Skip to main content

IORP II Outsourcing Requirements

Irish pension trustees routinely rely on external service providers — administrators, investment managers, actuaries, legal advisers, technology platforms — to deliver scheme operations. IORP II imposes structured requirements on all such outsourcing arrangements. These requirements are set out in Article 31 of IORP II and transposed in Section 64AK of the Pensions Act 1990 as amended by S.I. 128/2021. The governing principle is clear: trustees can delegate tasks, but they cannot delegate accountability.

The Non-Delegable Fiduciary Responsibility

Trustees cannot outsource their fiduciary responsibility. Regardless of how many functions are outsourced to third parties, the trustee board retains full legal accountability for the governance, management, and compliance of the scheme. If an outsourced service provider fails to perform, the trustees — not the provider — are accountable to members and the Pensions Authority.This means the trustee board must actively oversee all outsourced functions, receive performance reports, and retain the ability to terminate and replace providers. Passive reliance on an outsourced provider is not adequate governance.

When Is It Outsourcing?

Under IORP II, outsourcing means any arrangement under which a service provider (internal or external) carries out a process, service, or activity that would otherwise be performed by the IORP itself. This is intentionally broad. It includes:
  • Scheme administration (member records, benefit calculations, communications)
  • Investment management (discretionary or advisory)
  • Actuarial services (ACS, technical provisions, funding advice)
  • Legal and compliance advisory services
  • IT and technology platforms (including PensionPortal.ai)
  • Any Key Function Holder role filled by an external provider

Written Agreement Requirements (Article 31 IORP II / Section 64AK Pensions Act)

Every outsourcing arrangement must be governed by a written agreement that meets minimum statutory standards. A verbal arrangement or a service provider’s standard terms of business (without appropriate pension-specific provisions) will not satisfy this requirement.

Mandatory Agreement Contents

A precise description of the services being provided, including scope, deliverables, and service standards. Vague descriptions (e.g., “administration services”) are not adequate — the agreement must be specific enough to allow meaningful performance monitoring.
Measurable performance standards against which the provider’s performance can be assessed. These should include accuracy targets, turnaround times for member communications, and reporting deadlines. Non-performance must be linked to remediation or termination rights.
The provider must report to the trustee board on defined matters at specified intervals. Reports must be adequate for the trustees to monitor performance and identify issues. Ad hoc reporting requirements (e.g., immediate notification of material incidents) should also be specified.
The provider cannot sub-outsource material elements of the service without prior written consent from the trustee board. The agreement must specify the process for approving sub-outsourcing and must require the sub-contractor to meet equivalent standards.
For providers that process personal data on behalf of the scheme, a compliant Data Processing Agreement (DPA) is required under GDPR and the Data Protection Acts 1988–2018. The DPA must cover processing purposes, data subject rights, security measures, breach notification, and sub-processor restrictions.
The provider must maintain and test a business continuity plan that covers service disruption scenarios. Trustees must receive evidence of BCP testing at agreed intervals, and the provider must notify trustees promptly of any activations.
The trustee board (or its appointed auditor) must have the contractual right to audit the provider’s performance of the contracted services. This right must be exercisable on reasonable notice and must not be conditional on provider consent.
The agreement must provide for termination — for cause (material breach, insolvency) and, where appropriate, without cause on reasonable notice. Transition assistance obligations (data return, continuity support) must be specified, ensuring the scheme can migrate to a new provider without disruption to members.

Notification Obligations: Outsourcing a Key Function

When a trustee board outsources a Key Function (risk management, internal audit, actuarial, compliance), the Pensions Authority must be notified. This notification requirement applies in addition to the notification of the KFH appointment itself. Trustees should ensure that Pensions Authority notifications are completed before or immediately upon commencement of the outsourced arrangement.
Under Section 64AK(3) of the Pensions Act 1990, notification must be provided in the form and manner specified by the Pensions Authority. PensionPortal.ai generates Pensions Authority notifications for KFH outsourcing arrangements as part of the outsourcing registration workflow.

Common Outsourcing Arrangements in Practice

Scheme Administrator

The most common outsourced function. The administrator manages member records, processes contributions and withdrawals, prepares benefit calculations, and handles member communications. Almost universally outsourced in Irish pension schemes.

Investment Manager

Discretionary investment managers act under an Investment Management Agreement (IMA) that must meet both IORP II outsourcing requirements and any applicable MiFID II or AIFMD requirements. The trustee board retains responsibility for the investment policy and for monitoring manager performance against it.

Actuary

Where the scheme has an Actuarial KFH requirement, the actuary is almost always an external firm. The engagement letter must meet IORP II outsourcing requirements. The actuary’s ACS is a primary regulatory submission.

Legal Adviser

Legal advisers provide regulatory and scheme-specific advice. While legal advice relationships are subject to professional privilege, the engagement arrangements must still comply with IORP II outsourcing standards where the adviser carries out scheme governance functions.

Technology Platforms

IT platforms that process scheme data or support governance activities are within scope of IORP II outsourcing requirements. This includes pension administration software, governance platforms (such as PensionPortal.ai), and any cloud services used to process member data.

Key Function Holders (Outsourced)

Any of the four KFH roles can be outsourced to a suitably qualified professional firm. The Pensions Authority must be notified of both the outsourcing arrangement and the identity of the responsible individual at the outsourced firm.

PensionPortal.ai as an Outsourced Service Provider

PensionPortal.ai operates as a technology service provider and data processor for Irish pension schemes. We have designed our arrangements to meet IORP II outsourcing requirements in full.
RequirementPensionPortal.ai Position
Written AgreementFull Data Processing Agreement (DPA) provided to all clients, meeting GDPR and IORP II requirements
Audit RightsTrustees have the right to audit PensionPortal.ai’s processing activities under the DPA
Security StandardsSOC 2 Type II aligned controls; annual penetration testing; encryption at rest and in transit
Business ContinuityDocumented BCP and DR plan; 99.9% uptime SLA; evidence of BCP testing on request
Sub-Processor TransparencyFull sub-processor list available (see below); client notification of material sub-processor changes
Data ReturnOn termination, client data is returned in structured format within 30 days; data deleted per agreed schedule
PA Notification SupportPensionPortal.ai supports trustees in completing Pensions Authority outsourcing notifications

Sub-Outsourcing: PensionPortal.ai Sub-Processor Chain

PensionPortal.ai uses a limited number of sub-processors to deliver the platform. Each sub-processor is subject to contractual data protection obligations equivalent to those in our client DPAs.
Trustees should record PensionPortal.ai’s sub-processors in their scheme’s outsourcing register. Our full sub-processor list is available in the PensionPortal.ai Data Processing Agreement and on request from your account manager.
Sub-ProcessorRoleLocation
Cloud Infrastructure ProviderHosting, storage, computeEU/EEA
Authentication ProviderIdentity and access managementEU/EEA
AI Model ProviderAI-assisted narrative generation (ORA, board reports)Subject to data processing controls
Email DeliverySystem notifications and alertsEU/EEA
All AI processing of scheme data uses privacy-preserving configurations. No scheme data is used to train AI models.

The Outsourcing Register

The Pensions Authority expects trustees to maintain an outsourcing register — a centralised record of all outsourcing arrangements. This is a primary evidence item in supervisory reviews.

What the Outsourcing Register Should Contain

For each outsourcing arrangement:
  1. Provider name and contact details
  2. Nature of the outsourced function (is it a key function?)
  3. Date of appointment
  4. Key agreement terms (contract reference, term, notice period, SLA summary)
  5. Sub-outsourcing arrangements approved under the agreement
  6. Pensions Authority notification status (date notified, if applicable)
  7. Last performance review date and outcome
  8. KFH status (if the provider holds a KFH role)
  9. Data protection (DPA in place, data categories processed)

PensionPortal.ai Outsourcing Register

PensionPortal.ai provides a built-in outsourcing register that maintains all required fields, generates Pensions Authority notification templates where a key function is outsourced, and triggers review reminders based on contract terms. The register is included in the scheme’s exportable supervisory review evidence pack.

Legislative References

  • IORP II Directive, Article 31: Outsourcing
  • S.I. 128/2021, Regulation 32: Outsourcing requirements
  • Pensions Act 1990, Section 64AK: Outsourcing (as inserted by Pensions (Amendment) Act 2022)
  • Pensions Authority IORP II Guidance