2021-03-10

Outsourcing Forms - March 2021

The Saudi Central Bank (SAMA) issued this directive to standardize third-party outsourcing applications and align them with Circular No. 4102/2017, requiring banks to submit a revised form with all mandatory attachments in PDF or WORD format. The updated framework mandates comprehensive risk assessments, confirmed regulatory compliance across information security and cybersecurity controls, and explicit contractual clauses covering termination rights, data access, and subcontracting limitations. Foreign bank branches must additionally demonstrate enforceable service level agreements with head offices, secure domestic data copies, and confirm customer consent for cross-border information sharing.


Saudi Arabia

Saudi Central Bank


E2103110195

Date: 27/07/1442 AH
Corresponding: 11/03/2021 AD


Subject: Re: Third-Party Outsourcing Applications

Respectfully,

With reference to the Saudi Central Bank's applications regarding third-party outsourcing issued under Circular No. 4102/2017 dated 18/04/1441 AH, and in the interest of standardizing the collection of required attachments when submitting non-objection applications for third-party outsourcing, and considering observations regarding certain applications' non-compliance with the Bank's applications (including third-party outsourcing applications, comments from other relevant regulatory authorities, and deficiencies in required attachments),

We therefore confirm the following:

  • The bank/financial institution must make sufficient efforts to ensure the application aligns with all Saudi Central Bank applications, particularly third-party outsourcing applications, as well as instructions from other relevant regulatory authorities.
  • Attach the attached third-party outsourcing form (modified above) and submit it in (PDF/WORD) format as part of the outsourcing applications.
  • Fulfill all requirements and documents specified in the attached form.

We also wish to emphasize the necessity of completing all data, documents, and requirements mentioned in the attached form to facilitate application processing.

For your information and action, should you have any inquiries regarding this matter, please contact us via email.

For your information and action, effective from the date of issuance.

Best regards,

[Signature]

Fadila Alqurashi
Director, Banking Supervision Division
General Department of Banking Control

[Full Name]
Director, Audit and Supervision Division
Banking Control Office

1442/07/27 AH | 2021/03/11 AD
www.sama.gov.sa


Third-Party Outsourcing Form

March 2021 AD

Saudi Central Bank


(1) Required Documents to Submit for the Saudi Central Bank Non-Objection Application for Third-Party Outsourcing

No. | Documents | Attached?
1 | Official letter requesting non-objection, signed by the CEO / Managing Director / General Manager. | Yes ☐ No ☐
2 | Bank/financial institution's third-party outsourcing policy. | Yes ☐ No ☐
3 | Draft contract/agreement to be executed with the service provider, including at minimum Articles (18, 19, 20, 21) of the third-party outsourcing instructions (Articles 22, 26, 33, 34). | Yes ☐ No ☐
4 | Copy of the commercial registration and activity license for the service provider. | Yes ☐ No ☐
5 | Comprehensive risk assessment for outsourcing "core activities" to a third party. | Yes ☐ No ☐
6 | Written confirmation from the bank supported by legal opinion confirming the Saudi Central Bank's right to access the outsourcing activity at the third-party service provider and obtain records and information. | Yes ☐ No ☐
7 | Confirmation of compliance with the Saudi Central Bank's requirements issued in the Information Security Regulatory Guide and the Business Continuity Regulatory Guide regarding the outsourced task. | Yes ☐ No ☐
8 | Confirmation of compliance with the National Cybersecurity Authority's fundamental cybersecurity control requirements regarding the outsourced task. | Yes ☐ No ☐
9 | Completion of the attached forms. | Yes ☐ No ☐
10 | Approvals from relevant departments within the bank. | Yes ☐ No ☐
11 | Official letter requesting non-objection from the head office/main center as stated in Article (51) of the third-party outsourcing instructions (for foreign bank branches wishing to provide services contracted with the head office). | Yes ☐ No ☐
12 | Confirmation of compliance with the National Data Management Office's national data governance policies. | Yes ☐ No ☐

(2) Application Description

Bank/Financial Institution Name
Type of Bank/Financial Institution: ☐ Local ☐ Foreign
Nature of the task to be outsourced.
Text of the regulatory document for obtaining non-objection:
Type of Task: ☐ Core ☐ Non-Core
Type of Outsourcing: ☐ Within the Kingdom ☐ Outside the Kingdom
If the task is core, please state the classification justification.

Reasons for Third-Party Outsourcing.

Will the outsourcing be to a third party or to contracted companies within the group? Please detail if outsourcing is to a company contracted with the group.
(If outsourcing is to a third party outside the Kingdom) Please state reasons for not providing it by a third party within the Kingdom.
Name of the service provider the bank/financial institution wishes to contract with.
Details about the third-party service provider.
Banks and companies contracted with the service provider.
Description of the outsourced task and its objective.
Type of data exchanged between the bank and service provider, storage location, and disposal method. (If applicable) Mechanism for handling data between the bank and service provider, including preservation, protection, integrity, and confidentiality.


Mechanism for Complying with All Regulatory and Supervisory Requirements with the Contracted Company.

Supervision, execution, and management mechanism for the service provider.
Overview of risk analysis related to outsourcing this task to the service provider and procedures for managing these risks.
Implications if the task is not outsourced to a third party.
Is there an enforceable legally binding service level agreement between the head office/main center / group members and the foreign bank branch in Saudi Arabia, granting the Central Bank the right to access the head office / group members upon outsourcing to a third party? (Specific to foreign bank branches)
Has customer consent been obtained for data sharing with the head office/main center / group members? (Specific to foreign bank branches)
Is access to branch information by the head office/main center / group members limited to core control functions? (Specific to foreign bank branches)
If customer data is hosted or stored outside the Kingdom upon outsourcing to a third party by a foreign bank branch, does the branch maintain an accessible copy of data in Saudi Arabia, and will Kingdom laws apply to this off-shore data? (Specific to foreign bank branches)


(3) Answer the following questions by placing a checkmark (√) in the selected answer box:

No. | Questions | Answers
1 | Has the bank complied with Article (16) of the third-party outsourcing instructions when submitting non-objection regarding appointment of third-party outsourcing options? | Yes ☐ No ☐
2 | Has the bank complied with Article (30) of the third-party outsourcing instructions when submitting non-objection regarding third-party adequacy? | Yes ☐ No ☐
3 | Does the task to be outsourced involve receiving or processing any customer complaints? | Yes ☐ No ☐
4 | Have preventive procedures been established to protect the security and confidentiality of customer data and financial data, in accordance with Paragraph (K) of Item (Fourth) of the third-party outsourcing instructions? | Yes ☐ No ☐
5 | Have business continuity plans been established for the future in case of sudden contract termination or inability of the service provider to fulfill its obligations under the executed contract, in accordance with Paragraph (N) of Item (Fourth) of the third-party outsourcing instructions? | Yes ☐ No ☐
6 | Has the service provider been provided with a copy of the first update to the Saudi Central Bank's instructions regarding third-party outsourcing? | Yes ☐ No ☐
7 | Has it been confirmed that the services and activities to be outsourced are not among those specified in Article (19) of the regulations governing banking agency operations? | Yes ☐ No ☐
If the answer to any of the above questions is "Yes", a detailed response must be included, specifying the question number for all questions answered "Yes" in the following data:
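No. | Detailed Answer
1 | ________________
2 | ________________
3 | ________________
4 | ________________
5 | ________________
6 | ________________
7 | ________________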

Form (A) Contract Compliance

Article No. in Contract | The attached third-party outsourcing contractual agreements include the following:
____ | Contract scope.
____ | Regulatory status (registered legal entity) of the third-party service provider.
____ | Service levels and performance requirements.
____ | Audit and supervision procedures.
____ | Business continuity plans.
____ | Default arrangements and termination rights, including minimum periods for executing termination clauses, considering bankruptcy status and any material changes.
____ | Pricing and fee structures.
____ | Dispute resolution mechanisms.
____ | Liability and compensation.
____ | Confidentiality, privacy, and information security.
____ | Assurance of Saudi Central Bank access and internal/external bank auditors' access.
____ | Compliance with all applicable regulatory and legal requirements.
____ | Contractual obligations of the third-party service provider in case of subcontracting for some or all third-party outsourcing arrangements.
____ | Reporting and escalation mechanisms.
____ | Obligation of the third-party service provider to notify the bank about any control weaknesses or negative developments in its financial performance.
____ | (Specific to foreign service providers) Obligation of the service provider to confirm the absence of regulatory obstacles, ensuring access to data and records in accordance with Paragraphs (33) and (34) of the outsourcing instructions.
____ | Renewal, renegotiation, and early termination clauses.
____ | Subcontracting is not permitted without bank approval and obtaining the Saudi Central Bank's non-objection.
____ | Right of the Saudi Central Bank to access relevant accounting documents and records regarding outsourcing arrangements, with the third-party service provider's obligation to cooperate.
____ | Obligation of the service provider to facilitate raising and processing customer complaints related to outsourced tasks.
Bank/Financial Institution
Name of Signatory
Position
Signature
Date

Form (B)

We, the bank/financial institution, confirm that a Saudi Central Bank non-objection application has been submitted to contract with the company for outsourcing tasks, as detailed in the attached draft contract/agreement. We further confirm that the bank's application and the draft contract/agreement align with the bank's approved policy on third-party outsourcing, the Saudi Central Bank's instructions on third-party outsourcing, and all relevant systems, regulations, and instructions issued by the Saudi Central Bank. We acknowledge that obtaining non-objection does not exempt the bank/financial institution from liability in any case if a violation in the application is proven.

Risk Management Director | Compliance Management Director
Name: ________________ | Name: ________________
Signature: _______________ | Signature: _______________

Legal Management Director
Name: ________________
Signature: _______________