Weak control of outsourcing putting banks at risk - Regulator
Poor management of outsourcing is putting banks at risk, the Central Bank has warned.
The Regulator warned of "very serious failings" in the governance of outsourcing across the banks in Ireland and branded some cases "astonishing", citing bad management of the arrangements, lack of oversight and a lack of engagement and challenge from the banks' boards.
Ed Sibley, director of Credit Institutions at the Central Bank, said that while there had been improvements, the regulator continued to see overall governance weaknesses across the institutions it supervised, including issues around internal reporting to boards and management, and risk management.
"Firstly, we continue to see very serious failings in the governance of outsourcing across the banks," Mr Sibley said.
"To be frank, I find this is astonishing. It is obvious that the ultimate responsibility for the proper management of risks associated with outsourcing arrangements and the outsourced activities resides with boards and senior management of banks - not the outsource provider.
"However, in practice, arrangements are too frequently being badly managed as a result of weak outsourcing frameworks, lack of oversight, poor risk information, and a lack of engagement and challenge from boards on the robustness of these arrangements."
The comments come just weeks after Ulster Bank was fined €3.3m by the Central Bank in respect of failures over anti-money laundering (AML) and countering of the financing of terrorism (CFT).
The breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010 admitted by Ulster Bank Ireland DAC (formerly Ulster Bank Ireland Limited) occurred over a six-year period until this year.
The breaches identified significant failings in Ulster Bank's outsourcing of governance and control of AML/CFT, risk assessment and customer due diligence.
In his address to the Institute of Banking, Mr Sibley said that while outsourcing was not new, it was increasing in prominence as banks looked to cut costs. Mr Sibley pointed to guidelines from the European Banking Authority on outsourcing, but said the regulator continued to see instances where they were not being followed, resulting in "serious risks being run".
He also raised concerns about the quality of internal reporting to boards and senior management and issues with the "three lines of defence" in terms of risk management.
"Unfortunately, we are seeing inconsistencies in practices across the sector," he said.