2018-09-04 | Direction No. 7 of 2018

Central Bank of Sri Lanka Directions on Outsourcing of Business Operations

The Monetary Board of the Central Bank of Sri Lanka issued Directions No. 07 of 2018 to regulate the outsourcing of business operations by Licensed Finance Companies. The document prohibits the outsourcing of core functions such as deposit mobilization, risk management, and strategic decision-making while imposing strict governance, contractual, and reporting requirements for permissible activities. It establishes specific conditions for outsourcing internal audit and IT functions and mandates that Boards and Senior Management maintain effective oversight and risk management frameworks.


Sri Lanka

Central Bank of Sri Lanka

# MONETARY BOARD
## CENTRAL BANK OF SRI LANKA
### FINANCE BUSINESS ACT DIRECTIONS
**04 September 2018** | **No. 07 of 2018**

---

## OUTSOURCING OF BUSINESS OPERATIONS

In terms of the powers conferred by Section 12 of the Finance Business Act, No. 42 of 2011, the Monetary Board issues Directions on Outsourcing of Business Operations of Licensed Finance Companies (LFCs).

### 1. Applicability and scope

**1.1.** Outsourcing arrangements can bring cost savings and other benefits, but they may also increase the risk profile of an LFC, since failure of an outsourcing service provider to provide the service can lead to reputation, compliance and operational risks.

**1.2.** These Directions shall not be applied to outsourced arrangements that are not directly related to provision of financial services, such as mail, courier, catering, housekeeping and janitorial, security, printing services (e.g. application forms, brochures, statements), communication, recruitments on contract and temporary basis, payroll and secretarial functions.

### 2. Functions/operations or activities that cannot be outsourced

**2.1** An LFC may outsource its functions/operations or activities other than the following;

a. Services associated with mobilizing of deposits and withdrawals;

b. Assets and liabilities management;

c. Compliance function;

d. Customer Due Diligence (CDD) and Know Your Customer procedures (KYC);

e. Treasury management;

f. Risk management;

g. Strategic planning and decision-making;

h. Sanctioning of loans;

i. Internal audit function subject to Directions 6 below;

j. Information Technology related services subject to Directions 7 below;

---

### 3. General Conditions

**3.1** Every LFC shall at all times enter into a legally binding agreement with the outsourcing service provider hereinafter referred to as “outsourcing arrangement”.

**3.2** Outsourcing arrangements shall be entered into only with service providers who have specialized resources, capacity and expertise to perform such functions/operations or activities.

**3.3** Outsourcing arrangements shall not be entered into with a service provider in which substantial interest is held by Directors or employees and/or close relatives of a Director or an employee of the LFC.

**3.4** When the outsourcing service provider is the parent company or another related company of the LFC, the LFC shall comply with the provisions with regard to “Related Party Transactions” stipulated in Finance Companies (Corporate Governance) Direction No. 3 of 2008 or as amended.

### 4. Outsourcing Arrangement

**4.1** The outsourcing arrangement shall include at least the following;

a. Scope of the outsourcing arrangement including service standards;

b. Period of the agreement and conditions applicable on renewal/renegotiation;

c. Rights and responsibilities of the parties involved;

d. Internal control and risk management standards;

e. Confidentiality and security;

f. Business continuity management;

---

### 5. Responsibility of the Board and Senior Management

**5.1 Approval and Effective Oversight**

a. The Board of Directors (hereinafter referred to as “Board”) and the Senior Management of the LFC shall be responsible for providing an effective oversight of the outsourcing arrangements and managing the outsourcing risks.

b. The Board shall approve an outsourcing policy framework which governs the outsourcing arrangements. The policy shall contain the following minimum requirements;

i. A mechanism for identification and effective management of risks that could arise from outsourced arrangements;

ii. The delegated approving authority of the outsourcing arrangements;

iii. Procedures to be followed for the selection of outsourcing service providers;

iv. Cost-benefit analysis on each function/operation or activity to be outsourced;

v. A procedure to assess the service provider’s capacity, capability and mode/basis of payment to perform the obligations under the outsourcing arrangement; and

vi. The reporting mechanism of the review process of all the outsourcing arrangements.

**5.2 Implementation**

The Senior Management is responsible for the implementation of outsourcing arrangements in line with the Board approved outsourcing policy framework.

**5.3 Monitoring and Control**

a. Senior Management must ensure an independent review is undertaken by, either an internal unit or external party, at regular intervals, to ensure compliance of all outsourcing arrangements with the Board approved outsourcing policy framework.

b. Senior Management must, at least annually, assess the effectiveness of the outsourcing arrangement and based on the outcome of the assessment, shall decide on the continuity of such arrangement.

### 6. Outsourcing of Internal Audit Function

**6.1** An LFC shall not outsource its internal audit function, except in adherence to the conditions stated below;

a. An LFC with total assets less than Rs. 15 billion may fully outsource its internal audit function, if the LFC is able to justify the cost savings, improved efficiency and better management of resource constraints;

b. An LFC with total assets more than Rs. 15 billion should have an in-house internal audit department and may outsource branch and Information System (IS) audits and specialised audit assignments.

**6.2** The responsibility and control of the outsourced audit assignments shall continue to be with the Chairman of the Board Audit Committee (BAC). BAC shall ensure the compliance with the provisions stipulated in the Finance Companies (Corporate Governance) Direction No. 3 of 2008 or as amended.

**6.3** Internal audit function shall be outsourced to an Auditor appointed from the panel of external auditors approved by the Central Bank of Sri Lanka subject to the following conditions;

a. Such auditor shall not be the LFC’s present external auditor;

b. Any such appointment shall be made after a “cooling off” period of 2 years if such audit firm had been previously engaged in the external audit assignment of the LFC.

**6.4** The internal audit service provider shall not perform any management function or act, directly or indirectly, in a capacity equivalent to that of a member of management or an employee of the LFC.

**6.5** The internal audit service provider shall not provide consultancy services to a function/operation or activity of the LFC of which it is expected to audit or vice versa within a period of 2 years.

### 7. Outsourcing of Information Technology Function

**7.1** An LFC shall not outsource the Information Technology function except the following functions and shall be able to obtain cost savings, improved efficiency and better resource capabilities through the outsourcing arrangements;

a. Application/Systems development, testing, maintenance and support;

b. Technology infrastructure management, maintenance and support;

c. Help Desks;

d. Network administration;

e. Disaster recovery support services;

f. Data entry operations of non-core business activities;

g. Electronic banking systems (e.g. Internet banking, Mobile banking and Tele-banking) development, maintenance and support;

h. Web hosting and maintenance;

i. Credit/Debit/Automated Teller Machines (ATM) card printing;

j. Any other functions/activities except above shall be outsourced, with the prior approval of Director.

### 8. Outsourcing of Marketing & Recovery Functions

**8.1** The Marketing and recovery functions may be outsourced by LFCs subject to ensuring that the staff of the outsourcing service provider who are directly dealing with customers are properly trained to handle their responsibilities with care and prudence and comply with the provisions of the Finance Business Act Direction No. 01 of 2018 (Financial Customer Protection Framework) or as amended.

**8.2** If Central Bank of Sri Lanka receives any written/verbal complaints with respect to conduct of any outsourcing service provider, Director has the right to suspend such outsourcing arrangements upon further investigation.

### 9. Implementation

**9.1** These Directions shall be effective from the date of these Directions.

### 10. Transitional Arrangements

**10.1** If an LFC has already outsourced the core business functions/operations or activity stated in 2.1 above, approvals granted shall lapse within a period of six months from the effective date of these Directions.

### 11. Register of outsourcing arrangements and reporting

**11.1** LFC shall maintain an up-to-date register of all outsourcing arrangements.

**11.2** LFC shall inform the list of outsourcing arrangements proposed during a following financial year in the format given in Annexure 1 to the Director on or before the end of the first month of the financial year.

### 12. Interpretations

**12.1** “Outsourcing Arrangement” is an arrangement in which a service provider performs a function/operation or an activity on behalf of an LFC on a continuing basis, where the activity is normally or could be undertaken by the LFC.

**12.2** “Service Provider” refers to an entity, including a parent company or another related company of the LFC, providing services to an LFC under an outsourcing arrangement and includes all sub-contractors.

**12.3** “Sub-contractor” refers to an entity which enters into an arrangement, directly or indirectly, with the primary service provider to perform the whole or a part of the outsourced activity.

**12.4** “Director” means the Director of the Department of Supervision of Non-Bank Financial Institutions of the Central Bank of Sri Lanka.

**12.5** “Close relative” means spouse and dependent children.

**12.6** “Substantial interest” shall have the same meaning as contained in Section 74 of the Finance Business Act No. 42 of 2011.

**12.7** “Assets” referred to in Direction 6.1 refers to total assets in the latest available audited financial statements.

---

**Dr. Indrajit Coomaraswamy**  
Chairman of the Monetary Board and  
Governor of the Central Bank of Sri Lanka

---

## Annex I

### The list of Functions/Operations or Activities proposed to be outsourced

| Function/Operation or Activity Outsourced | Name of Service Provider | Address | Proposed Date of Commencement | Period of Agreement | Deliverables/Services Performed | Cost (per annum) |
|---|---|---|---|---|---|---|
| 1. | | | | | | |
| 2. | | | | | | |
| 3. | | | | | | |
| 4. | | | | | | |

**Year: …………**