Skip to main content

IORP II Outsourcing Requirements

Irish pension trustees routinely rely on external service providers — administrators, investment managers, actuaries, legal advisers, technology platforms — to deliver scheme operations. IORP II imposes structured requirements on all such outsourcing arrangements. These requirements are set out in Article 31 of IORP II and transposed in Section 64AK of the Pensions Act 1990 as amended by S.I. 128/2021. The governing principle is clear: trustees can delegate tasks, but they cannot delegate accountability.

The Non-Delegable Fiduciary Responsibility

Trustees cannot outsource their fiduciary responsibility. Regardless of how many functions are outsourced to third parties, the trustee board retains full legal accountability for the governance, management, and compliance of the scheme. If an outsourced service provider fails to perform, the trustees — not the provider — are accountable to members and the Pensions Authority.This means the trustee board must actively oversee all outsourced functions, receive performance reports, and retain the ability to terminate and replace providers. Passive reliance on an outsourced provider is not adequate governance.

When Is It Outsourcing?

Under IORP II, outsourcing means any arrangement under which a service provider (internal or external) carries out a process, service, or activity that would otherwise be performed by the IORP itself. This is intentionally broad. It includes:
  • Scheme administration (member records, benefit calculations, communications)
  • Investment management (discretionary or advisory)
  • Actuarial services (ACS, technical provisions, funding advice)
  • Legal and compliance advisory services
  • IT and technology platforms (including PensionsPortal.ie)
  • Any Key Function Holder role filled by an external provider

Written Agreement Requirements (Article 31 IORP II / Section 64AK Pensions Act)

Every outsourcing arrangement must be governed by a written agreement that meets minimum statutory standards. A verbal arrangement or a service provider’s standard terms of business (without appropriate pension-specific provisions) will not satisfy this requirement.

Mandatory Agreement Contents

A precise description of the services being provided, including scope, deliverables, and service standards. Vague descriptions (e.g., “administration services”) are not adequate — the agreement must be specific enough to allow meaningful performance monitoring.
Measurable performance standards against which the provider’s performance can be assessed. These should include accuracy targets, turnaround times for member communications, and reporting deadlines. Non-performance must be linked to remediation or termination rights.
The provider must report to the trustee board on defined matters at specified intervals. Reports must be adequate for the trustees to monitor performance and identify issues. Ad hoc reporting requirements (e.g., immediate notification of material incidents) should also be specified.
The provider cannot sub-outsource material elements of the service without prior written consent from the trustee board. The agreement must specify the process for approving sub-outsourcing and must require the sub-contractor to meet equivalent standards.
For providers that process personal data on behalf of the scheme, a compliant Data Processing Agreement (DPA) is required under GDPR and the Data Protection Acts 1988–2018. The DPA must cover processing purposes, data subject rights, security measures, breach notification, and sub-processor restrictions.
The provider must maintain and test a business continuity plan that covers service disruption scenarios. Trustees must receive evidence of BCP testing at agreed intervals, and the provider must notify trustees promptly of any activations.
The trustee board (or its appointed auditor) must have the contractual right to audit the provider’s performance of the contracted services. This right must be exercisable on reasonable notice and must not be conditional on provider consent.
The agreement must provide for termination — for cause (material breach, insolvency) and, where appropriate, without cause on reasonable notice. Transition assistance obligations (data return, continuity support) must be specified, ensuring the scheme can migrate to a new provider without disruption to members.

Notification Obligations: Outsourcing a Key Function

When a trustee board outsources a Key Function (risk management, internal audit, actuarial, compliance), the Pensions Authority must be notified. This notification requirement applies in addition to the notification of the KFH appointment itself. Trustees should ensure that Pensions Authority notifications are completed before or immediately upon commencement of the outsourced arrangement.
Under Section 64AK(3) of the Pensions Act 1990, notification must be provided in the form and manner specified by the Pensions Authority. PensionsPortal.ie generates Pensions Authority notifications for KFH outsourcing arrangements as part of the outsourcing registration workflow.

Common Outsourcing Arrangements in Practice

Scheme Administrator

The most common outsourced function. The administrator manages member records, processes contributions and withdrawals, prepares benefit calculations, and handles member communications. Almost universally outsourced in Irish pension schemes.

Investment Manager

Discretionary investment managers act under an Investment Management Agreement (IMA) that must meet both IORP II outsourcing requirements and any applicable MiFID II or AIFMD requirements. The trustee board retains responsibility for the investment policy and for monitoring manager performance against it.

Actuary

Where the scheme has an Actuarial KFH requirement, the actuary is almost always an external firm. The engagement letter must meet IORP II outsourcing requirements. The actuary’s ACS is a primary regulatory submission.

Legal Adviser

Legal advisers provide regulatory and scheme-specific advice. While legal advice relationships are subject to professional privilege, the engagement arrangements must still comply with IORP II outsourcing standards where the adviser carries out scheme governance functions.

Technology Platforms

IT platforms that process scheme data or support governance activities are within scope of IORP II outsourcing requirements. This includes pension administration software, governance platforms (such as PensionsPortal.ie), and any cloud services used to process member data.

Key Function Holders (Outsourced)

Any of the four KFH roles can be outsourced to a suitably qualified professional firm. The Pensions Authority must be notified of both the outsourcing arrangement and the identity of the responsible individual at the outsourced firm.

PensionsPortal.ie as an Outsourced Service Provider

PensionsPortal.ie operates as a technology service provider and data processor for Irish pension schemes. We have designed our arrangements to meet IORP II outsourcing requirements in full.
RequirementPensionsPortal.ie Position
Written AgreementFull Data Processing Agreement (DPA) provided to all clients, meeting GDPR and IORP II requirements
Audit RightsTrustees have the right to audit PensionsPortal.ie’s processing activities under the DPA
Security StandardsSOC 2 Type II aligned controls; annual penetration testing (planned for 2026; not yet conducted); encryption at rest and in transit
Business ContinuityDocumented BCP and DR plan; 99.9% uptime SLA; evidence of BCP testing on request
Sub-Processor TransparencyFull sub-processor list available (see below); client notification of material sub-processor changes
Data ReturnOn termination, client data is returned in structured format within 30 days; data deleted per agreed schedule
PA Notification SupportPensionsPortal.ie supports trustees in completing Pensions Authority outsourcing notifications

Sub-Outsourcing: PensionsPortal.ie Sub-Processor Chain

PensionsPortal.ie uses a limited number of sub-processors to deliver the platform. Each sub-processor is subject to contractual data protection obligations equivalent to those in our client DPAs.
Trustees should record PensionsPortal.ie’s sub-processors in their scheme’s outsourcing register. Our full sub-processor list is available in the PensionsPortal.ie Data Processing Agreement and on request from your account manager.
Sub-ProcessorRoleLocation
Cloud Infrastructure ProviderHosting, storage, computeEU/EEA
Authentication ProviderIdentity and access managementEU/EEA
AI Model ProviderAI-assisted narrative generation (ORA, board reports)Subject to data processing controls
Email DeliverySystem notifications and alertsEU/EEA
All AI processing of scheme data uses privacy-preserving configurations. No scheme data is used to train AI models.

The Outsourcing Register

The Pensions Authority expects trustees to maintain an outsourcing register — a centralised record of all outsourcing arrangements. This is a primary evidence item in supervisory reviews.

What the Outsourcing Register Should Contain

For each outsourcing arrangement:
  1. Provider name and contact details
  2. Nature of the outsourced function (is it a key function?)
  3. Date of appointment
  4. Key agreement terms (contract reference, term, notice period, SLA summary)
  5. Sub-outsourcing arrangements approved under the agreement
  6. Pensions Authority notification status (date notified, if applicable)
  7. Last performance review date and outcome
  8. KFH status (if the provider holds a KFH role)
  9. Data protection (DPA in place, data categories processed)

PensionsPortal.ie Outsourcing Register

PensionsPortal.ie provides a built-in outsourcing register that maintains all required fields, generates Pensions Authority notification templates where a key function is outsourced, and triggers review reminders based on contract terms. The register is included in the scheme’s exportable supervisory review evidence pack.

Conflicts of Interest in Provider Selection

The Pensions Authority expects trustees to apply rigorous, documented due diligence to the selection and renewal of outsourced service providers — and that due diligence must address conflicts of interest.
Where a trustee, KFH, or connected person has a commercial or financial relationship with a service provider being considered for appointment, this is a conflict of interest that must be declared, documented, and managed. A trustee who votes to appoint a provider with whom they have an undisclosed commercial relationship is in breach of their fiduciary duty.
What trustees must do:
  1. Before any appointment: Confirm whether any trustee, KFH, or connected person has a commercial or financial relationship with the proposed provider. Document the outcome — including where the result is nil.
  2. Where a conflict exists: Record the conflict in the COI register. Consider whether the conflicted person should be excluded from the selection process. Ensure the final appointment decision is made by unconflicted trustees.
  3. At renewal: Repeat the COI check at the point of contract renewal. Conflicts can arise after initial appointment. A provider that was unconflicted in Year 1 may have acquired a commercial relationship with a trustee by Year 3.
  4. Master trust structures: Where the master trust founder or promoter has a commercial interest in appointed providers, the trustees must document the governance arrangements that ensure appointments are made on merit. This may include appointing an independent trustee or adviser to manage the conflicted relationship.
Navigate to Schemes → [Your Scheme] → Governance → Conflicts of Interest to record and manage COI declarations related to provider selection. For a trustee-facing guide, see: Conflicts of Interest →

Sub-Outsourcing — What the PA Expects

Sub-outsourcing occurs when a service provider appointed by the trustees delegates material elements of the contracted service to a third party. This is common in practice — administrators sub-contract IT processing, investment managers use sub-custodians, technology platforms use cloud infrastructure providers. The key obligation: Trustees cannot track only their primary service providers. They must understand and approve the sub-outsourcing chain.

What the Outsourcing Register Must Include

For each primary provider, the outsourcing register should include:
  • The provider’s known sub-contractors for material elements of the service
  • Whether written consent for sub-outsourcing was given under the primary agreement
  • Confirmation that the sub-contractor meets equivalent standards to the primary provider (data protection, security, BCP)

Contractual Requirements

The written agreement with each primary provider must:
  • Require the provider to obtain trustee consent before sub-outsourcing material elements
  • Require the provider to impose equivalent obligations on sub-contractors (data protection, security, BCP, audit rights)
  • Require notification of any changes to sub-outsourcing arrangements within a defined timeframe

Managing the Sub-Outsourcing Chain in Practice

Before appointing any service provider, ask for a list of their material sub-contractors. Review whether any sub-contractor presents a concentration risk (for example, if multiple primary providers use the same sub-custodian or IT platform). Document your review in the outsourcing register.
At each annual outsourcing register review, request updated sub-contractor lists from all primary providers. Confirm that any changes since the last review were notified as required under the agreement. Record the confirmation in the register.
PensionsPortal.ie operates as an outsourced technology provider and data processor. Our sub-processor list is maintained in our Data Processing Agreement and available on request. Trustees should record PensionsPortal.ie and its sub-processors in their outsourcing register. Our sub-processors are located in the EU/EEA.

DORA Integration — ICT Third-Party Oversight

From January 2025, the Digital Operational Resilience Act (DORA) applies to all Irish pension schemes with 16 or more members. DORA imposes specific requirements for managing ICT third-party risk that overlap significantly with the IORP II outsourcing framework. The critical principle: Trustees should maintain one integrated register — not parallel IORP II and DORA registers. Managing the same provider relationships through two separate processes creates duplication, inconsistency, and governance gaps.

Where IORP II Outsourcing and DORA ICT Requirements Overlap

RequirementIORP II Article 31DORA (EU 2022/2554)
Written agreement✅ Required✅ Required (with additional DORA clauses)
Sub-outsourcing consent✅ Required✅ Required
Audit rights✅ Required✅ Required
BCP/exit strategy✅ Required✅ Required (with testing evidence)
ICT incident reportingNot specified✅ Required — classified incidents reported to PA
ICT third-party registerNot specified✅ Required — all ICT providers tagged
Concentration riskImplicit✅ Explicit — trustees must assess and manage ICT concentration

The Integrated Register Approach

PensionsPortal.ie’s outsourcing register is designed to capture both IORP II and DORA requirements in one place:
  • Navigate to Schemes → [Your Scheme] → Governance → Outsourcing to maintain the IORP II outsourcing register for all service providers
  • Navigate to Schemes → [Your Scheme] → Governance → ICT Risk to maintain the DORA ICT third-party register, which tags ICT-specific providers and assets within the same provider relationships
Where a provider serves both an IORP II function (for example, scheme administration) and an ICT function (for example, the administration platform is cloud-hosted), they appear in both registers — but the data is maintained once.

DORA-Specific Written Agreement Clauses

Agreements with ICT providers must include DORA-specific clauses covering:
  • ICT incident notification obligations (including severity classification)
  • Requirements to maintain and test business continuity plans
  • Rights to conduct security audits
  • Data portability and exit assistance on termination
For ICT providers that are also key function providers (for example, a technology platform that supports the compliance function), both the IORP II key function outsourcing notification and the DORA ICT third-party registration are required. For the full DORA crosswalk, see: DORA Compliance →

Legislative References

  • IORP II Directive, Article 31: Outsourcing
  • S.I. 128/2021, Regulation 32: Outsourcing requirements
  • Pensions Act 1990, Section 64AK: Outsourcing (as inserted by Pensions (Amendment) Act 2022)
  • DORA, EU Regulation 2022/2554, Articles 28–30: ICT third-party risk management
  • Pensions Authority IORP II Guidance