2020-11-02

Guidelines on Minimum Standards for the Outsourcing of Material Functions

The Central Bank of The Bahamas requires supervised financial institutions to implement comprehensive governance and risk management frameworks when outsourcing material functions, transitioning from a prior approval model to a formal notification system. Institutions must conduct periodic materiality assessments based on financial and operational impact, maintain board accountability for outsourced activities, and ensure contractual agreements guarantee the regulator’s direct access to records. The guidelines further mandate timely reporting of performance failures, strict adherence to data confidentiality and anti-money laundering obligations, and robust business continuity plans for all material outsourcing arrangements.

Central Bank of The Bahamas

SUPERVISORY AND REGULATORY GUIDELINES
Minimum Standards for Outsourcing
ISSUED: 4th May 2004
Revised: 27th August 2009
Last Revised: 2nd November 2020

GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

I. INTRODUCTION

The Central Bank of The Bahamas (“Central Bank”) is responsible for licensing, regulating and supervising banks and trust companies (collectively, “Supervised Financial Institutions” or “SFIs”) operating in and from within The Bahamas pursuant to The Banks and Trust Companies Regulation Act, 2020, and The Central Bank of The Bahamas Act, 2020. Additionally, the Central Bank has the duty, in collaboration with SFIs, to promote and maintain high standards of conduct and risk management.

II. PURPOSE

For the purposes of these Guidelines, outsourcing involves an SFI entering into an arrangement with another party (including an entity affiliated or related to the SFI) to perform a business activity which currently is, or could be, undertaken by the SFI itself. These Guidelines set out the Central Bank’s approach to outsourcing and the major issues to be considered by SFIs when entering into outsourcing arrangements. The Central Bank recognises that SFIs may have sound reasons to outsource functions, such as the ability to achieve economies of scale, to improve the quality of service to clients, or to improve the quality of risk management. Whatever outsourcing arrangements are in place¹, SFIs are required to comply with the requirements of the Commercial Entities (Substance) Requirement Act, 2018 and the physical presence requirements outlined in the Guidelines for the Minimum Physical Presence Requirements for Banks and Trust Companies Licensed in The Bahamas, unless the Central Bank grants a specific exemption from the aforementioned Guidelines.

¹ There is no provision for an SFI’s compliance function (MLRO) to be outsourced.

III. APPLICABILITY

These Guidelines apply to all material outsourcing arrangements of an SFI. Annex I provides examples of some services that may be regarded as outsourcing for the purposes of these Guidelines, and of services that are generally not intended to be subject to these Guidelines.² These examples do not excuse the application of the Guidelines to services that are not listed. SFIs should consider the materiality of outsourcing in applying the Guidelines.

IV. CENTRAL BANK NOTIFICATION REQUIREMENTS

  1. An SFI must notify the Central Bank at least ten business days prior to entering into or materially varying an outsourcing agreement. Annex III to these Guidelines comprises the form of such notice, and the required information to be included. Previously, the Central Bank required its prior approval of material outsourcing agreements, but this is no longer the case.
  2. The Central Bank does not intend to evaluate the quality of outsourcing arrangements subject to prior notice, but will instead focus its supervisory effort upon ensuring that the agreement has benefitted from appropriate governance and risk management by the SFI.³
  3. The Central Bank requires the SFI to provide an annual summary of its outsourcing arrangements, in a common format outlined in Annex III to this Guideline. This schedule must be maintained at all times, and the SFI may be required to submit the schedule for review by the Central Bank, at any time.
  4. The SFI must notify the Central Bank immediately upon a material performance failure by any outsource provider, or should the SFI conclude that such a failure is imminent. The remedial measures to be taken must be provided upon notification of a material performance failure, as well as in instances where such a failure is imminent.

² This list is provided for information purposes only. The services listed do not necessarily mean that they are considered material for the purposes of these Guidelines. SFIs should apply the materiality test and consult the Central Bank where there is doubt.

³ This requirement can be satisfied by an attestation in the notice to the Central Bank that the appropriate governance and risk management issues have been evaluated in accordance with the SFI’s governance and risk management policies and addressed in the outsourcing arrangement.

V. MATERIALITY ASSESSMENT FOR OUTSOURCING ARRANGEMENTS

  1. The materiality of an outsourcing arrangement is often subjective and depends on the circumstances faced by an SFI.
  2. Without limiting the scope of the materiality assessment, factors that should be considered include:
     a) the impact of the outsourcing arrangement on the finances, reputation and operations of the SFI, particularly if the service provider or group of affiliated service providers should fail to perform under the outsourcing arrangement;
     b) the ability of the SFI to maintain important controls and meet supervisory and regulatory requirements, particularly if the service provider were to default on its obligations;
     c) the cost of the outsourcing arrangement; and
     d) the degree of difficulty, funds, and time required to find an alternative service provider or to return the outsourced activity in-house.
  3. As minimum guidance, the Central Bank will consider an outsourcing arrangement material if:
     a) it exceeds the lesser of $1 million, 5 per cent of the SFI’s prudential capital, or 1 per cent of the SFI’s gross assets in annual payments to the outsource provider;
     b) the outsource provider is given access to the SFI’s general ledger or confidential customer information;
     c) an information security failure, other operational failure, or misconduct by the outsource provider and its employees and agents could plausibly lead to the SFI’s inability to conduct a material line of business for more than 48 hours, or if the failure would plausibly lead to public exposure of confidential customer or counterparty information;
     d) the conservatively estimable cost of remediation of an outsource provider’s inability to provide satisfactory performance exceeds the lesser of $1 million, 5 per cent of the SFI’s prudential capital, or 1 per cent of the SFI’s gross assets;
     e) a performance failure by the outsource provider could plausibly lead to long-term impairment of the SFI’s reputation, or the reputation of The Bahamas as a sound jurisdiction in which to conduct financial services; or
     f) the outsourcing arrangement affects the SFI’s ability to provide regular and ad hoc regulatory reporting to the Central Bank or other Bahamian public sector agencies.
  4. SFIs should periodically reassess an outsourcing arrangement’s materiality. In cases where an arrangement is reassessed as material, it should comply with the principles set out in these Guidelines at the first opportunity, such as when the outsourcing contract or agreement is substantially amended, renewed or extended.
  5. Annex II contains a set of suggested questions that an SFI could usefully consider in assessing the materiality of outsourcing arrangements. The Central Bank may review an SFI’s materiality assessment on a case-by-case basis as part of its on-site examination process, or as part of its ongoing supervision.

VI. RISK MANAGEMENT PROGRAMME

The Central Bank requires SFIs to design and implement risk management policies that apply to all material risks, including risks associated with outsourcing arrangements.

  1. Board of Directors and Senior Management Responsibilities⁴
     a) It is the responsibility of the Board and senior management to ensure that adequate risk mitigation practices are in place for the effective oversight and management of outsourcing arrangements.
     b) The Board, or delegated committee, should:
        i. Review and approve risk management policies for outsourcing;
        ii. Regularly review compliance with the outsourcing policy;
        iii. Approve all outsourcing arrangements of material business activities;
        iv. Regularly review reports on outsourcing arrangements; and
        v. Ensure that the audit function covers any outsourcing arrangements and reports on compliance with the terms and conditions of the agreements. This includes a review of the service provider’s internal control environment as it relates to the service provided. The Central Bank considers that an SFI should undertake internal (or external) audit review of material outsourcing arrangements as often as is required using a risk-based approach, and in any case no less often than every three years.
     c) The Board must satisfy itself that the outsourcing arrangement complies with relevant statutory requirements related to client confidentiality (including Section 19 of the Banks and Trust Companies Regulation Act, 2000), statutory requirements on anti-money laundering/countering terrorist and proliferation financing and record keeping procedures and practices, other applicable Bahamian legal requirements and Guidelines issued by the Central Bank.
     d) The Board should include a statement in its Annual Corporate Governance Certificate confirming that the Board is performing its functions and fulfilling its obligations under these Guidelines. In addition, any deficiencies in respect of these Guidelines should be noted and an Action Plan to remedy these deficiencies should be submitted to the Central Bank.
     e) Senior Management of the SFI should:
        i. Develop a risk management framework for outsourcing arrangements that reflects the Board’s approved policy;
        ii. Establish and implement an oversight process that ensures that outsourcing of material business activities is reported to and approved by the Board prior to implementation;
        iii. Ensure that, for each outsourcing arrangement, there is a formal evaluation of the service provider, that a contract with appropriate service level agreements is in place, and that any confidentiality provisions and security needs are adequately addressed;
        iv. Ensure that appropriate reporting regimes are in place, including to the Board and the Central Bank, to enable effective management and control of outsourcing arrangements and to identify potential problems at an early stage; and
        v. Ensure that the audit function reviews any outsourcing arrangement and that auditors regularly report on compliance with applicable terms and conditions of the agreement.

⁴ For branches of foreign banks, the responsibilities set forth in these Guidelines for the Board of Directors of an organization should be assumed by the head office of the local branch. Senior managers at head office should ensure that the standards set forth in these Guidelines are appropriately addressed by the senior management of the local branch. Where the Board of Directors of a subsidiary or head office of a local branch utilizes risk management programmes applicable to group companies, such risk management programmes must be consistent with the requirements of these Guidelines.

  2. Accountability
     a) In any outsourcing arrangement, the Board of Directors (in the case of subsidiaries and stand-alone entities) or head office (in the case of branches of foreign banks) and the SFI’s management are accountable for the outsourced activity. Although outsourcing may result in day-to-day managerial responsibility moving to the service provider, accountability for the business activity remains with the SFI. It is important for SFIs to recognise that outsourcing a business activity does not transfer all of the risks associated with the activity to the service provider. It remains the responsibility of the SFI to ensure that all risks associated with the business activity are addressed to the same extent as they would be if the activity were performed “in house”.
     b) When a material outsourcing arrangement results in services being provided outside The Bahamas, an SFI’s risk management programme should address any additional concerns linked to the foreign jurisdiction’s economic and political environment, technological sophistication, and legal and regulatory risk profile.⁵

⁵ Refer to Section VI, paragraph 2.

     c) The SFI’s management must satisfy the Central Bank that adequate procedures are in place and that the SFI possesses the clear ability to monitor and control all material outsourced arrangements. The Central Bank will hold the SFI’s Board and senior management responsible for ensuring that the outsourced functions are performed to an appropriate standard, and that the integrity of the SFI’s systems and controls is maintained.

  3. Due Diligence
     a) In selecting a service provider, or renewing a contract or outsourcing arrangement, SFIs are expected to undertake a due diligence process that appropriately assesses the risks associated with the outsourcing arrangement, including all factors that would affect the service provider’s ability to perform the outsourced activity.

     b) The Central Bank recognises that the level of due diligence conducted will vary depending on the prospective outsourcing partner.⁶ The due diligence process should include, but is not limited to:
        i. Assessing the financial strength, experience and technical competence of the service provider to deliver the required services;
        ii. The service provider’s internal control, reporting and monitoring environment;
        iii. The fitness and propriety of the principals of the service provider;
        iv. Business reputation, complaints, and pending litigation;
        v. Business continuity arrangements and contingency plans, including technology recovery testing;
        vi. Reliance on and success in dealing with subcontractors;
        vii. Insurance coverage;
        viii. Business objectives; and
        ix. Human resource policies, service philosophies, business culture, and how these fit with those of the SFI.
     c) Due diligence undertaken during the selection process should be documented and updated periodically as part of the monitoring and control processes of outsourcing. The due diligence process can vary depending on the nature of the outsourcing arrangement (e.g. reduced due diligence may be sufficient where no developments or changes have arisen to affect an existing outsourcing arrangement).

⁶ A reduced level of due diligence may be appropriate if the prospective outsourcing partner is an entity affiliated or related to the licensee, but sufficient due diligence must be undertaken to satisfy the SFI’s board and management that the arrangement is sound.

  4. Confidentiality of Outsourced Functions
     SFIs must have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information. SFIs must not undertake outsourcing arrangements that may result in the disclosure of client information to third parties without the prior consent of the client.⁷

⁷ Refer to Section 77 of the Banks and Trust Companies Regulation Act, 2020. SFIs should note that the responsibility with regard to the preservation of customer data confidentiality cannot be outsourced.

  5. Anti-Money Laundering Requirements
     SFIs must be able to demonstrate to the Central Bank and any other authorised party that, under the outsourcing arrangement, statutory requirements on anti-money laundering and record keeping procedures and practices will continue to be met (see the requirements under the Financial Intelligence Unit Act, 2000, the Financial Transactions Reporting Act, 2018, the Guidelines for Supervised Financial Institutions on the Prevention of Money Laundering, Countering the Financing of Terrorism and Proliferation Financing, and all other applicable Regulations and Guidelines).
  6. Business Continuity Arrangements
     Where a material function is outsourced, the SFI should ensure that its business continuity arrangements address foreseeable situations (either temporary or permanent) where the arrangement is suddenly terminated or the service provider is unable to fulfil its obligations under the outsourcing agreement. An SFI should make provision in its business continuity arrangements for the retention of and ready access to all records necessary to allow it to sustain business operations, meet its statutory obligations, and provide such information as may be required by the Central Bank to exercise its regulatory powers or perform its supervisory functions.
  7. Audit and Supervision
     a) The Board and senior management must ensure that the audit function conducts reviews of any outsourcing arrangement and that auditors regularly report on compliance with applicable terms and conditions of the agreement. This includes a review of the service provider’s internal control environment as it relates to the service provided. Additionally, the outsourcing arrangement must not hinder the Central Bank’s ability to perform its supervisory functions. Therefore, SFIs should ensure that the terms of the contract or outsourcing agreement include clauses that allow:
        i. The SFI’s internal or external auditors, or agents appointed by the SFI, to review the outsourcing arrangement to ensure compliance with applicable terms and conditions of the agreement. This includes a review of the service provider’s internal control environment as it relates to the service provided;
        ii. The SFI to obtain copies of any report(s) and/or finding(s) made relevant to any outsourcing arrangements; and
        iii. The Central Bank, or any agent appointed by the Central Bank, to access and obtain records of transactions, documents, and information of the SFI given to, stored at or processed by the service provider, and the right to access any report(s) and/or finding(s) made on the service provider relative to any outsourcing arrangements.
     In the normal course, the Central Bank would seek to obtain whatever information it requires from the SFI itself, but the Central Bank reserves the right to approach service providers directly for information.
     b) SFIs should ensure that effective audit and supervision arrangements are in place with the service provider, as well as any sub-contractor that the service provider may engage for the outsourcing, including any disaster recovery and backup service providers.

VII. CENTRAL BANK SUPERVISION CONSIDERATIONS

  1. The Central Bank must be in a position to continue its supervision of the outsourced functions, and must be given access to documentation and accounting records related to the outsourced activities.
  2. On-site examinations of any SFI may include a review of outsourced functions, where appropriate.
  3. SFIs must notify the Central Bank of any adverse development(s) related to outsourcing arrangements that could significantly affect the SFI’s operations, including any event(s) that could potentially lead to the termination and early exit from the outsourcing arrangement.
  4. The Central Bank may direct an SFI to terminate, replace, or modify an outsourcing arrangement, should that arrangement appreciably impair the Central Bank’s ability to supervise the SFI.

VIII. THE OUTSOURCING AGREEMENT

  1. The Central Bank expects that outsourcing arrangements should be undertaken using a written, legally binding agreement that has been reviewed by the SFI’s legal counsel. At a minimum, the contract should address the following issues:
     a) Scope of the arrangement and services to be provided;
     b) Service levels and performance requirements;
     c) Audit and monitoring procedures;⁸
     d) Business continuity arrangements;⁹
     e) Default arrangements and termination provisions;
     f) Pricing and fee structure;
     g) Dispute resolution arrangements;
     h) Sub-contracting;
     i) Insurance;¹⁰
     j) Liability and indemnity; and
     k) Confidentiality, privacy and security of information.¹¹

⁸ Refer to Section VI, paragraph 7.

⁹ Refer to Section VI, paragraph 6.

¹⁰ The service provider should be required to notify the SFI about significant changes in insurance coverage and disclose the general terms and conditions of insurance coverage.

¹¹ Refer to Section VI, paragraph 4.

ANNEX I
EXAMPLES OF OUTSOURCING ARRANGEMENTS

The following are examples of some services that may be regarded as outsourcing for the purposes of these Guidelines:

  1. Information system management and maintenance (e.g. data entry and processing, data centres, facilities management, end-user support, local area networks, help desks);
  2. Document processing (e.g., cheques, credit card slips, bill payments, bank statements, other corporate payments);
  3. Application processing (e.g. loan originations, credit cards);
  4. Sales and marketing functions, including commissioned agency arrangements;
  5. Loan administration (e.g., loan negotiations, loan processing, collateral management, collection of bad loans);
  6. Investment management (e.g., portfolio management, cash management);
  7. Marketing and research (e.g., product development, data warehousing and mining, advertising, media relations, call centres, telemarketing);
  8. Back office management (e.g., electronic funds transfer, payroll processing, custody operations, quality control, purchasing);
  9. Professional services related to the business activities of the SFI (e.g., accounting, internal audit, actuarial);
  10. Human resources (e.g., benefits administration, recruiting);
  11. Business continuity and disaster recovery capacity and capabilities;
  12. Client On-boarding, KYC document processing; and
  13. Transaction monitoring for AML/CFT purposes.

The following are arrangements that would not be considered outsourcing for the purposes of these Guidelines:
  1. Courier services, regular mail, utilities, telephone;
  2. Procurement of specialized training;
  3. Discrete advisory services (e.g., legal opinions, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy);
  4. Purchase of goods, wares, commercially available software and other commodities;
  5. Independent audit reviews;
  6. Credit background and background investigation and information services;
  7. Market information services (e.g., Bloomberg, Moody’s, Standard & Poor’s, Fitch);
  8. Independent consulting;
  9. Services the SFI is not legally able to provide;
  10. Printing services;
  11. Repair and maintenance of fixed assets;
  12. Supply and service of leased telecommunication equipment;
  13. Travel agency and transportation services;
  14. Correspondent banking services;
  15. Maintenance and support of licensed software;
  16. Temporary help and contract personnel;
  17. Fleet leasing services;
  18. Specialized recruitment;
  19. External conferences;
  20. Clearing and settlement arrangements between members or participants of recognized clearing and settlement systems;
  21. Ceded insurance and reinsurance ceded; and
  22. Syndication of loans.

ANNEX II
SAMPLE QUESTIONS TO ASSESS THE MATERIALITY OF OUTSOURCING ARRANGEMENTS

In assessing the materiality of a specific outsourcing arrangement, an SFI may want to consider, among others, these questions:

  1. Is the business activity important in relation to the SFI’s core business?
  2. Is a significant share of revenue derived from that particular activity?
  3. What is the outsourcing arrangement’s potential impact on earnings, solvency, liquidity, funding, capital, reputation, brand value, or system of internal controls, or its importance to achieving and implementing business objectives, business strategy and business plans?
  4. What is the SFI’s aggregate exposure to a particular service provider?
  5. Does the organization outsource a variety of activities to the same service provider?
  6. What is the size of contractual expenditures as a share of non-interest expenses of the SFI or line of business?
  7. If the service provider is unable to perform the service over a given period of time: (a) What is the expected impact on the SFI’s customers? (b) What is the likelihood that it would harm the SFI’s reputation? (c) Would it have a material impact on the SFI’s risk profile? (d) Would the SFI be able to engage an alternative service provider? (e) How long would it take and what costs would be involved?

ANNEX III
FORM OF PRIOR NOTICE AND ANNUAL SUMMARY OF OUTSOURCING REPORT
(ALSO TO BE MAINTAINED CURRENT AT ALL TIMES, AND SUBJECT TO CENTRAL BANK REQUEST AT ANY TIME)

SFIs with material outsourcing arrangements will be required to:

  1. File the completed Annual Summary of Outsourcing Report via ORIMS with the Central Bank on January 30,¹² summarising the SFI’s experience with outsourcing during the year; and
  2. Maintain a continuous register of outsourcing arrangements, which should indicate:
     a) The name of the service provider;
     b) The location where the service is provided;
     c) The expiry or renewal date of the outsourcing arrangement;
     d) The value of the outsourcing arrangement;
     e) The applicable attestations; and
     f) The key risks involved in the respective outsourcing arrangement, along with risk mitigation strategies to address those risks.

The above register should be updated when outsourcing arrangements are substantially amended, renewed, extended or terminated, and should form part of senior management’s reports to the SFI’s Board of Directors (in the case of subsidiaries and stand-alone entities) or to the head office (in the case of branches of foreign banks).

¹² Filing of the ORIMS return will not supersede the attestation contained within the Board of Directors’ Annual Certification. This form will be available on the Central Bank’s website.

Form of Prior Notice of Outsourcing Arrangement to Central Bank of The Bahamas

Name of Supervised Financial Institution
Date of Notification (dd/mm/yyyy)

  1. Name of Outsourcing Agreement
  2. Services Covered
  3. Commencement Date/Date of Agreement (dd/mm/yyyy)
  4. Termination Date (If Applicable) (dd/mm/yyyy)
  5. Provider Name
  6. Affiliated Entity (Y/N)
  7. Jurisdiction/Country of Provider
  8. Annualized Cost of Outsourcing Arrangement¹ (USD Equivalent ’000s)
  9. Date Approved by the Board of Directors (dd/mm/yyyy)
  10. Key risks associated with the outsourcing arrangement, along with risk mitigation strategies to address those risks, have been assessed and documented (Y/N) [Attach a copy of the Assessment of Key Risks]

¹ Amounts should be reported net of VAT and should reflect the USD equivalent in thousands.
