Bank of Namibia Determination on Outsourcing (BID-34)

N$13.60 WINDHOEK - 26 November 2024 No. 8515 GOVERNMENT GAZETTE OF THE REPUBLIC OF NAMIBIA CONTENTS Page GENERAL NOTICE No. 767 Bank of Namibia: Determination under the Banking Institutions Act, 2023: Determination on Outsourcing (BID-34) ............................................................................................................... 1

---

General Notice BANK OF NAMIBIA No. 767 2024 DETERMINATION UNDER THE BANKING INSTITUTIONS ACT, 2023: DETERMINATION ON OUTSOURCING (BID-34) In my capacity as the Governor of the Bank of Namibia (Bank) and under the power vested in the Bank in terms of section 108(3)(b) of the Banking Institutions Act, 2023 (Act No. 13 of 2023), I hereby issue the Determination on Outsourcing (BID-34). J. !GAWAXAB GOVERNOR BANK OF NAMIBIA Windhoek, 1 October 2024

2 Government Gazette 26 November 2024 8515 Determination No. BID-34 OUTSOURCING Arrangement of paragraphs PART I PRELIMINARY PARAGRAPHS

1. Short Title
2. Authorisation
3. Definitions PART II STATEMENT OF POLICY
4. Purpose
5. Application PART III IMPLEMENTATION AND SPECIFIC REQUIREMENTS
6. Responsibility
7. Outsourcing Policy
8. Functions that cannot be outsourced
9. Outsourcing of material business activities and functions
10. Outsourcing of non-material activities and functions
11. Risk management and operational continuity
12. Due diligence and selection
13. Contract management and agreements
14. Contingency planning and business continuity
15. Confidentiality and security
16. Outsourcing outside Namibia (“offshoring”)
17. Supervisory access to information
18. Reporting requirements PART IV EFFECTIVE DATE
19. Effective date ANNEXURE 1 ANNEXURE 2 PART I: PRELIMINARY
20. Short Title – Outsourcing
21. Authorisation – The authority for the Bank to issue this Determination is provided in section 108(3)(b) of the Banking Institutions Act, 2023 (Act No. 13 of 2023).
22. Definitions – Terms used in this Determination are as defined in the Act, as further defined below, or as reasonably implied by the contextual usage.

8515 Government Gazette 26 November 2024 3 3.1 “Act” means the Banking Institutions Act, 2023 (Act No. 13 of 2023). 3.2 “Bank” means the Bank of Namibia referred to in section 2 of the Bank of Namibia Act, 2020 (Act No. 1 of 2020). 3.3 “critical services” means a service provided to a banking institution or microfinance banking institution of which a failure or disruption thereof can significantly impair the banking institution or microfinance banking institution’s viability, operations or ability to meet key legal and regulatory obligations. 3.4 “insourcing” means an arrangement where functions or business activities have been outsourced to a third-party service provider within a particular group of institutions that form part of a single banking group. 3.5 “material business activities” means business activities or functions of such importance that, if interrupted, may have a significant impact on the banking institution or microfinance banking institution’s business operations, its ability to manage risks effectively or its continued regulatory compliance. 3.6 “non-material business activities” means business activities or functions that, if interrupted, may not affect the internal control system (including the systems, policies, procedures and processes implemented by a banking institution or microfinance banking institution to safeguard its assets, limit or control risk) and do not pose a significant risk to the operation of a banking institution or microfinance banking institution. 3.7 “Offshoring” means outsourcing by a banking institution or microfinance banking institution of a business activity or function to a third-party service provider, who conducts the outsourced activity or function, outside Namibia. 3.8 “outsourcing” means the use of a third-party service provider, whether it is an affiliate within a corporate group or a third-party service provider, to perform a business activity, service, function or process on behalf of a banking institution or microfinance banking institution which business activity, service, function or process could also be undertaken by the banking institution or microfinance banking institution. This includes insourcing arrangements. 3.9 “outsourcing arrangement” means a written, legally binding agreement between a banking institution or microfinance banking institution and a service provider, where the service provider performs a business activity, function or process which can ordinarily be undertaken by the banking institution or microfinance banking institution. 3.10 “third-party service provider” means an entity that is undertaking the outsourced function or activity on behalf of a banking institution or microfinance banking institution and includes members of the corporate group to which the banking institution or microfinance banking institution belongs, or an entity that is external to the banking group, whether located in Namibia or elsewhere. PART II: STATEMENT OF POLICY 4. Purpose 4.1 This Determination sets out the requirements that a banking institution or microfinance banking institution must observe in assessing and managing risks relating to outsourcing arrangements.

4 Government Gazette 26 November 2024 8515 4.2 This Determination guides all aspects of outsourcing business activities or functions of a banking institution or microfinance banking institution. 5. Application This Determination applies to all banking institutions and microfinance banking institutions authorised to conduct business in Namibia. PART III: IMPLEMENTATION AND SPECIFIC REQUIREMENTS 6. Responsibility 6.1 The Board of Directors of a banking institution or microfinance banking institution is responsible for ensuring compliance with this Determination and for ensuring, at a minimum, that: (a) An outsourcing policy which comprehensively guides the assessment and risk management of outsourced activities is approved by the Board of Directors and reviewed at least once every three years. (b) The risks associated with outsourced activities or functions are identified and duly managed, to ensure that a banking institution or microfinance banking institution delivers on its obligations. (c) Abanking institution or microfinance banking institution has comprehensive risk management, internal control and oversight processes, practices and procedures to manage various types of outsourcing arrangements. (d) Outsourced activities are conducted in a safe and sound manner and in compliance with applicable legislation and where compliance issues are identified, these are comprehensively and timeously addressed by the banking institution or microfinance banking institution. (e) The selection and management of a group entity concerning all insourcing arrangements: (i) are subject to the requirements of this Determination; (ii) are based on objective reasons; (iii) the conditions of the outsourcing arrangement are set at arm’slength, explicitly deal with conflicts of interest, do not impair the banking institution or microfinance banking institution’s ability to comply with regulatory requirements; and (iv) fees levied are documented, set in a transparent manner and are commensurate with the service rendered. (f) The Bank and a banking institution or microfinance banking institution’s external auditors have access to information relating to the outsourced function or activity to enable them to execute their duties under the Act and other relevant legislation.

8515 Government Gazette 26 November 2024 5 6.2 Senior management of a banking institution or microfinance banking institution is required to ensure the following requirements relating to outsourcing of material business activities and functions are in place: (a) A plan for assessing outsourcing strategies and arrangements and evaluating their consistency with and support of the banking institution or microfinance banking institution’s strategic objectives. (b) A programme for outsourcing activities, including performing risk assessments regarding the outsourcing of material business activities and functions both before entering into the arrangement and during the arrangements, as well as determining appropriate approval mandates for outsourced services. (c) A comprehensive risk assessment and risk mitigation strategies to address the risks associated with outsourcing arrangements and third-party service providers. The risks should be periodically reassessed in line with the banking institution or microfinance banking institution’s risk management framework. (d) Notification to the Bank before outsourcing material business activities and functions under section 9 of this Determination. (e) Ensure that an official within the banking institution or microfinance banking institution is specifically designated to oversee outsourced or managed services, which person will also be deemed accountable for the smooth operation of the outsourced functions and compliance of the outsourced entities with this Determination, where applicable. This official should be competent and adequately authorised to make decisions commensurate with the nature, scope and complexity of the outsourcing arrangements. These responsibilities can be part of the existing roles, depending on the banking institution’s organisational structure and capacity. (f) Ensure that a banking institution or microfinance banking institution is aware of the legislative requirements applicable to the third-party service provider in the countries where the banking institution or microfinance banking institution’s data is hosted; and determine whether such requirements do not impose undue risk on the banking institution or microfinance banking institution, especially where countries have rights to seize or otherwise access data hosted by the third-party service provider. (g) Ensure that the outsourcing arangement with third parties incorporates the necessary arrangements to enable the institution to remain compliant and to provide evidence of such compliance. 7. Outsourcing Policy 7.1 A banking institution or microfinance banking institution must have an outsourcing policy approved by the Board that addresses the identification, classification, assessment, management, mitigation and reporting of risks associated with outsourcing. The banking institution or microfinance banking institution must ensure that the policy specifies how compliance with the policy will be monitored and enforced across all relevant parties, including third-party service providers.

6 Government Gazette 26 November 2024 8515 7.2 The outsourcing policy should include the following: (a) The strategic goals, objectives and business needs of a banking institution or microfinance banking institution in relation to outsourcing; (b) Clear definitions of the range of activities and functions that may be outsourced and those that may not be outsourced; (c) Limits on the overall acceptable level of outsourced activities and functions within the banking institution or microfinance banking institution and limits on the geographical location of a third-party service provider, if applicable; (d) Criteria for classification process for designation of outsourced activities and functions as material and non-material; (e) Eligibility criteria for selecting third-pary service providers taking into account any relation, directly or indirectly, with the banking institution or microfinance banking institution; (f) Processes and criteria for evaluating and reporting on the risks and controls associated with outsourced activities of varying nature on an ongoing basis; (g) Management of material and non-material outsourcing activities and functions; (h) Issues addressing risk concentration and risks arising from outsourcing multiple activities to the same service provider or multiple banking institutions and microfinance banking institutions using the same service provider; (i) Steps to ensure compliance with legal and regulatory requirements in both home and host countries; and (j) Contingency plans and the assessment of the third-party service provider contingency plans to ensure operational continuity in case of business disruption. 8. Functions that cannot be outsourced 8.1 Functions and activities that are considered integral and fundamental to the operation of a banking institution or microfinance banking institution cannot be outsourced. These functions and activities must be maintained and conducted internally by the banking institution or microfinance banking institution, to ensure direct oversight and control. Functions and activities that cannot be outsourced, without the Bank’s specific approval, include: (a) Credit lending - The credit lending function, which encompasses all activities related to credit risk assessment, loan origination, approval, loan issuance and the management of credit portfolios, must be performed internally by a banking institution or microfinance banking institution. (b) Deposit-taking - The deposit-taking function involves accepting deposits from the public, including opening and managing deposit accounts, which must remain within the banking institution or microfinance banking institution. This excludes the deposit-taking function carried out by an

8515 Government Gazette 26 November 2024 7 agent on behalf of a banking institution as a result of an agency relationship between a banking institution and a third-party service provider. (c) Treasury function - The treasury function, including the management of liquidity, investment portfolios, capital planning and funding strategies, must be conducted internally and must remain within the banking institution or microfinance banking institution. A banking institution or microfinance banking institution must retain overall responsibility for the strategic management and oversight of its investment portfolio. While certain administrative or operational activities related to the investment portfolio may be outsourced, the ultimate decision-making and oversight must remain within the banking institution or microfinance banking institution to ensure alignment with its risk management framework and regulatory requirements. (d) Governance, risk management, compliance and internal audit functions

• These functions are critical to the operation of a banking institution or microfinance banking institution and, therefore, cannot be outsourced. While the individuals performing the role internal audit function itself cannot be outsourced, where necessary, the individuals performing the role can be recruited on a temporary basis, in line with the relevant labour laws. 8.2 Certain activities performed under each of the functions listed under section 8.1 that cannot be outsourced, may under certain circumstances be outsourced with specific approval from the Bank. 8.3 Related systems and support tools - While the functions indicated in section 8.1 cannot be outsourced, systems and standard tools that support these functions such as systems and software may be outsourced. These support systems fall outside the scope of functions and activities that cannot be outsourced. However, the outsourcing and treatment of such systems must be assessed and evaluated based on their materiality.

9. Outsourcing of material business activities and functions 9.1 A banking institution or microfinance banking institution intending to outsource a material activity must notify and obtain prior authorisation from the Bank. The authorisation should be sought at least 30 working days before entering into an agreement with the service provider. A list of information required to accompany the authorisation notification is outlined in Annexure 1. 9.2 It is the role of the management of a banking institution or microfinance banking institution to evaluate whether an outsourcing arrangement is material or not. Both quantitative and qualitative judgments must be involved in assessing materiality. 9.3 Material outsourcing refers to the outsourcing of an activity or function of such importance that any weakness or failure in the provision of this activity or function, could have a significant impact on a banking institution or microfinance banking institution’s business operations, its ability to manage risks effectively, or its continued regulatory compliance should such activities be disrupted. 9.4 In assessing materiality, i.e. whether an activity to be outsourced is material or non￾material, at a minimum, the assessment must consider the following factors: (a) Relative importance and contribution to income - the relative importance of the business activity to be outsourced, which can be measured in terms of contribution to income and profit;

8 Government Gazette 26 November 2024 8515 (b) Potential impact on financial metrics - the potential impact of the outsourcing activity on current and projected earnings, solvency, liquidity, funding and capital and risk profile; (c) Impact on reputation and business objectives - the likely impact on a banking institution or microfinance banking institution’s reputation and its ability to achieve business objectives, strategy and plans should the service provider fail to perform; (d) Cost-effectiveness - the cost of the outsourcing as a percentage of total operating expenses; (e) Aggregate exposure to service providers - the aggregate exposure to that particular service provider, in cases where a banking institution or microfinance banking institution outsources various functions to the same service provider; and (f) Internal controls and regulatory compliance - the ability to maintain appropriate internal controls and meet regulatory requirements in case of operational failures by the service provider. 9.5 The Bank may require additional information from outsourcing banking institutions or microfinance banking institutions and service providers, depending on the specificities of the outsourcing arrangements. 9.6 A banking institution or microfinance banking institution must note the functions that cannot be outsourced, as specified in this Determination. 10. Outsourcing of non-material activities and functions 10.1 A banking institution or microfinance banking institution that intends to outsource a non-material activity is not required to notify and obtain the prior authorisation of the Bank. However, a banking institution or microfinance banking institution is required to ensure that adequate risk management and oversight are exercised at all times by the Board and Senior Management of a banking institution or microfinance banking institution, over these activities or functions. 10.2 The outsourcing policy of a banking institution or microfinance banking institution must clearly outline the classification process for the designation of outsourced activities and functions as material and non-material. The Outsourcing Policy should further indicate how non-material outsourcing activities and functions will be managed. 10.3 Outsourced functions or activities which are assessed and designated as non-material include those which do not affect the internal control system of a banking institution or microfinance banking institution, do not pose a significant risk to operational continuity and fall outside of the criteria for material outsourced arrangements. 10.4 Abanking institution or microfinance banking institution must ensure that outsourcing agreements do not impede or limit the Bank’s ability to effectively supervise the banking institution or microfinance banking institution or outsourced activity, function, or service.

8515 Government Gazette 26 November 2024 9 10.5 An outsourcing arrangement which was previously non-material may subsequently become material due to an increase in the volume or nature of the activity outsourced to the service provider or for any other reason. Should this be the case, a banking institution or microfinance banking institution must notify the Bank immediately or within 20 working days of the change occurring, where non-material activities or functions become material. 10.6 For this Determination, the following activities will not be considered as outsourcing. A banking institution or microfinance banking institution is not required to obtain approval from the Bank and may outsource the activities and functions listed below, irrespective of their classification: (a) Use of common network infrastructure such as Visa/MasterCard; (b) Market information services such as Bloomberg and Moody’s; (c) Clearing and settlement arrangements between institutions; (d) Correspondent banking services; (e) Credit reference bureau services; (f) Professional advisory services, e.g. legal opinions; (g) Marketing and advertising agreements; (h) Tasks such as cleaning services, maintenance and repair services for office equipment and premises; and (i) Any other activity that the Bank may specify periodically through official circulars, guidelines or amendments to this Determination. 11. Risk management and operational continuity 11.1 The ultimate responsibility for ensuring that the risks in terms of outsourcing arrangements are effectively managed lies with the Board and Management of the banking institution or microfinance banking institution. The Board of Directors and Management of a banking institution or microfinance banking institution must always have a complete understanding of the various risks associated with outsourcing. Annexure 2 outlines some of the key risks in outsourcing that a banking institution or microfinance banking institution needs to evaluate and guard against. 11.2 The risk management on outsourcing must include the following: (a) Identification of the role of outsourcing in the overall business strategy and its interaction with corporate strategic goals; (b) Due diligence on the outsourced service provider and effective identification of the key risk mitigation strategies; (c) Analysis of the impact of the outsourcing arrangement on the overall risk profile of the banking institution or microfinance banking institution and whether there are adequate internal expertise and resources to mitigate the risks identified; and

10 Government Gazette 26 November 2024 8515 (d) analysis of risk-return on the potential benefits of outsourcing against the vulnerabilities that may arise from the impact of temporary disruption to that of an unexpected termination of the outsourcing arrangement and whether for strategic and internal control reasons, the arrangement should be entered into. 12. Due diligence and selection 12.1 A banking institution or microfinance banking institution must conduct the necessary due diligence on a prospective service provider prior to entering into an outsourcing agreement, including insourced agreements. 12.2 When performing due diligence, a banking institution or microfinance banking institution must, among others, consider and assess the following factors pertaining to the third-party service provider, including but not limited to the third-party service provider’s capacity and ability to perform; known and potential risks related to the third-party service provider’s arrangement; and relative benefits and costs of the arrangement which will be further discussed below. 12.3 Capacity and ability to perform - As part of the assessment of a outsourcing service provider’s capacity and ability to deliver the services under the arrangement, a banking institution or microfinance banking institution must consider the third-party service provider’s: (a) capability to offer service support to ensure the continuity of operations of the banking institution or microfinance banking institution; (b) reliance on sub-contractors and other parties; (c) operational and technical capability; (d) ability to support the banking institution ormicrofinance banking institution’s objectives for innovation, expansion and third-party strategy; (e) ability to support the banking institution ormicrofinance banking institution’s legal and regulatory compliance obligations; (f) ability to maintain qualified and adequate staff for ongoing service delivery as well as during disruption; (g) effectiveness of internal controls and risk management, including its ability to manage information communication technology (ICT), cyber-risk and other operational risks; (h) ability to manage supply chain risks; and (i) ability to maintain Business Continuity Plans (BCPs), Disaster Recovery Plans (DRPs) and other relevant plans (e.g. crisis communication plans) consistent with or benchmarked to the banking institution or microfinance banking institution’s tolerance for disruption of critical services. 12.4 Risks - As part of the assessment of known and potential risks, a banking institution or microfinance banking institution must consider the following:

8515 Government Gazette 26 November 2024 11 (a) the allocation of responsibility for security, resilience and other technical configurations (e.g. access management controls) between a banking institution or microfinance banking institution and the third-party service provider with respect to the delivery of services and the associated risks; (b) financial soundness insofar as it can affect the delivery of the relevant services; (c) geographic dependencies and management of related risks (e.g. risks related to the economic, financial, political, legal and regulatory environment in the jurisdiction(s) where the relevant service will be provided); (d) potential conflicts of interest; (e) recent or pending adverse media screening, relevant complaints, investigations or litigation in as far as it related to the third-party service provider; (f) availability of potential alternative third-party service providers and assessment of related risks; (g) whether the outsourcing arrangement under consideration may result in unacceptable concentration risk; and (h) A banking institution or microfinance banking institution must consider other relevant regulations issued by the Bank on matters such as cloud computing and information security. This includes ensuring compliance with the applicable regulations. 12.5 Relative benefits and costs - As part of the assessment of relative benefits and costs associated with the third-party service provider’s arrangement, a banking institution or microfinance banking institution must consider the following: (a) the potential risks of not entering into a third-party service provider arrangement against the risks that the new third-party service provider arrangement may introduce or amplify known risks (e.g. replacing obsolete legacy system, difficulty in hiring and maintaining qualified staff); and (b) its ability (including cost, timing, contractual restrictions) to exit the third￾party service provider’s arrangement and either transition to another third￾party service provider or move the activity back in-house with the banking institution or microfinance banking institution. 13. Contract Management and Agreements 13.1 Outsourcing arrangements between a banking institution or microfinance banking institution and a service provider must be governed by a written outsourcing arangement and may be supported by Service Level Agreements. 13.2 The outsourcing arrangement must be concluded between a banking institution or microfinance banking institution and the third-party service provider. Where a parent company has entered into an agreement with a third-party service provider for the benefit of the banking institution or microfinance banking institution, such banking institution or microfinance banking institution must be a signatory to the contract with the third-party service provider.

12 Government Gazette 26 November 2024 8515 13.3 Other provisions to be included in an outsourcing agreement are: (a) scope of the outsourcing activities, including clear definitions of functions to be outsourced to the third-party service provider as well as the timeframe for implementation of the outsourcing arrangement; (b) cost and maintenance; (c) confidentiality and security; (d) contingency planning in the event of the third-party service provider failing; (e) access by the banking institution or the microfinance banking institution and the Bank to all books, records and information relevant to the outsourced activity provided by the service provider; (f) continuous monitoring and assessment by the banking institution or the microfinance banking institution of the third-party service providers; (g) types of audit reports and other reports that a banking institution or microfinance banking institution should receive, for example, audited financial statements and performance reports of the third-party service provider; (h) reporting of any material weakness that may impact negatively on the financial soundness of the third-party service provider; (i) dispute resolution; (j) termination and early exit clause in case of default by the third-party service provider, including judicial management insolvency, liquidation or change in ownership; (k) conditions of subcontracting by the third-party service provider for all or part of an outsourced activity and contingency planning for business resumption; (l) need, if any, for insurance cover to be contracted by the third-party service provider; (m) where the third-party service provider is located outside Namibia, choice￾of-law provisions, agreement covenants and jurisdictional covenants that provide for adjudication of disputes between the parties under the laws of a specific jurisdiction; (n) Considerations of environmental, social and governance (ESG) elements, including factors such as socio-economic inclusion and environmental sustainability; (o) Data protection and ownership of data; and (p) Such country risks and obstacles in exercising oversight and management as may be necessary and relevant.

8515 Government Gazette 26 November 2024 13 13.4 The outsourcing arangement must detail the pricing methodology and considerations such as fairness and reasonableness for any fees charged for outsourced activities, including insourced activities. A detailed and comprehensive invoice must be provided to each banking institution or microfinance banking institution, detailing the fees charged. 13.5 An outsourcing arangement must contain an indemnity clause to the effect that any sub-contracting by a third-party service provider of the outsourced function remains the responsibility of the third-party service provider, including liability for any failure on the part of the sub-contractor to who such third-party service provider outsourced. 13.6 A banking institution or microfinance banking institution must ensure that the outsourcing arangement does not entitle the service provider to unilaterally cancel the arangement in the event that a recovery or resolution action is taken by the Bank. 13.7 The terms of the outsourcing arangement must allow a banking institution or microfinance banking institution to modify the manner in which the outsourced activities are performed, specifically where a banking institution or microfinance banking institution may need to amend processes to meet compliance requirements. 13.8 Where a banking institution or microfinance banking institution makes use of a third-party service provider in the use of outsourcing, the banking institution or microfinance banking institution must ensure that it contractually agrees on the compliance requirements to be honoured by the third-party service provider to ensure ongoing compliance with laws and regulations. 13.9 Abanking institution or microfinance banking institution must ensure that outsourced systems handling customer, accounting, or other sensitive data across borders comply with local data protection laws and regulatory requirements. Provisions must be made to ensure that data is protected, including adherence to regulations such as data sovereignty and applicable international frameworks on data sharing and privacy. 13.10 A banking institution or microfinance banking institution must ensure that the outsourcing arangement specifies relevant data hosting details, including location, protection measures and compliance with applicable laws and regulations. 13.11 A banking institution or microfinance banking institution must ensure that the outsourcing contract includes a clearly defined termination clause. This clause should specify the responsibilities and processes to be followed upon termination and should address scenarios of insolvency, breach of contract and voluntary exit by either party. 14. Contingency planning and business continuity 14.1 Before entering into a contract with a third-party service provider, a banking institution or microfinance banking institution must assess whether the third-party service provider has sufficient capacity to effectively manage, on a continuous basis, the services that the banking institution or microfinance banking institution is planning to outsource. 14.2 A banking institution or microfinance banking institution must also consider the potential services that the third-party service provider may have to provide in the foreseeable future, including the relevant metrics for capacities, such as storage capacity, increased number of users and transactional requirements.

14 Government Gazette 26 November 2024 8515 14.3 Before entering into any third-party outsourcing arangements, a banking institution or microfinance banking institution must consider whether the information communication infrastructure between the banking institution or microfinance banking institution and the third-party service provider is sufficient to manage the current and future requirements on a continual basis. 14.4 A banking institution or microfinance banking institution must ensure effective incident management and reporting to maintain operational continuity and compliance. A banking institution or microfinance banking institution must also develop a comprehensive incident response plan to manage and mitigate service disruptions, including procedures for identifying, responding to and recovering from incidents. 14.5 A banking institution or microfinance banking institution must notify the Bank immediately upon becoming aware of any incident involving a material outsourced function or activity, or within 24 hours after detecting an incident or the next immediate working day in case of weekends and public holidays. 14.6 The banking institution or microfinance banking institution must conduct post￾incident reviews and identify root causes and implement corrective actions, fostering continuous improvement and resilience. 15. Confidentiality and Security 15.1 As public confidence in banking institutions and microfinance banking institutions is crucial in the stability and reputation of the financial system, a banking institution or microfinance banking institution must satisfy itself that the third-party service provider’s security policies, procedures and controls will enable the institution to protect confidentiality and security of all information. A banking institution or microfinance banking institution must take the following steps, as a minimum, to ensure confidentiality is maintained: (a) Access to customer information by staff of the third-party service provider must be limited to those areas where the information is required to perform the outsourced function. (b) Ensure that the third-party service provider is able to isolate and identify the banking institution’s or microfinance banking institution’s customer information, documents, records and assets to protect the confidentiality of the information. (c) Ensure it reviews and monitors, at a minimum, the security and control practices of a material third-party service provider on a regular basis, but not less than once annually. (d) Immediately report to the Bank any unauthorised access or breach of confidentiality and security, directly or indirectly and must subsequently submit information related to the incident in an Information Security Incident Reporting return (BIR-301) within 24 hours after detecting the incident or the next immediate working day in case of weekends and public holidays. 16. Outsourcing Outside Namibia (“Offshoring”) 16.1 A banking institution or microfinance banking institution may outsource certain types of activities to third-party service providers outside Namibia, such as

8515 Government Gazette 26 November 2024 15 ‘offshoring’. The engagement of third-party service providers in a foreign country exposes a banking institution or microfinance banking institution to foreign country risks, including economic, social, and political conditions and other conditions in that foreign country. These foreign country risk exposures may adversely affect the banking institution or microfinance banking institution, in that the third-party service provider in that foreign country, may be prevented from carrying out the terms of the outsourcing arangement with the banking institution or microfinance banking institution. 16.2 To manage the foreign country risk involved in offshore outsourcing activities, a banking institution or microfinance banking institution must consider and closely monitor government policies as well as political, social, economic and legal conditions in countries where the service provider is based, during the risk assessment process and on a continuous basis and establish sound procedures for dealing with foreign country risk exposures. This includes having appropriate contingency and exit strategies. 16.3 The activities outsourced outside Namibia should be conducted in a manner that does not hinder efforts by the Bank to supervise the activities of the banking institution or microfinance banking institution in a timely manner. In this regard, a banking institution or microfinance banking institution must not outsource its functions to service providers in jurisdictions where unfettered access to information by the Bank or its authorised person and the internal and external auditors of the banking institution or microfinance banking institution, may be impeded. The Bank may communicate directly with the home or host regulator of the banking institution or microfinance banking institution or the third-party service provider, as the case may be, to seek confirmation on any matter the Bank deems appropriate. 16.4 A banking institution or microfinance banking institution must consider scenarios in case of disruptions in the business continuity of the third-party service provider especially on how quickly and efficiently the outsourced processes could be reverted to Namibia to limit any potential disruption of service to the banking institution or microfinance banking institution due to the disruption. 17. Supervisory access to information 17.1 A banking institution or microfinance banking institution must provide the Bank with access to necessary information on the outsourced material business activity or function to enable the Bank to exercise its regulatory responsibilities. 17.2 A banking institution or microfinance banking institution must inform the Bank of any possible restriction on the provision of information relating to the outsourced activity or function. 17.3 To facilitate the ability of the Bank to regulate and access a banking institution or microfinance banking institution’s data, a banking institution or microfinance banking institution must ensure that: (a) The third-party service provider’s outsourcing arangement includes the right of supervisory institutions to access information, which may include conducting on-site visits at the third-party service provider’s facilities or alternative measures for supervisory access such as virtual audits. (b) The third-party service provider’s outsourcing arangement provides for the mutual exchange of information (potentially through a right to transparency

16 Government Gazette 26 November 2024 8515 clause) and, by request, the provision of relevant information to the Bank. Where a banking institution or microfinance banking institution is unable to present data to the Bank upon request, for any reason whatsoever, the Bank may require the outsourcing arrangement to be brought into compliance with this Determination and may, after due process, request the the termination of the relationship with the third-party service provider and take further steps as the Bank may deem necessary. (c) The Bank is informed as soon as practically possible or within 20 working days within which the banking institution or microfinance banking institution becomes aware of any possible restrictions. 18. Reporting requirements A banking institution or microfinance banking institution is required to submit to the Bank, on an annual basis by no later than 31 March each year, a list of all material and non-material activities and function that have been outsourced, in such form and manner as may be determined by the Bank. This list should include all material and non-material outsourced activities and functions held as of 31 December of the preceding year. PART VI: EFFECTIVE DATE 19. Effective Date This Determination comes into force on the date of publication in the Gazette. ANNEXURE 1 A list of information is to be submitted along with the request for authorisation for outsourcing material business activities and functions.

1. A feasibility study or business case on the activity to be outsourced, including the rationale for outsourcing and the associated costs.
2. A profile of the service provider including, inter alia, details of significant shareholders and senior management and financial standings.
3. A draft outsourcing agreement proposed to be entered between the banking institution or microfinance banking institution and the service provider.
4. A contingency plan for the outsourcing arrangement.
5. A letter to the Bank seeking approval for the outsourcing of material business activities or functions. The letter must include a clause orstatement by the Principal Officer of the banking institution or microfinance banking institution confirming that all relevant internal control procedures and risk management systems, in relation to the proposed outsourced function or activity, have been assessed and are in place for the implementation of the outsourced function or activity. ANNEXURE 2 Risks Involved in Outsourcing Financial Activities The key risks involved in outsourcing that need to be considered as part of risk management by a banking institution or microfinance banking institution include:

8515 Government Gazette 26 November 2024 17 (a) Strategic Risk - Arises when the business practices of an outsourced third￾party service provider conflict with the short and long-term objectives of the banking institution or microfinance banking institution. The service provider should align with the banking institution or microfinance banking institution’s strategic goals. (b) Reputation Risk - Occurs due to poor service from the outsourced third￾party service provider or customer interaction that do not meet the banking institution’ or microfinance banking institution’s standards. (c) Compliance Risk - Arises when privacy, consumer and prudential laws are not adequately complied with, or the outsourced third-party service provider has inadequate compliance systems and controls. (d) Operational Risk - Includes risks due to technology failure, fraud, error, or the outsourced third-party service provider’s inadequate financial capacity to fulfil obligations and provide remedies. (e) Exit Strategy Risk - Occurs when appropriate exit strategies are not in place. This risk can arise from overreliance on one outsourced third-party firm, the loss of relevant skills within the outsourced third-party institution, or contracts that make speedy exits prohibitively expensive. (f) Counterparty Risk - Results from inappropriate underwriting or credit assessments that can diminish the quality of loans. (g) Country Risk - Arises from the political, social, or legal climate in the service provider’s country, which can create additional risks and complexities in business continuity planning. (h) Contractual Risk - Occurs when the banking institution or microfinance banking institution may not have the ability to enforce the contract effectively. (i) Concentration and Systemic Risk - Arises when there is a lack of control over an outsourced third-party service provider, especially if the entire banking industry has considerable exposure to the same outsourced third￾party provider, leading to systemic risk. (j) Legal Risk - The risk that the banking institution or microfinance banking institution may face fines, penalties, or punitive damages due to supervisory actions or private settlements resulting from the outsourced third-party service provider’s actions or omissions.

---