distribution arm. The same rigours of due diligence need to be adhered to in these intra group entities cognisant of the challenges that may arise in those reviews such as conflicts of interest and exertion of influence.
The Investment Company Institute (ICI) recently published a best practice due-diligence questionnaire, and this has helped with standardisation (i.e. distributors get a standard set of questions from funds or mancos). However, the ICI questionnaire is not a one-size-fits-all and should be tailored accordingly. Technology has helped firms deal with due diligence procedures to follow-up on requests and report to key decision makers and the board. Following up on unanswered questionnaires can be time consuming and, depending on risk appetite and the criticality assessment of outsourcing arrangements, may lead to further data collection and screening on sub levels. To alleviate the workload, some funds and mancos have outsourced this due diligence function to providers who specialise on these matters.
What boards are mainly responsible for under CP138
reviewing and approving management’s risk assessment;
defining an entity specific outsourcing strategy aligned with the entity’s board approved outsourcing policy (including due diligence performed, conflicts of interests, exit strategy, etc.);
reviewing and approving the methodology and assessment for determining criticality or importance of the fund’s distributors and sub-distributors;
ensuring that appropriate skills and knowledge are maintained to effectively oversee outsourcing arrangements from inception to conclusion;
ensuring an up to date outsourcing register is maintained and reported to the CBI as required;
notifying the CBI of planned critical or important outsourcing arrangements in a timely manner, i.e., in advance of such arrangements being entered ; and
ensuring that assessment of the outsourcing arrangements form part of the firm’s third line of defense (via internal audit or third party assurance, if necessary).
Top 10 questions boards should ask the DP of distribution and management in relation to distribution oversight (questions 6-10 relate specifically to CP138)
Who will be responsible for distribution in each of the jurisdictions where the investment fund will be marketed and do paying agents or local representatives need to be appointed?
Have local marketing rules and tax laws been assessed and do the distributors and sub-distributors have a robust system of controls in place to ensure that marketing of the investment fund complies with these requirements?
What controls are in place to keep marketing materials consistent with the fund’s investment policy?
In relation to ESG products, are distributors and local representatives putting together their own marketing materials and have these been reviewed and compared to the fund’s prospectus (i.e., what controls are in place to ensure that distributors are not selling Article 8 funds as Article 9 funds and that they are selling to the right target market?)
Are the fund’s marketing materials (and information included on the distributor's website) up-to-date, and do they comply with local regulations?
Is there an inventory of all SLAs with distributors and do these contracts specify activities that are prohibited from being outsourced, and include termination rights, KPIs to assess performance of OSPs, etc.?
Does the fund distributor have a signed contract with each sub-distributor it engages, and do they perform appropriate due diligence on an ongoing basis on each sub-distributor?
Where is the core IT infrastructure for distribution content hosted (for intragroup, third-party distributors, and sub-distributors)?
Do the fund distributor and any sub-distributor have proper business continuity processes?
Are the controls in place to monitor outsourcing arrangements subject to the periodic review of internal audit or a third-party auditor?
The bottom line
The importance of managing delegation/outsourcing risk has never been more pertinent given the increased complexity and reliance on outsourcing activities. And the CBI’s message is clear: when it comes to overseeing delegates and critical and important outsourced service providers such as distributors and sub-distributors, the buck stops with the board and management. The board can delegate authority but not its responsibility.
Boards must be aware that entering outsourcing arrangements means becoming dependent on a third party that potentially could affect the operational resiliency and reputation of the firm and boards need to be fully versed on this topic in order to challenge management and its delegates’ overall approach to outsourcing arrangements.
Oversight of delegates has historically been focused on administrators, depositaries, and investment managers. CP138 makes it clear that there must be robust governance, risk assessment, due diligence and ongoing oversight of all outsourced service providers and delegates, including fund distributors and their sub-distributors. Funds and mancos should be able to demonstrate to the CBI that any delegation arrangements are subject to the same oversight and monitoring as other outsourcing arrangements and that any associated risks have been considered and documented by the board.
Diligence is the mother of good fortune as Cervantes once wrote, and with CP138, the CBI is not taking any chances when it comes to firms monitoring their outsourcing arrangements.
Marcos Zubrzycki, Senior Manager - Asset Management, PwC