
A Practitioner’s Guide to IT Outsourcing: What is IT Outsourcing?
In this first article of our mini-series ‘A Practitioner’s Guide to IT Outsourcing’, Rhiannon Monahan, an Associate Director within our Governance and Consulting Services Group and former Head of Outsourcing Oversight to a number of financial entities, outlines some practical suggestions on how to identify IT Outsourcing; how to categorise arrangements for IT Services; and the divergence between the outsourcing guidelines and the Digital Operational Resilience Act (“DORA”).
What is IT Outsourcing?
Under the Central Bank of Ireland’s Cross Industry Guidance on Outsourcing, each arrangement with a third-party service provider must be assessed to determine whether it is outsourcing, by considering the following:
- The service is recurrent or ongoing in nature;
- The service would normally fall within the scope of functions that would or could be performed by the entity itself; and
- It is realistic that the entity could perform the service, even if it has never performed the service previously.
Should you answer ‘yes’ to each of these three criteria, the arrangement should be classified as ‘outsourcing’ in the context of the outsourcing guidelines.
When it comes to IT Services, many firms continue to struggle to assess arrangements under the second and third criteria above, as it can be difficult to differentiate between technologies that perform a “service” and technology-based tools which support the performance of a service in-house. In other words, when does technology move from simple process automation to process performance?
IT Service Categories
While firms must consider the criteria outlined above, there is no universally accepted methodology to identify IT Outsourcing. To aid this process, it can be helpful to group the arrangements based on the business case they are trying to solve and the impact they have on a firm’s ability to meet its regulatory obligations. For example:
Technology Productivity Tools
Technology can be used to create efficiencies in the way in which part of a process or procedure is completed e.g. electronic signature tools, slide-deck design and formatting. In using these tools, the firm’s employees retain responsibility for the performance of the service but benefit from the management of unstructured data or the automation of a minor task. On the basis that they are clerical in nature, technology-based productivity tools are usually not recognised as outsourcing.
Network Infrastructure
Firms rely on a combination of hardware and software components to ensure their devices operate at a basic level, e.g. operating systems for laptops and mobiles, internet connections and software-defined networks. It would be difficult to argue that financial entities could realistically develop the features and components of Network Infrastructures in-house, and as such these arrangements are not typically considered outsourcing.
Software as a Service
Firms purchase software licenses which allow for the automation of end-to-end processes. Where these processes are instrumental to the firm’s continued compliance with regulatory or legal obligations such that any system outage or disruption will have a detrimental impact, it will be difficult for firms to argue that such arrangements are not outsourcing.
Technology Storage Solution
Record retention is a regulatory requirement for firms, with many now storing their data in a mix of privately owned and managed data centres as well as in private or public cloud solutions. Where the firm is using an IT Service as a data storage solution such that it is the IT Service Provider who is deemed to hold the true and official copy of the information, these arrangements will typically be recognised as outsourcing.
Outsourcing vs. DORA
While all IT Services contracted for by a financial entity are in scope of DORA, not all IT Services will be considered IT Outsourcing. For this reason, firms should expect the volume of contracts detailed in their DORA Register of Information to be, at times, far greater than the number of arrangements listed in their outsourcing register.
It goes without saying that all service arrangements should be subject to proportionate due diligence and oversight in accordance with the firm’s Outsourcing Framework or Vendor Management Programme, as appropriate. While the outsourcing guidelines outline prescriptive requirements for the oversight and due diligence of IT Outsourcing, firms will need to be cognisant that DORA adds a further layer of oversight measures for all IT Services, especially for those that support critical or important functions.
How can we help?
While this article outlines a practical approach to identifying IT Outsourcing, the process is rarely straightforward in practice. Each arrangement should be assessed on a case-by-case basis to determine whether the outsourcing guidelines, DORA or both apply.
If you would like to discuss any points raised in this article further, please do not hesitate to contact your usual Arthur Cox contact(s), or any member of the Governance and Consulting Services or Technology and Innovation groups to discuss how we can help you.