Dangers of Outsourcing by Regulated Entities

June 30, 2014

On 15 May 2014, the Central Bank of Ireland announced that it had entered into a settlement agreement with FBD Insurance, fining the company €490,000 for various breaches of the Consumer Protection Code 2006 (‘CPC 2006’).[1] In a statement issued on the same day, the Central Bank identified six specific grounds on which FBD failed to ensure that it had the ‘resources and procedures, systems and controls necessary to ensure compliance with the 2006 Code’. Identified as key amongst these breaches was the failure by FBD to ensure that regulated activities it outsourced to third-party service providers were compliant and remained compliant with CPC 2006.[2]

This decision will be of great interest to any entity regulated by the Central Bank, particularly those subject to the Consumer Protection Code 2012 (‘CPC 2012’), which replaced CPC 2006, that has outsourced, or is contemplating outsourcing, regulated activities to a third party. But it is also of relevance to other regulated entities because the lessons are of universal application. The decision emphasises the need to have robust oversight and management mechanisms in place to ensure that the outsourced activity is being conducted in accordance with the provisions of CPC 2012. Any failure to do so has the potential to render the regulated entity liable to administrative sanction.

This article outlines some key features of the settlement agreement, the obligations that CPC 2012 places on entities caught by it when outsourcing activities to third parties, and the consequences of failing to comply with those obligations. It also addresses whether, and if so how, a regulated entity can, in a legally enforceable manner, pass on to the outsourced service provider any fines, losses or costs incurred by the regulated entity due to a failure of the outsourced service provider to adhere to the provisions of CPC 2012.

The Settlement

The settlement relates to a number of breaches of CPC 2006, which occurred between 2006 and 2011. The contraventions identified include failing to:

· provide adequate staff training;

· disclose ‘relevant material information’ to consumers;

· have an adequate complaints handling procedure in place; and

· ensure that regulated activities outsourced to other entities were carried out in compliance with CPC 2006.

In setting out the background to the settlement, the Central Bank noted the fact that FBD voluntarily disclosed the breaches by way of a report, following which the Central Bank conducted its own investigation into the matter. The Central Bank also acknowledged the fact that FBD had acted promptly to take appropriate remedial steps to remedy the breaches, had enhanced its controls around the outsourcing of regulated activities, and had cooperated fully at all stages of the investigative and punitive procedure.

Notwithstanding this, the Central Bank went on to impose a fine of €490,000 on the insurer, stating that ‘the penalties imposed in this case reflect the seriousness with which the Central Bank treats the relevant contraventions’.

Importantly from the point of view of regulated entities engaged in outsourcing, the Central Bank went on to note that ‘in particular the Central Bank considers it entirely inappropriate for firms to outsource regulated activity without appropriate oversight and assurance that the regulated activity is being conducted in accordance with the 2006 Code’.

These remarks, coupled with the amount of the fine imposed despite the presence of significant mitigating factors, show the importance the Central Bank places on compliance with the outsourcing-related obligations imposed by CPC 2006 and now CPC 2012. It can be assumed that the same importance attaches to outsourcing-related requirements contained elsewhere, including in the European Communities (Markets in Financial Instruments) Regulations 2007 (the ‘MiFID Regulations’) for MiFID firms.

Relevant Provisions of the Code

CPC 2012[3] replaced CPC 2006 with effect from 1 January 2012. However, CPC 2006 is still relevant to the extent that previous contraventions of it may have taken place. CPC 2012 applies to all ‘Regulated Entities’ when they are providing financial services to a consumer, save for certain types of services, including MiFID services. CPC 2012 lays down strict requirements with regard to ‘outsourced activity’, which it defines broadly as ‘where a regulated entity employs another person (other than a natural person who is an employee of the regulated entity under a contract of service) to carry out an activity on its behalf’. The Regulated Entity ‘must ensure that any outsourced activity complies with the requirements of this Code’.

Therefore, an obligation is placed on all entities caught by CPC to ensure that any outsourced activities are carried out in accordance with the terms of CPC 2012. This reflects the principles outlined in the Committee of European Banking Supervisors (‘CEBS’) Guidelines on Outsourcing,[4] which provide that ‘The outsourcing of functions does not relieve an outsourcing institution of its regulatory responsibilities for its authorised activities’.[5] Whilst not part of Irish law or constituting formal Central Bank guidelines, the Central Bank generally expects regulated entities to comply with the requirements of the CEBS Guidelines whenever they undertake an outsourcing.

Chapter 1 of CPC 2012 provides that the full range of administrative sanctions and procedures contained in Part IIIC of the Central Bank Act 1942[6] is available to the Central Bank in enforcing the Code’s provisions.[7] Under the Central Bank (Supervision and Enforcement) Act 2013,[8] a ‘monetary penalty’ may be imposed ‘not exceeding’ the greater of: (i) €10,000,000 or 10% of turnover, where the financial services provider is a body corporate or an unincorporated body; or (ii) €1,000,000, where the financial services provider is an individual.[9]

Other administrative sanctions available include the power to conduct an inquiry into suspected or alleged contraventions, make findings in respect of such, suspend or revoke an entity’s authorisation, and order an entity to pay the costs of the Central Bank’s investigation. Put together, these regulatory powers are intended to prompt serious and continuous efforts by a regulated entity to comply with all requirements within CPC 2012. 

Analysis

It is clear from the above that regulated entities have an obligation to ensure that outsourced activity is conducted in accordance with the terms of the CPC 2012. The Central Bank’s comments in the FBD settlement agreement make it clear that outsourcing related obligations will be strictly monitored and enforced. Even entities who voluntarily disclose breaches, comply fully with any investigation conducted, and take appropriate remedial steps to limit damage, may be subject to hefty fines.

It is therefore important that regulated entities have proper ‘resources and procedures, systems and controls’ in place to ensure that breaches do not occur. All regulated entities that outsource activities to third parties must have ‘appropriate oversight and assurance’ that the outsourced activity is being conducted in accordance with CPC 2012, or other relevant legislation, such as the MiFID Regulations. Steps in this regard include:

· inserting appropriate terms into the contract between the regulated entity and the outsource service provider. The contract should clearly and unambiguously provide that all activities undertaken by the service provider will comply with the terms of CPC 2012, or other relevant legislation;

· the regulated entity should retain appropriate audit, inspection and information request rights to allow it to ascertain whether, and ensure that, all obligations are being adhered to. The imposition of reporting requirements in relation to the carrying out of the outsourced activity and any breach of regulatory requirements that may occur should also be considered; and

· as is always the case with any outsourcing, to a large extent the transaction is only as strong as its governance and contract management regime. In a regulated environment these should include regulatory compliance as an essential feature of relationship management.

In the event that CPC 2012, or another relevant requirement, is breached by the outsource service provider and the regulated entity is subject to a fine or other penalty, the contract should ideally provide that the regulated entity will be made financially whole. From the regulated entity’s perspective, this is best achieved by way of an on-demand indemnity, whether with or without a financial cap. Obviously, it will be a matter of negotiation as to what form of protection the regulated entity customer succeeds in achieving, and a question of fact whether the relevant provision applies. It is a matter of construction whether the indemnity effectively operates as a form of limitation clause, requiring litigation to secure recovery, or as a true indemnity clause, allowing recovery without litigation. The indemnity clause should be clear in its terms in order to temper, in so far as possible, the judicial tendency to interpret such clauses as akin to limitation of liability clauses, requiring litigation to enforce. In addition, if properly constructed, an indemnity clause may avoid the risk of being held to be void on public policy grounds, on the basis that the sanction to which it relates is administrative rather than criminal in nature. It should be noted that, as well as construction challenges, there are public policy based principles which require consideration whenever a customer attempts to pass on to a service provider fines and penalties imposed on the customer by the regulatory authorities to which it is subject. Legal advice should be taken in this area and, if nothing else, reflecting a certain element of risk in this area, an indemnity clause should be stated to be effective ‘to the extent permitted by law’.

In our experience, all too frequently, at the point at which a customer comes to rely on an indemnity clause, deficiencies in clause construction and drafting come to light which challenge enforcement as an on-demand indemnity mechanism, as opposed to a litigation based recovery mechanism. As ever with complex areas, drafting is key and reliance on standard corporate contract models is generally inadvisable.

The FBD settlement agreement is a timely reminder that outsourcing by regulated entities carries with it requirements not found in the non-regulated sector. Outsourcing lawyers would view these requirements as effectively formalising what is a summary of good practice in the relevant areas. The requirements should be dealt with both in the outsourcing contract and, more importantly in terms of implementation, in the governance and contract management procedures, generally set out in the contract schedules or supporting documentation. As with all outsourcing engagements, active and ongoing policing and management of requirements, expressed through the governance and contract management procedures, is a more challenging task than the inclusion of contractual terms, which is a one-off drafting exercise. As the settlement agreement states, the requirement for ‘resources and procedures, systems and controls necessary to ensure compliance with’ regulatory requirements is a key area of concern for the Central Bank. The financial services sector is not alone in facing challenges in this area, and outsourcing lawyers would typically identify governance and contract management as key factors in determining the success of any material outsourcing engagement. However, the financial services sector is alone in its regulatory supervisory obligations.

The old adage is true: one can outsource everything except one’s responsibilities. As stated above, the CEBS Guidelines on Outsourcing provide that ‘The outsourcing of functions does not relieve an outsourcing institution of its regulatory responsibilities for its authorised activities’. What the FBD settlement demonstrates above all else is the need for oversight and control of external service providers; as the Central Bank stated, it considers it ‘entirely inappropriate for firms to outsource regulated activity without appropriate oversight and assurance that the regulated activity is being conducted in accordance with the 2006 Code’. The message is clear: if you outsource an activity you retain responsibility for the functional area outsourced and must retain ‘appropriate oversight and assurances’ in terms of operational control.

Pearse Ryan is a partner in the Technology & Innovation Group at Arthur Cox, Dublin, Rob Cain is a partner in the Finance Group at Arthur Cox and Emma Dunne is a trainee in the Technology & Innovation Group there.

[1] https://www.centralbank.ie/regulation/processes/consumer-protection-code/Documents/Consumer%20Protection%20Code.pdf

[2] http://www.centralbank.ie/press-area/press-releases/Pages/SettlementAgreementFBDInsuranceplc.aspx

[3] http://www.centralbank.ie/regulation/processes/consumer-protection-code/documents/consumer%20protection%20code%202012.pdf

[4] https://www.eba.europa.eu/documents/10180/104404/GL02OutsourcingGuidelines.pdf.pdf

[5] Ibid., Part 2, Guideline 2.

[6] An administrative consolidation of which (updated to 22 February 2013) can be found at: http://www.lawreform.ie/_fileupload/Restatement/OtherDocsRelatedToSLR/EN_ACT_1942_0022.PDF

[7] The Central Bank’s ability to apply sanctions is applicable in circumstances where the ‘Bank makes a finding that a regulated financial service provider is committing or has committed a prescribed contravention, it may impose on the financial service provider one or more of’ a range of sanctions: Section 33AQ(iii) of the Central Bank Act 1942, as amended.

[8] http://www.irishstatutebook.ie/pdf/2013/en.act.2013.0026.pdf

[9] Central Bank (Supervision and Enforcement) Act 2013 (Ibid., at Footnote 7), Section 68.