2023-01-01
The Registrar of Financial Institutions issued these Guidelines to ensure financial institutions establish robust policy frameworks for managing outsourcing arrangements. They mandate appropriate internal due diligence, approval, and ongoing monitoring for all material outsourcing, requiring financial institutions to manage associated risks effectively. The guidelines detail responsibilities for boards and senior management, criteria for classifying material activities, and requirements for Registrar's approval, ensuring compliance and operational stability.
JULY 2023
PART I – PRELIMINARY
PART II – OBJECTIVES AND SCOPE
3. Objectives
4. Scope of Application
PART III – INTERNAL POLICIES, ROLES, RESPONSIBILITIES, RISK MANAGEMENT AND CONTRACTS IN OUTSOURCING
5. Internal Policy on Outsourcing
6. Role and Responsibilities of Board Directors
7. Role and Responsibilities of Senior Management
8. Evaluation of Risks Involved in Outsourcing
9. Due Diligence in Selecting Service Providers
10. Confidentiality and Security of Customer Data and Information
11. Business Continuity Management
12. Contracts and Service Level Agreements
PART IV – CLASSIFICATION OF OUTSOURCED ACTIVITIES, REQUIREMENTS FOR REGISTRAR’S APPROVAL, INTRA-GROUP OUTSOURCING, MANAGEMENT/TECHNICAL SERVICES AND FEES
13. Criteria for Classification into Material or Non-material Activities
14. Requirements for Registrar’s Approval of Material Outsourcing Arrangements
15. Intra-Group Outsourcing and Transfer Pricing
16. Management and Technical Services and Fees
PART V – TRANSITORY ARRANGEMENTS AND SELF-ASSESSMENTS
17. Transition and Self-Assessment of Existing or Proposed Outsourcing Arrangement
APPENDIX A: Key Risks in Outsourcing of Services by Financial Institutions
APPENDIX B: Summary of Guiding Principles on Outsourcing in Financial Services
Financial institutions are increasingly engaging third parties to provide services under outsourcing arrangements. Common motives for outsourcing essential services are to reduce costs, to obtain expertise and skills that may not be available internally (including access to better technology and systems), and to achieve strategic aims. Outsourcing arrangements, which are also becoming more complex, have the potential to transfer risk, management and compliance to third parties over whom the Registrar of Financial Institutions (hereinafter “the Registrar”) has no regulatory authority, and increased reliance on them may affect the ability of financial institutions to manage their risks and monitor their compliance with regulatory requirements. There is also concern about the potential for over-reliance on outsourced business activities that are critical to the on-going viability of a regulated entity and to its obligations to customers; unfettered outsourcing arrangements have the potential to negatively impact the safety and soundness of financial institutions and of the financial system as a whole.
Financial institutions can mitigate these risks by taking measures such as adopting clear and comprehensive outsourcing policies and effective risk management programmes, requiring contingency plans from the outsourcing firm, negotiating appropriate outsourcing contracts, and properly conducting due diligence on the service provider. For its part, the Registrar mitigates these concerns by ensuring that outsourcing is adequately considered as an integral part of the on-going risk assessment of a financial institution and, where applicable, during regulatory approval of the contracts, and by including concentration risk in third-party service providers when considering systemic risk issues. The Registrar’s assessments need to provide assurance that any outsourcing arrangements do not hamper the ability of a financial institution to meet regulatory requirements.
(1) In these Guidelines -
“Act” means the Financial Services Act, 2010;
“Registrar” means the Registrar of Financial Institutions as appointed under Section 8 of the Act;
“financial institution” has the same meaning as ascribed to it in the Act;
“material outsourcing” refers to the outsourcing of an activity of such importance that any weakness or failure in the provision of this activity could have a significant impact on the financial institution’s ability to meet its regulatory responsibilities and/or to continue in business;
“outsourcing” is defined in this guideline as a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform business activities that would normally be undertaken by the regulated entity;
“related party” has the same meaning as ascribed to it under the Financial Services Act, 2010; and
“third-party service provider” refers to an entity that is undertaking the outsourced activity on behalf of the financial institution, whether the entity is affiliated to the financial institution or not.
The main objectives of these Guidelines are to ensure that:
(1) financial institutions establish a policy framework that guides management of outsourcing arrangements;
(2) all material outsourcing arrangements entered into by a financial institution are subject to appropriate internal due diligence, approval and on-going monitoring;
(3) all risks arising from material outsourcing arrangements are appropriately managed to ensure that a financial institution is able to meet its obligations to customers, the Registrar and other stakeholders; and
(4) all dealings between a financial institution and outsourced service providers are conducted at arm’s length.
These Guidelines apply to banks, insurance companies, pension services companies, deposit-taking microfinance institutions, capital market players and any other financial institution that may be specified by the Registrar from time to time.
(1) A financial institution should establish specific policies and criteria for making decisions about outsourcing, including guiding the evaluation of whether, how and to what extent the relevant activities are appropriate to be outsourced. The policy should be communicated and implemented through all relevant levels of the financial institution. Further, the policy must be reviewed periodically, at least once every two years, and in light of changing circumstances and applicable laws.
(2) The policy should be documented and include, inter-alia, the following elements and principles:
(a) strategic goals, objectives and business needs of the financial institution in relation to outsourcing, including an assessment of the institution’s core competences, managerial strengths and weaknesses;
(b) a clear outline of the range of business activities that may be outsourced and those which cannot be outsourced by the institution;
(c) criteria on the evaluation of whether the activity is appropriate for outsourcing;
(d) criteria for determining material outsourcing;
(e) processes for evaluating risks associated with an outsourced activity;
(f) criteria for evaluating outsourcing relationships with service providers, including necessary controls and reporting processes on an on-going basis;
(g) eligibility criteria for selecting service providers, taking into account any direct or indirect relationships with them;
(h) limits on the acceptable overall level of outsourced activities;
(i) issues addressing risk concentration and risks arising from outsourcing multiple business activities to the same service provider;
(j) steps to ensure its ability to comply with legal and regulatory requirements, in both home and host countries, where applicable;
(k) specification of any off-shore processing arrangement, and of the modalities for recovering outsourced resources such as data in case of any dispute or termination of the contract;
(l) designation of an internal unit or individual responsible for supervising and managing each outsourcing, and, overall, an appropriate governance structure with clearly defined roles and responsibilities that exists throughout the engagement process and contract term;
(m) outsourcing arrangements should not affect rights of a customer against the regulated entity, including the ability of the customer to obtain redress as applicable under relevant laws; and
(n) outsourcing arrangements should not deter the Registrar’s ability to exercise his regulatory responsibilities and an activity should not be outsourced if it would impair the Registrar’s right to assess, or ability to supervise, business of the financial institution.
(1) The board and senior management of a financial institution shall remain responsible in respect of functions or business activities that are outsourced. The board of directors shall, at a minimum, be responsible for:
(a) reviewing and approving the institution’s policy on outsourcing;
(b) reviewing and approving processes for outsourcing of any material activity or functions;
(c) assessing outsourcing strategies and arrangements to evaluate consistency with strategic objectives;
(d) assessing how the outsourcing arrangement will support the financial institution’s objectives and strategic plans;
(e) approving material outsourcing arrangements;
(f) setting up the appropriate levels of authority for approval of outsourcing;
(g) approving the exit mechanism in respect of material outsourcing arrangements;
(h) assessing whether management has competently implemented outsourcing arrangements based on the set policy and in conformance to relevant regulatory requirements;
(i) reviewing management reports on outsourced activities, at least annually, to ensure compliance with the approved policy;
(j) ensuring the continued maintenance of an overall framework for the operational stability of the financial institution, considering the scope of outsourced services; and
(k) ensuring that the internal and external audit functions regularly review operations to assess whether or not the risk-management policies and procedures for outsourcing are being followed and to confirm that sufficient risk management processes for outsourcing are in place.
(1) Senior management of the financial institution has the responsibility for proper management of the risks associated with outsourcing business activities. In addition, senior management is responsible for:
(a) developing the institution’s policy on outsourcing and recommending it for approval to the board;
(b) implementing approved policies for outsourcing;
(c) establishing procedures adequate for the operation and monitoring of outsourcing arrangements, including identifying those that are material, evaluating the service provider, ensuring a satisfactory service contract, meeting confidentiality and security needs, and assigning accountability for monitoring the outsourcing of material business activities;
(d) managing risks associated with outsourcing arrangements;
(e) carrying out periodic internal assessments, at least quarterly, to test the effectiveness of the outsourcing arrangement and keep the board informed on material outsourcing risks in a timely manner;