Michael McGrath (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

357. To ask the Minister for Finance if the Central Bank of Ireland has established protocols for financial institutions who wish to outsource information technology functions; if its approval is required prior to commencement of significant outsourcing projects; and if he will make a statement on the matter. [22495/15]

Michael McGrath (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

359. To ask the Minister for Finance his views that some bank information technology outsourcing has resulted in reduced quality of customer service and increased risk for the institution; the way the interests of consumers can be protected from potential adverse effects of outsourcing; and if he will make a statement on the matter. [22497/15]

Michael Noonan (Limerick City, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I propose to take Questions Nos. 357 and 359 together.

The Central bank has informed me that under the Consumer Protection Code 2012 (CPC 2012) a regulated entity must ensure that in all its dealings with customers, and within the context of its authorisation, it ensures that any outsourced activity complies with the requirements of this Code (General Principle 2.10 CPC 2012).

The Central Bank has a protocol in place for Credit Institutions who wish to outsource. Specifically, banks are required to demonstrate compliance with the EBA Guidelines on Outsourcing, dated 14 December 2006, which sets out the relevant requirements for banks in respect of any outsourcing arrangements. The Central Bank reviews a bank's outsourcing proposal against these guidelines and indicates its non-objection or otherwise, it does not formally approve these proposals.

The effect of provision 2.10 of the Code is that a regulated entity must ensure that any company operating under an outsourcing arrangement from that regulated firm, acts in accordance with the rules of the Consumer Protection Code.

The Central Bank has previously commented in relation to IT failures specifically and stated that Ultimate accountability for compliance remains with firms and they must ensure that they maintain oversight of outsourced activities. Where firms and their management fail to ensure that robust governance arrangements are in place for in-house and outsourced IT systems, they should expect vigorous investigation and follow up by the Central Bank, and for the Central Bank to exercise its powers, including sanctioning powers where appropriate.

All financial institutions are expected to have adequate systems and controls in place and where issues that impact customers arise they should be addressed and rectified urgently, particularly as customers are increasingly using and becoming dependent on online and mobile banking services.

In this regard, the Central Bank expects firms to communicate clearly and promptly with affected customers when a technical incident occurs, including details of the impacted service, details of alternative access to services and an undertaking that identifiable loss will be remediated. The Central Bank's expectations have been communicated to banks and are provided for in the Consumer Protection Code as follows:

Section 2.4 of the Consumer Protection Code 2012 provides that a regulated entity must ensure that in all its dealings with customers and within the context of its authorisation it has and employs effectively the resources, policies and procedures, systems and control checks, including compliance checks, and staff training that are necessary for compliance with this Code.

Section 10.2 also provides that a regulated entity must resolve all errors speedily and no later than six months after the date the error was first discovered, including:

a) correcting any systems failures;

b) ensuring effective controls are implemented to prevent any recurrence of the identified error;

c) effecting a refund (with appropriate interest) to all consumers who have been affected by the error, where possible; and

d) notifying all affected consumers, both current and former, in a timely manner, of any error that has impacted or may impact negatively on the cost of the service, or the value of the product, provided, where possible.