Guidance Note G3/2019: 2019 Meetings with Executive Management of Smaller South African Banks

[Logo: South African Reserve Bank] South African Reserve Bank Prudential Authority

15/8/1/2 G3/2019

To: All banks, controlling companies and auditors of banks or controlling companies excluding branches of foreign banks

Guidance Note G3/2019 issued in terms of section 6(5) of the Banks Act 94 of 1990

Meetings to be held during the 2019 calendar year with the executive management¹ South African banks

Executive summary

The purpose of this guidance note is to inform all South African banks with an asset value of less than R50bn (hereinafter collectively referred to as 'smaller SA banks') and the auditors of such smaller SA banks, of the flavour-of-the-year topic for the discussions to be held with the board of directors and executive management of smaller SA banks during 2019.

1. Background

1.1 Outsourcing is defined by the Basel Committee on Banking Supervision - Joint Forum paper entitled “Outsourcing in Financial Services”, as a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, currently or in the future.

1.2 Outsourcing can be the initial transfer of an activity (or a part of that activity) from a regulated entity to a third party or the further transfer of an activity (or a part thereof) from one third party service provider to another, sometimes referred to as “subcontracting.” In some jurisdictions, the initial outsourcing is also referred to as subcontracting.

1.3 In order to assist the Prudential Authority (PA) in discharging its supervisory responsibilities, the scope of the meetings with the executive management of smaller SA Banks, to be held during the 2019 calendar year, will include a discussion on the flavor-of-the-year topic, "Life cycle of Outsourcing."

---

¹ South African banks with total assets of less than R50 billion as reported on the BA100, line 54, column 3 as at 31 December 2018.

P O Box 8432 Pretoria 0001 • 370 Helen Joseph Street Pretoria 0002 • South Africa • Tel +27 12 313 3911 / 0861 12 7272 • Fax +27 12 313 3758 • www.resbank.co.za

---

2

1.4 Format of the meetings to be held with the board of directors and executive management of smaller SA banks

1.4.1 Using the format outlined below, the board of directors and executives of all smaller SA Banks will be required to make a presentation and engage in discussions on the above-mentioned flavor-of-the-year topic. The duration for the presentation should be targeted at approximately 45 minutes.

1.4.2 The PA also requires to be provided with a copy of the presentation at least three weeks prior to the scheduled board of directors and executive committee meeting. The flavor-of-the-year topic is elaborated upon below.

2. Considerations regarding matters relating to outsourcing

2.1 There are a variety of guidelines that are in place for banks to follow with regards to outsourcing. These include:

2.1.1 Regulation 39 – management of risk arising from outsourcing of material business activities and functions;

2.1.2 Directive 8 of 2015 – Reporting requirements relating to material outsourced service providers and critical third-party service providers;

2.1.3 Guidance Note 5 of 2014 – Outsourcing of functions within banks;

2.1.4 Basel Committee - Joint Forum paper on Outsourcing in Financial Services published in February 2005.

3. Presentation by the Chairman of the board of directors of the smaller SA bank, with a specific focus on the following:

3.1 Strategy

3.1.1 An overview of the processes involved in deciding to outsource any activity and how it links to strategy and budget.

3.1.2 High level discussion of the outsourcing policy as approved by the board of directors.

3.1.3 Discussion as to the material risks combined with the cost / benefit analysis considered by the bank before engaging in outsourcing of activities. Practical examples should be used to support the discussion.

3.1.4 Demonstration as to how the outsourcing of activities has been considered in line with the board of directors’ approved risk appetite. Practical examples should be used to support the discussion.

---

3

3.2 Selection of outsourcing partners

3.2.1 An overview of the selection process to identify an outsourcing partner. This should include detail on the criteria used and the basis on which an outsourcing partner is selected, supported by practical examples. Discussion as to how:

(a) any conflicts of interest, or potential conflicts of interest are identified, between the business of the bank, the interests of depositors and the business of the service provider that performs the outsourcing service;

(b) consideration was given to the potential impact of multiple outsourcing arrangements by the service provider to a number of banks;

(c) the fitness and propriety of the outsourcing partner has been assessed and whether fitness and propriety is assessed at specific intervals during the contract period;

(d) the outsourcing partner’s governance, risk management, and internal controls have been assessed together with its ability to comply with applicable laws;

(e) the outsourcing partner’s operational capability and its financial position has been assessed to ensure that it does not pose a material risk to outsourcing partner’s ability to deliver the proposed outsourced function or activity.

3.3 Contracting

3.3.1 Explanation of the contracting process including details of the unit responsible for contracting and adherence to the terms of the contract by the outsourcing party;

3.3.2 Discussion of the standard elements that are provided for in an outsourcing arrangement/ contract;

3.3.3 Discussion of how confidentiality is maintained, where applicable.

3.4 Implementation

3.4.1 An overview of the transition considerations when moving to an outsourcing arrangement or moving from one outsourcing arrangement to another.

3.5 Management and review of outsourcing arrangements

3.5.1 Explanation as to how risks associated with any outsourcing of a material business activity are appropriately assessed, monitored, managed, and regularly reviewed;

3.5.2 Description of the type and frequency of contact maintained with the outsource partner;

---

4

3.5.3 Description of the processes implemented for ensuring that the level and standard of service to the bank under an outsourcing arrangement are appropriately monitored, managed, and reviewed;

3.5.4 Discussion of the resources allocated to oversee and manage the outsourcing arrangements entered into;

3.5.5 Discussion of the monitoring of budget allocation against deliverables and the timely escalation at the right level;

3.5.6 Discussion of assurance provided by internal audit over outsourced activities;

3.5.7 Discussion of assurance provided by external audit over outsourced activities;

3.5.8 Discussion of the management information that is reported to executive management and the board of directors regarding all outsourcing arrangements.

3.6 Exiting or termination

3.6.1 Explanation of the process of exiting an outsourcing arrangement;

3.6.2 The process of overseeing the exiting of an outsourcing arrangement including the assessment of the completeness of delivery;

3.6.3 Discussion as to how appropriate contingency plans have been developed to ensure the continuous functioning of the business of the bank in the event that the outsourcing arrangement is terminated or found to be ineffective.

4. Acknowledgement of receipt

4.1 Kindly ensure that a copy of this guidance note is made available to your institution's external auditors. The attached acknowledgement of receipt, duly completed and signed by both the Chief Executive Officer of the institution and the said auditors, should be returned to the Prudential Authority at the earliest convenience of the aforementioned signatories.

[Signature] Kuben Naidoo Deputy Governor and CEO: Prudential Authority Date: 1/4/2019

The previous guidance note issued was Guidance Note 2/2019, dated 1 April 2019.