2026-03-25 | Banking Act Direction No. 01 of 2026

The Central Bank of Sri Lanka (CBSL) mandates licensed banks to establish a comprehensive governance and risk management framework for outsourcing business operations. The directive requires boards and senior management to approve detailed outsourcing policies, conduct rigorous due diligence on service providers, and maintain dedicated monitoring units that ensure data security, regulatory compliance, and uninterrupted customer services. It further delineates core functions that cannot be outsourced while permitting internal audit and IT operations under strict conditions, including cloud computing standards and subcontractor risk mitigation.
Regulatory Requirements on Outsourcing of Business Operations of Licensed Banks

1 Definitions and Applicability

1.1 An “outsourcing arrangement” shall mean an agreement between a licensed bank and a third-party service provider where the service provider performs an integral part of an activity, function or process connected with the provision of financial services in relation to the banking business of licensed banks.

1.2 A “service provider” means any party which provides services that are directly related to the provision of financial services by a licensed bank. This shall include the head office, regional office, parent institution, a branch or any entity within the Group of the licensed bank, or an unrelated entity, whether located in Sri Lanka or outside Sri Lanka. Further, with respect to outsourcing of Information Technology, a “service provider” of a licensed bank incorporated outside Sri Lanka that is either the licensed bank’s head office, a branch of the head office, or a subsidiary operating to provide services exclusively to the head office and its Branches/Group, can be excluded from being considered a “service provider” under these Directions, provided such operations comply with the requirements laid down under the Banking Act Directions on Technology Risk Management and Resilience of licensed banks for the time being in force.

1.3 “Board of Directors”, for licensed banks incorporated outside Sri Lanka, shall mean the Head Office or Regional Office of such licensed bank that supervises the respective branch, or a management committee to which the powers of overseeing the management have been delegated by such Head Office or Regional Office, as the case may be, to act as the Board of Directors of such branch.
1.4 “Board Integrated Risk Management Committee” (BIRMC), for licensed banks incorporated outside Sri Lanka, shall mean the risk management committee established locally or, in the absence of such a committee, the head of risk management in Sri Lanka together with the risk management function in the Head Office or any appropriate higher-level committee at the Head Office that directly or indirectly oversees the risk management framework pertaining to operations in Sri Lanka.

1.5 “Board Audit Committee” (BAC), for licensed banks incorporated outside Sri Lanka, shall mean the head of internal audit in Sri Lanka together with the internal audit function in the Head Office or any appropriate higher-level committee at the Head Office that directly or indirectly oversees the audit functions pertaining to operations in Sri Lanka.

1.6 “Senior Management” shall mean the Chief Executive Officer and the key management personnel of the licensed bank.

1.7 “Material Outsourcing Arrangement” shall mean an outsourcing arrangement that is significant in terms of the ability of the licensed bank to achieve its strategic and business objectives and/or, in the event of a service failure, has the potential to significantly impact the licensed bank’s provision of financial services in compliance with applicable laws and regulatory requirements.

1.8 These Directions shall not apply to outsourcing arrangements that are not directly related to the provision of financial services, such as mail, courier services, catering of staff, housekeeping and janitorial services, security of premises, printing services (e.g., application forms, brochures, etc.), communication services, recruitments, and payroll.

2 General Requirements

2.1 Outsourcing arrangements shall only be entered into with service providers who have the specialized resources, capacity, and expertise to perform such functions, operations or activities.

2.2 Licensed banks shall ensure that outsourcing arrangements with service providers in which a substantial interest is held by a Director or senior management member and/or close relations of a Director or senior management member of the licensed bank are conducted on an arm’s-length basis. Such arrangements shall be outsourced subject to the approval of the Board of Directors and shall be conducted in compliance with the prevailing Banking Act Directions on Corporate Governance of licensed banks. In respect of outsourcing arrangements with any other related party of the licensed bank, licensed banks shall comply with the regulatory requirements applicable to related party transactions as specified in the prevailing Banking Act Directions on Corporate Governance of licensed banks.

2.3 Licensed banks shall ensure that the service provider exercises a high standard of care and diligence in performing the outsourced activity/functions and protects the confidentiality and security of the bank’s sensitive information, especially in relation to customers, operating systems, application software, hardware, etc.

2.4 Licensed banks shall ensure that the service provider processes the information received under the outsourcing arrangements solely for the purposes specified in the outsourcing agreement, while complying with the laws and regulations for the time being in force relating to personal data protection.
2.5 Outsourcing arrangements shall not compromise or weaken the risk management, internal controls, business operations and conduct, or reputation of the licensed bank.

2.6 Licensed banks shall ensure that all contractual agreements (new and existing) pertaining to outsourcing arrangements comply with these Directions.

2.7 In the case of services outsourced to wholly owned subsidiaries of the licensed bank, such bank shall develop appropriate policies and a risk management framework giving due consideration to the requirements of these Directions.

3 Governance Framework for Outsourcing of Business Operations

3.1 The Board and the senior management shall be ultimately responsible and accountable for providing effective oversight of the outsourcing arrangements, supported by a robust risk management framework to mitigate the risks arising from outsourced activities and ensure compliance with applicable laws and regulations, in a manner consistent with safe and sound banking practices.

3.2 The Board shall approve the proposed outsourcing arrangements of the licensed bank, taking into consideration the potential risks, Know Your Customer (KYC) and due diligence processes, cost-benefit analysis, and other requirements as laid down by the Outsourcing Policy of the licensed bank.

3.3 The Board and senior management shall be fully aware of and understand the risks arising from outsourcing of business operations.

3.4 Licensed banks shall establish Board-approved internal policies and procedures covering all outsourcing arrangements as per these Directions.

3.5 The Board shall undertake regular reviews of policies and procedures relating to outsourcing arrangements based on the continued relevance, safety, and soundness of such arrangements.

3.6 The Board shall establish a sound risk management framework, including appropriate risk appetite limits, to identify, evaluate, and report the material risks of all outsourcing arrangements, commensurate with the bank’s size, scale, diversity, complexity of operations, risk profile, and the continued relevance, safety, and soundness of all outsourcing arrangements, and ensure that such framework is effectively implemented.

3.7 The Board and senior management shall ensure the continuous ability of the licensed bank to fulfill its obligations to customers, notwithstanding the outsourcing arrangements.

3.8 Licensed banks shall ensure that independent audit and compliance reviews are conducted on outsourcing arrangements and that timely remedial actions are taken to address any findings thereof.

3.9 In the event any subcontracting arrangements are involved, i.e., where the service provider has further outsourced the services or part of the services covered under the outsourcing arrangement to another service provider, licensed banks shall ensure that the service provider has implemented the necessary measures to identify, evaluate, and mitigate the risks arising from subcontracted services.

3.10 Licensed banks shall obtain a confirmation from the service provider that the individuals employed by the service provider and subcontractors, where applicable, are bound by a Non-Disclosure Agreement and are properly trained to handle their respective responsibilities with due care and prudence.
3.11 In the case of services outsourced to the head office/regional office/group level of licensed banks incorporated outside Sri Lanka, a confirmation shall be obtained from the head office/group on the availability of such Non-Disclosure Agreements and that the respective individuals involved in outsourcing arrangements are properly trained to handle their responsibilities with due care and prudence.

3.12 Licensed banks shall ensure that the service provider does not impede or interfere with the ability of the licensed bank to effectively oversee and manage its activities.

3.13 Licensed banks shall ensure compliance with all applicable laws and regulations, notwithstanding that such activity is conducted by a service provider under an outsourcing arrangement.

4 Outsourcing Policy

4.1 A licensed bank shall have a comprehensive policy to guide the bank as to how its operations are to be outsourced, considering the size, scale, diversity, and complexity of operations of the licensed bank. The policy shall contain the following at a minimum:
  (i) The placing of overall responsibility on the Board of Directors, the respective Board committees, and senior management for the outsourcing of activities and for the formulation of the policy thereof.
  (ii) The roles and responsibilities of the Board of Directors, Board Committees, senior management, and the risk management, compliance, and internal audit functions.
  (iii) The criteria for selection of activities to be outsourced and of the service providers.
  (iv) A framework to conduct KYC and the due diligence process on the service provider in terms of the applicable laws and regulations for the time being in force.
  (v) A procedure to assess the service provider’s risk management frameworks, physical and Information Technology (IT) security controls, financial strength, resources, capacity and capabilities, professional standards, business continuity plans, and disaster recovery arrangements.
  (vi) Guidelines for cost-benefit analysis on each activity, function, or process to be outsourced, taking into account the risks that may arise from the outsourcing arrangement, such as temporary disruption to service.
  (vii) A framework for identification and effective management of risks that could arise from outsourcing of activities.
  (viii) Tender procedures to be followed for the procurement of outsourced services.
  (ix) Policies on setting up a monitoring and control unit in the event of having several outsourcing arrangements.
  (x) A format for the contract/agreement for outsourcing arrangements, which shall include the following at a minimum:
    (a) Applicable laws, regulations, and prudential requirements,
    (b) Scope of the arrangement,
    (c) Period of the agreement and conditions applicable on renewal/renegotiation,
    (d) Service, internal controls, and risk management standards,
    (e) Rights, responsibilities, and expectations of all parties,
    (f) Dispute resolution mechanism, as applicable,
    (g) Confidentiality and security of information,
    (h) Performance evaluation mechanism,
    (i) Monitoring and control of outsourcing arrangements,
    (j) Audit and inspection,
    (k) Termination or early exit from contract,
    (l) Subcontracting (if involved),
    (m) Business continuity management,
    (n) Notification of adverse developments,
    (o) Whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested, and,
    (p) Circumstances that may lead to termination of the outsourcing arrangement, the contractual parties’ termination rights, and a minimum period to execute the termination provisions, ensuring sufficient time for an orderly transfer of the outsourced activity to the licensed bank or another party.
  (xi) A specific contingency plan to restore or obtain the services of alternative service provider(s), which could become necessary due to termination of the outsourcing arrangement.
  (xii) A robust mechanism for handling grievances raised by vendors in relation to outsourced services.
  (xiii) A procedure to ensure the confidentiality of customer information maintained with the service provider.
  (xiv) The requirements applicable to subcontractors, in broad terms.
  (xv) The procedure for obtaining services related to sales/marketing of the products.
  (xvi) A framework for cross-border outsourcing, if applicable, taking into account the differences in country environments.
  (xvii) Limits on maximum exposure to a single service provider, both in terms of value and the number of contracts.

5 Functions or Activities that cannot be Outsourced

5.1 Licensed banks shall not outsource the following functions, operations, or activities:
  (i) Services associated with the acceptance of deposits and withdrawals, excluding the agency arrangements approved under the provisions of 12(l)(a) and 76(D)(4) of the Banking Act and Directions issued under Section 76J(l) of the Banking Act,
  (ii) Assets and liabilities management,
  (iii) Compliance function,
  (iv) Customer Due Diligence (CDD) measures (including KYC procedures), except functions/activities permitted by the Financial Intelligence Unit (FIU), subject to rules and regulations issued by the FIU for the time being in force,
  (v) Treasury functions, foreign exchange trading and management,
  (vi) Risk management,
  (vii) Strategic planning and decision-making,
  (viii) Sanctioning of loans,
  (ix) Internal Audit Function, subject to Direction 6, and,
  (x) IT-related functions and services, subject to Direction 7.

6 Outsourcing of Internal Audit

6.1 Licensed banks shall not outsource their Internal Audit function other than in keeping with the following:
  (i) Licensed banks may outsource their Internal Audit Function where the size of the bank and the extent of the risks do not justify the operation of an Internal Audit function with full-time internal audit staff.
  (ii) Licensed banks may outsource certain activities or specialised areas of their Internal Audit Function, such as branch audits, department audits or Information System (IS) audits, where the bank is in a position to justify the cost savings, improved efficiency, and better management of resource constraints.

6.2 The outsourcing of the Internal Audit Function or activities shall be subject to the following conditions:
  (i) The responsibility for and control of the outsourced audit assignments shall continue to rest with the BAC. With respect to the Internal Audit Function, the BAC shall ensure compliance with the prevailing Banking Act Directions on Corporate Governance for licensed banks.
  (ii) The firm and staff of the Internal Audit service provider, hereinafter referred to as the Internal Audit service provider, shall have the expertise and experience commensurate with the size, scale, diversity, and complexity of operations of the licensed bank to effectively complete the engagement.
  (iii) The engagement with the Internal Audit service provider shall be approved by the Board of Directors of the licensed bank, based on the assessment and recommendations made by the BAC on the capacity and competencies of the service provider.
  (iv) The selection of the Internal Audit service provider shall be made from the “list of qualified auditors to audit the accounts of licensed banks in Sri Lanka” published by CBSL, subject to the following conditions:
    (a) The service provider shall not be the licensed bank’s present External Auditor.
    (b) Any such appointment shall be made after a “cooling off” period as specified by CBSL if such firm and staff of the Internal Audit service provider had previously been engaged in the External Audit assignment of the licensed bank, and vice versa.
  (v) Partners or employees of the Internal Audit service provider shall not perform any management function or act, directly or indirectly, in a capacity equivalent to that of a member of senior management or an employee of the bank.
  (vi) The Internal Audit service provider shall not provide consultancy services to a function or an activity of the licensed bank which is currently audited/expected to be audited by the service provider, or vice versa, within a period of 2 years.
  (vii) The BAC shall conduct periodic assessments to satisfy itself of the continued ability of the Internal Audit service provider to perform the Internal Audit Function satisfactorily.
  (viii) The BAC shall ensure that, as far as practicable, one or more members of the bank’s Internal Audit staff are also involved in the bank’s Internal Audit-related work provided by the service provider, with a view to gathering the relevant knowledge to perform such work if the need arises.

6.3 Licensed banks shall provide the Internal Audit plan, follow-up actions taken, reports and related working papers, etc. to CBSL, as and when required.

7 Outsourcing of Information Technology

7.1 Licensed banks may outsource the following IT and business processing functions, subject to Direction 7.2:
  (i) Application/Systems development, testing, maintenance and support,
  (ii) Technology infrastructure management, maintenance and support, Help Desks,
  (iii) Maintenance and support to data center operations,
  (iv) Network administration,
  (v) Security Operations Center,
  (vi) Information Security Testing,
  (vii) Disaster recovery support services,
  (viii) Data entry operations,
  (ix) Database maintenance and support,
  (x) Data warehousing,
  (xi) Electronic banking systems (e.g., Internet banking, Mobile banking, and Tele-banking) development, maintenance, and support,
  (xii) Web hosting and maintenance,
  (xiii) Credit/Debit/ATM card and statements printing, and,
  (xiv) Cloud computing in line with the applicable regulations.
7.2 Licensed banks, in the event of outsourcing the above IT operations and information security services, shall ensure:
  (i) compliance with all requirements related to governance, oversight by the Board and senior management, risk management, due diligence, cost-benefit analysis, and monitoring and control of outsourcing arrangements, as provided in these Directions,
  (ii) availability of a comprehensive Board-approved IT outsourcing policy giving due consideration to the requirements given in Direction 4.1, clearly defining the roles and responsibilities of the Board of Directors, Board Committees, senior management, Chief Information Officer, Chief Information Security Officer, IT and business functions, Information Security Function, and the risk, compliance, and internal audit functions,
  (iii) a risk assessment is conducted, considering the bank’s scale, operational model, legal and regulatory requirements, and operational risks arising from the proposed outsourcing arrangement, prior to deciding whether a system, process, or function related to IT can be outsourced, based on the Board-approved IT outsourcing policy. Risk assessment of outsourcing arrangements for information security services shall be conducted by the Chief Information Security Officer, considering the operational model, legal and regulatory requirements, and security risks,
  (iv) necessary approvals are obtained from the Board of Directors, while the proposed outsourcing arrangements for information security services shall be recommended for Board approval through the BIRMC,
  (v) the Board and senior management are fully responsible for uninterrupted banking operations,
  (vi) the confidentiality and integrity of data and information pertaining to customers that is available to the service provider,
  (vii) necessary non-disclosure agreement/s are signed with the relevant vendors,
  (viii) continuous monitoring of such operations and security services, including ongoing risk evaluations, security performance assessments, and incident reporting by the relevant authorities of the IT Department/Information Security Function of the bank, as applicable,
  (ix) appropriate business continuity and disaster recovery plans/rollback arrangements are available for the outsourced activities,
  (x) the availability of an agreed arrangement for the service provider to report cyber incidents to the licensed bank, and,
  (xi) compliance with the Banking Act Directions on Regulatory Framework on Technology Risk Management and Resilience of Licensed Banks.
  (xii) In the event of cloud computing, in addition to (i) to (xi) above:
    (a) Licensed banks shall ensure that effective measures are in place to address risks associated with data accessibility, confidentiality, integrity, sovereignty, recoverability, and regulatory compliance.
    (b) Licensed banks shall ensure that such service provider possesses a relevant certification for the latest edition of security controls for cloud services from an accredited certification body, as per the applicable laws and regulations for the time being in force.

8 Outsourcing of Marketing & Recovery Functions

8.1 The marketing and recovery functions outsourced by licensed banks shall be subject to ensuring that the staff of the outsourcing service providers who deal directly with customers are properly trained to handle their responsibilities with care and prudence and comply with the regulations for the time being in force relating to financial consumer protection.

9 Monitoring and Control of Outsourced Activities

9.1 Licensed banks shall have a specifically designated Monitoring Unit/Division at the Head Office to handle all outsourcing arrangements, given the size, scale, diversity, and complexity of operations of the bank. A licensed bank incorporated outside Sri Lanka shall have the designated unit/division at the local office.

9.2 The Monitoring Unit shall maintain up-to-date information on all outsourcing arrangements, and such information will be subject to review during the statutory examination of the respective bank.

9.3 The Monitoring Unit shall maintain documents related to all outsourcing arrangements, i.e., service agreements, approvals granted by the Board, and audit reports if any, and ensure that such documents are readily available to CBSL upon request.

9.4 The Monitoring Unit shall carry out periodic assessments covering the quality and timeliness of service delivery, financial strength, compliance, underlying risks, confidentiality, customer complaints, and security of the outsourcing arrangements, and any material concerns identified therein shall be duly reported to the BIRMC or the Board.

9.5 The Monitoring Unit shall handle complaints received with regard to the outsourcing arrangements and shall maintain records of such complaints.

9.6 Licensed banks shall establish an effective management information system that provides information on a regular basis, such as the type of outsourced service activity, costs, volume, deliverables, terms and conditions of the agreement, expiry or renewal dates of the contracts, complaints, and the financial and operational conditions of the service providers.

10 Cross-border Outsourcing

10.1 Licensed banks shall assess on an ongoing basis the country risk, economic, social, and political conditions, government policies, and legal and regulatory developments in the foreign country that may adversely affect the operations of the licensed bank.

10.2 Licensed banks shall be aware of the disaster recovery arrangements established in foreign countries by the service provider in relation to the outsourcing arrangement.

11 Business Continuity Management (BCM)

11.1 Licensed banks shall ensure that the service provider has a satisfactory Business Continuity Plan (BCP) that is commensurate with the nature, scope, and complexity of the outsourcing arrangement.

11.2 Licensed banks are responsible for ensuring that their BCP considers any operational disruptions or failure of the service provider.

11.3 BCPs shall consider the following:
  (i) the estimated cost involved in resuming the outsourced activity,
  (ii) the possible need for an alternative service provider, including consideration of the limited number of service providers in the market,
  (iii) the degree of difficulty, cost, and time required to reintegrate the outsourced activity in-house.

11.4 Licensed banks shall, at least on an annual basis, test their own BCP and proactively seek assurance on the state of BCP preparedness of the service provider. The intensity and frequency of BCP testing and assessments of BCP preparedness must be commensurate with the materiality of the outsourcing arrangement. In assessing the preparedness, licensed banks shall, at a minimum:
  (i) ensure that the back-up arrangements are available and ready to be operated when necessary,
  (ii) ensure that the service provider periodically tests its BCP and provides any test reports, including any identified deficiencies that may affect the provision of the outsourced service and the measures to address such deficiencies, as soon as practicable, and,
  (iii) for material outsourcing arrangements, consider participating in joint testing with the service provider to enable an end-to-end BCP test of these arrangements by the licensed bank.

11.5 In the event where subcontracting arrangements are involved, licensed banks shall request a confirmation from the relevant service providers that such subcontractors have a satisfactory BCP.

12 Reporting Requirements

12.1 Every licensed bank shall inform the Director of Bank Supervision of existing outsourced business operations and of proposed business operations to be outsourced during a particular calendar year, as approved by the Board, by 31 January of every year, as per the format given in Annex 1 hereto, and shall notify the Director of Bank Supervision immediately of any changes/developments made thereto.

12.2 Licensed banks shall promptly notify the Director of Bank Supervision if any service provider is found to have not complied with these Directions or to have acted in an unlawful/unsafe manner.

12.3 Reporting to Financial Intelligence Unit
Licensed banks shall be responsible for submitting transaction reports, suspicious transaction reports and any such report required by statutes, regulations, and guidelines to the FIU in respect of their customer transaction activities, even if such activities are under outsourced arrangements.

13 Regulatory Intervention of the Central Bank of Sri Lanka

13.1 CBSL may, where it deems necessary, direct a licensed bank to modify, restrict, or terminate an outsourcing arrangement entered/to be entered into with a service provider.

13.2 CBSL, on receipt of any written complaint with respect to the conduct of any outsourcing service provider, may direct the licensed bank to conduct further investigations and to initiate appropriate remediation measures on the same.

13.3 CBSL may implement appropriate regulatory actions against licensed banks in the event of non-compliance with these Directions.

14 Revocation of Previous Directions

14.1 Banking Act Directions No. 02 of 2012 on Outsourcing of Business Operations of a Licensed Commercial Bank and Licensed Specialised Bank will be revoked, with effect from 01.01.2027.
Annex I

Business Operations Outsourced/Proposed to be Outsourced during ………… (year)

Name of the Bank: …………………………………………………………………………

| Function/Process Outsourced | Name of the Service Provider | Address | Date of Commencement/Renewal | Period | No. of Persons involved/authorised | Deliverables/Services | Cost (per annum) |
|---|---|---|---|---|---|---|---|
| Existing | | | | | | | |
| 1 | | | | | | | |
| 2 | | | | | | | |
| 3 | | | | | | | |
| Proposed | | | | | | | |
| 1 | | | | | | | |
| 2 | | | | | | | |
| 3 | | | | | | | |

……………………………………          ……………………………
Chief Executive Officer          Chief Compliance Officer

Date: …………………………….          Date: ……………………