[unofficially consolidated translation]
DECISION
ON MANAGING OUTSOURCING AND OUTSOURCING-RELATED RISKS
(OGM 127/20 of 29 December 2020, 112/25 of 06 October 2025)
Subject matter
Article 1
This Decision prescribes the management of outsourcing and outsourcing-related risks, as well
as the content of information, the structure and maintenance of the registry of outsourcing arrangements.
Outsourcing service provider
Article 2
An outsourcing service provider (hereinafter: the service provider) may be:
- a member of a group of credit institutions of which the credit institution is a member;
- a legal or a natural person, which is, according to the regulations of the country in which it
is established or in which it has habitual residence or temporary residence, authorised to
perform processes, services or activities which are subject to outsourcing (hereinafter:
outsourcing functions).
Entrusting of services that do not fall under the definition of outsourcing
Article 3
(1) A credit institution shall establish whether the entrusting by a credit institution of the performance
of services to a service provider falls under the definition of outsourcing.
(2) Within the meaning of paragraph (1) of this Article, the following shall not be considered as
outsourcing:
- services that are legally required to be performed by a service provider (e.g., statutory audit);
- market information services and services of interbank communication and trading services (e.g.
services provided by Bloomberg, Moody’s, Standard & Poor’s, Fitch, Reuters);
- global electronic payment networks (e.g., Visa, MasterCard);
- clearing and settlement arrangements between clearing houses and settlement institutions and
their members;
- global financial messaging infrastructures that are subject to oversight by relevant authorities
(e.g. SWIFT);
- correspondent banking services;
- non-financial services that would otherwise not be undertaken by the credit institution (e.g.
advertising services, providing legal opinion and representation in front of the court and
administrative bodies, advice from an architect, cleaning, gardening and maintenance of the
credit institution’s premises, servicing of company cars, catering, vending machine services,
transportation services, services of sending, receiving, transmitting and/or storing electronic
documents or electronic invoices, acquisition of goods (e.g. plastic cards, card readers, office
supplies and furniture) and utility services (e.g. electricity, water, gas, telecommunication
services)).
Critical and important functions
Article 4
(1) Critical and important functions, within the meaning of this Decision, mean activities for which it
is established that:
- a defect or failure in their performance would materially impair the ability of the credit
institution to meet obligations laid down in the Law on Credit Institutions (OGM 72,19),
(hereinafter: the Law) and other regulations and/or the continuity of its regular operations;
- have significant impact on efficient risk management, including risks associated with
outsourcing.
(2) Critical and important functions shall be also functions performed by the control functions referred
to in Article 120 paragraph (1) of the Law.
(3) A service provider may engage another person to perform outsourced critical and important functions
supported by the prior authorisation of the credit institution.
Maintaining control over outsourced functions
Article 5
(1) For the purpose of preventing adverse impact of outsourcing on operations, a credit institution shall,
in the outsourcing process, including the outsourcing within the same group of credit institutions,
maintain the adequate level of control over outsourced functions or possibility to adopt and
implement outsourcing-related decisions.
(2) A credit institution shall ensure that its responsibility to third parties, as well as that of responsible
persons in credit institutions, may not be transferred by outsourcing to the service provider.
Activities that cannot be outsourced
Article 6
The following activities cannot be outsourced:
- taking of cash deposits and granting loans for its own account and other activities specified
in the decision on issuing authorisations to the credit institution;
- activities for which the Central Bank granted authorisation in accordance with Article 70
paragraph (2) of the Law;
- activities performed by the members of the management board;
- implementation of measures and activities taken to prevent and detect money laundering
and terrorist financing which outsourcing is prohibited by other regulation.
Outsourcing of activities that enable the performance of critical and important functions
Article 7
A credit institution may outsource activities that enable the credit institution to perform
activities referred to in Article 5 of the Law or that support the performance of such activities, provided
that there are no impediments referred to in Article 116 paragraph (3) of the Law.
Assessments before adopting a decision on outsourcing
Article 8
(1) Before reaching a decision on outsourcing, the decision on the change of service provider and before
granting authorisation to engage a person referred to in Article 4 paragraph (3) of this Decision, a
credit institution shall:
- make a detailed analysis of the prospective service provider which refers to its ability to provide
services, its financial situation and business reputation;
- establish, in case where the prospective service provider has a head office or performs
outsourcing functions outside Montenegro, whether the regulations of a country or countries in
which the service provider performs its activities enable the Central Bank of Montenegro
(hereinafter: the Central Bank) undisturbed supervision of service provider in accordance with
the Law;
- assess potential difficulties and time needed to select another service provider or to perform
independently activities in case of termination of outsourcing, and to assess the feasibility of
those activities (easy, moderate, difficult or impossible);
- assess the impact of outsourcing on:
- business continuity and the reputation of the credit institution,
- costs, financial result, liquidity, capital and solvency of the credit institution,
- the quality of services provided by the credit institution to its clients,
- risk profile of the credit institution,
- reporting.
(2) In addition to the requirements referred to in paragraph (1) of this Article, a credit institution shall
determine, when selecting service provider for critical and important functions, whether the
prospective service provider has an appropriate business continuity plan and assess whether the
service provider may meet the requirements to perform critical and important functions as defined
in the business continuity plan of the credit institution.
Risk management
Article 9
(1) A credit institution shall ensure that the performance of outsourcing enables the credit institution to
continuously monitor the outsourced functions and manage risks associated with outsourcing.
(2) A credit institution’s internal control system shall cover outsourced functions.
(3) For all outsourced functions, including functions that are not subject to outsourcing, within the
meaning of this Decision, but are associated with outsourcing, a credit institution shall identify,
assess, monitor and control risks associated with outsourcing to which it is or might be exposed.
Identifying and assessing risks associated with outsourcing
Article 10
(1) A credit institution shall, when identifying and assessing risks associated with outsourcing, take into
account expected benefits and costs of the proposed outsourcing, including comparative analysis of
risks that may be reduced in outsourcing or may be managed better compared to risks that may arise
due to the planned outsourcing.
(2) For the purpose of identifying and assessing risks referred to in paragraph (1) of this Article, a credit
institution shall at least take into consideration the following:
- concentration risk, including risk arising from:
- transferring of outsourced function to a dominant service provider that is not easily
substitutable;
- multiple outsourcing arrangements with the same service provider or closely connected
service providers;
- the aggregated risks resulting from outsourcing several functions of the credit institution
and, in the case of groups of credit institutions, the aggregated risks on a consolidated basis;
- the measures implemented by the credit institution and by the service provider to mitigate
risks associated with outsourcing.
Data and system protection
Article 11
(1) For the purpose of ensuring data protection in accordance with the law and separate regulations, and
when carrying out risk assessment prior to outsourcing and during continuous oversight of the
performance of the service provider in the process of the performance of outsourced functions, a
credit institution shall:
- identify and classify all relevant functions and associated confidential data and systems, as
well as measures prescribed to protect those data;
- carry out a detailed analysis of functions to be outsourced or that have already been outsourced
and data and systems associated with outsourcing and take into account potential risks, in
particular operational risk, including legal risk, ICT-related risk, compliance and
reputational risks, and potential control limits for performing outsourced activities laid down
in the regulations of country or countries from which the outsourced function is performed
or in which data is kept;
- define the required level of protection of data confidentiality, integrity and availability, the
continuity of outsourced functions and possibility of creating trails of using data and
systems;
- analyse, where applicable, the ability of the service provider to apply measures of protection
during their processing, transfer and standstill, such as cryptographic techniques in
combination with using adequate architecture for managing cryptographic keys.
(2) A credit institution shall ensure that the service provider, where relevant, observes appropriate IT
security standards.
Regular risk assessment and oversight of outsourced functions
Article 12
(1) A credit institution shall regularly carry out risk assessment in accordance with the provisions of
this Decision and ensure periodic reporting to the supervisory and management boards on
identified risks associated with outsourced functions.
(2) A credit institution shall ensure that the outsourced functions, at least critical and important
functions, are performed on an ongoing basis in line with the defined performance quality standards.
(3) For the purpose of ensuring performance and quality of outsourced functions in accordance with
paragraph (2) of this Article, a credit institution shall:
- ensure the submission of the appropriate reports by the service providers;
- assess the activity of the service provider based on key performance indicators, overseeing
results, reports of the service providers on the achieved level of service provided and
independent reviews;
- analyse and assess other relevant information submitted by the service provider, including
reports on measures implemented to ensure the business continuity of the service provider
and their testing results.
Outsourcing management policy
Article 13
A credit institution shall identify in its outsourcing management policy the following:
- the process of the adoption of decision on outsourcing;
- planning of outsourcing:
- definition of business requests in respect of outsourcing;
- identification of critical and important functions;
- identification and assessment of risks resulting from outsourcing and management of
those risks;
- detailed analysis of potential service providers;
- identification, assessment, mitigation or prevention of actual and potential conflicts
of interest and their management;
- business continuity related to the outsourced activities; and
- approval of new outsourcing;
- the method of implementation, monitoring and managing outsourcing that refers at least to
the following:
- ongoing oversight or assessment of service providers’ performance;
- activities in the case of changes of arranged outsourcing or service providers;
- independent audit or review of compliance with legal and regulatory requirements;
and
- terms and conditions for renewing outsourcing arrangements;
- documentation and the manner of keeping registry of outsourced functions; and
- exit strategy referred to in Article 18 of this Decision.
Individual outsourced functions
Article 14
(1) For the activities which are subject to outsourcing, a credit institution shall define in its internal acts
the following:
- powers and responsibilities of organisational units or persons responsible for monitoring
and managing outsourcing which have adequate professional knowledge and experience to
perform such activities;
- performance and quality standards to carry out outsourced functions;
- the method for monitoring performance and quality of carrying out outsourced functions;
- the method of notifying the management board of the credit institution of all important
events related to the outsourcing;
- activities carried out by the credit institution in case of early termination of agreement and/or
inability to meet contractual obligations.
(2) Internal acts referred to in paragraph (1) of this Article shall be taken into consideration when
granting authorisations and decisions referred to in Article 4 paragraph (3) and Article 8 of this
Decision.
Internal audit of outsourcing
Article 15
(1) A credit institution shall, in line with the risk assessment, cover by the internal audit the outsourcing
management process, including outsourced functions.
(2) Internal audit referred to in paragraph (1) of this Article shall at least include the review of:
- adequacy of compliance with policies and internal acts related to the outsourcing;
- adequacy, quality and efficiency of the assessment of the criticality and the importance of
outsourced functions;
- adequacy, quality and efficiency of assessment of risks associated with outsourcing and their
ongoing compliance with the risk management strategy;
- whether there is adequate engagement of supervisory and management boards; and
- whether there is adequate oversight of outsourced functions and adequate management of
outsourcing.
Outsourcing agreement
Article 16
(1) An outsourcing arrangement shall be carried out on the basis of a written agreement entered into between
the credit institution and the service provider entrusted to perform outsourced functions.
(2) The agreement referred to in paragraph (1) of this Article must be adequate to the risks associated
with outsourcing and to the scope and complexity of outsourced functions.
(3) The agreement referred to in paragraph (1) of this Article should contain at least the following:
1) a detailed description of the outsourced function which is the subject of the agreement;
2) place, time and the method of meeting the contractual obligations;
3) time period of the agreement;
3a) the contractual parties’ financial obligations;
4) qualitative and, if applicable, quantitative indicators based on which the requirements of the
credit institution are defined for the service levels and the quality of performance for the
outsourced function;
5) the manner in which a credit institution continuously monitors the performance of the
functions which are the subject of the agreement and the fulfilment of the agreed level of
quality of the performance of outsourced functions;
6) reports and information to be received by the credit institution from the service provider and
the frequency of their delivery;
7) the obligation of keeping confidential data in accordance with the law and separate
regulations;
8) the obligation of the service provider to request the authorisation from the credit institution
in the case of engaging another person for critical and important functions;
9) the obligation of the service provider to notify the credit institution in a timely manner of all
facts and changes in the circumstances that have, or might have, a significant influence on
meeting the contractual obligations;
10) provisions on whether the service provider should take a professional indemnity insurance
policy and, if applicable, the level of insurance cover requested;
11) the obligation of the service provider to provide the services in such a way that it fully
complies with the existing regulations of Montenegro;
12) the obligation of the service provider and person referred to in Article 4 paragraph (3) of
this Decision to ensure supervision of the Central Bank for the part referring to the
performance of outsourced functions, including on-site examination at the location of the
service provision or with service provider, and to ensure timely and unlimited submission
of outsourcing-related documentation and data;
13) provisions for termination of agreement, including the right of credit institution to terminate
or cancel outsourcing agreement with the service provider, if so ordered by the Central
Bank;
14) provisions that ensure that the data that are owned by the credit institution can be accessed
in the case of bankruptcy, resolution or discontinuation of business operations of the service
provider;
15) the rights and obligations of contracting parties in case of early termination of agreement
for the purpose of ensuring business continuity;
16) the jurisdiction for settlement of disputes;
17) the method of dispute settlement.
Notification of the Central Bank
Article 17
(1) A credit institution shall notify the Central Bank of outsourcing of critical and important functions
or on the change of the service provider which was entrusted with the performance of these activities,
without delay, but no later than 60 days before entering into an outsourcing arrangement with the
credit provider.
(2) The notification to be submitted to the Central Bank in accordance with Article 116 paragraph (4)
item 1) of the Law shall contain a detailed description of functions to be outsourced and the reasons
for outsourcing or change of service provider.
(3) The notification referred to in paragraph (1) of this Article shall be supported by the following:
- a decision of the competent authority of the credit institution on intended outsourcing or
change of the service provider;
- the results of the assessment of critical and important functions to be outsourced in
accordance with Article 4 of this Decision;
- the assessments and analyses referred to in Article 8 of this Decision;
- internal acts referred to in Articles 13 and 14 of this Decision;
- documentation on technical equipment and organisational structure of service provider that
enable safe and qualitative performance of functions to be outsourced, including the method
of protection of confidential data;
- evidence on prior experience of the service provider for performing functions which are
subject to outsourcing;
- a list of persons connected with service provider and the description of their connectedness;
- a statement of the credit institution that outsourcing will not lead to conflict of interest;
- a draft of the outsourcing agreement referred to in Article 16 of this Decision;
- other information and circumstances which the credit institution finds important with regard
to the intended outsourcing.
Exit strategies
Article 18
(1) For the purpose of ensuring a continuous performance of the functions which are subject to
outsourcing, without adverse impact on the compliance with regulatory requirements and on the
quality of provision of services to clients, a credit institution shall establish for all outsourced critical
and important functions an exit strategy at least in the case of:
1) the termination of outsourcing arrangements;
2) the failure of the service provider;
3) the deterioration of the quality of the outsourced function and actual or potential business
disruptions caused by the inappropriate or failed provision of services associated with the
outsourced function;
4) material risks arising for the appropriate and continuous application of the outsourced
function.
(2) When developing an exit strategy, a credit institution shall:
- define the objectives of the exit strategy;
- perform a business impact analysis that is commensurate with the risk of the outsourced
processes, services or activities, with the aim of identifying what human and financial
resources would be required to implement the exit strategy and determine the time limit for
the implementation of the strategy;
- assign roles, responsibilities and sufficient resources to manage the exit strategy and the
transition of outsourced activities to a new service provider or a credit institution;
- define success criteria for the transition of outsourced functions and data to a new service
provider or a credit institution;
- define the indicators to be used for the monitoring of the outsourcing arrangement, in
accordance with Article 12 of this Decision, including indicators based on unacceptable
service levels that should trigger the exit strategy.
Registry of outsourced functions
Article 19
(1) The registry of outsourced functions shall be kept by the credit institution in accordance with the
Law, which shall contain the following information:
- the name of the service provider;
- the subject of outsourcing and description of outsourced functions;
2a) the type of the outsourcing arrangement that reflects the nature of the outsourced function
(e.g., IT outsourcing, control function, etc.);
- whether or not the critical and important functions are subject to outsourcing, including,
where applicable, a brief summary of the reasons why the outsourced function is considered
critical or important;
- the country where the service is to be performed;
- location where outsourced data are placed, including information on whether or not (yes/no)
the data contain also information on person to be protected in line with the law;
- the number, the name, the date of entering into an outsourcing agreement and the end date
of the contractual relationship;
- the date of the most recent assessment of risks associated with outsourcing;
- list of persons referred to in Article 4 paragraph (3) of this Decision in case of their
engagement;
- the result of the assessment referred to in Article 12 paragraph (3) item 3) of this Decision;
- the name of organisational unit or persons responsible for monitoring and managing
outsourcing.
- in the case of outsourcing to a cloud service provider, the cloud service type and deployment
model (e.g., public/private/hybrid/community);
- the date of the most recent assessment of the criticality and importance of the outsourced
function.
(2) In addition to the information referred to in paragraph (1) of this decision, the registry of outsourcing
of critical and important functions shall contain the following:
1) whether or not the service provider or sub-contractor referred to in Article 4 paragraph (3)
of this Decision is a part of the group to which a credit institution belongs or is owned by
that credit institution or group to which a credit institution belongs;
2) results of the assessment referred to in paragraph (1) item 7) of this Article;
3) data on person or body in the credit institution that approved the outsourcing arrangement;
4) data on jurisdiction for settlement of disputes referred to outsourcing agreements;
5) the date of the most recent and next scheduled audit, where applicable;
6) where applicable, the names of persons referred to in Article 4 paragraph (3) of this Decision
to which material parts of critical and important functions are sub-outsourced, the country
or countries where the sub-contractors have their head offices or domicile or where the
service will be performed and the location where the data will be stored;
7) identification of alternative service providers for outsourced critical and important function;
7a) an outcome of the assessment referred to in Article 8 paragraph (1) item 3) of this Decision,
as well as the assessment of the impact of credit institution’s discontinuing of the critical
or important function;
8) whether the outsourced critical and important function supports business operations that are
time-critical;
9) the estimated annual budget costs for performing outsourced critical and important function.
Notification of the outsourced functions
Article 20
(1) A credit institution shall notify the Central Bank, no later than six months following the day of the
application of this Decision, of the outsourcing of critical and important functions completed before
the beginning of implementation of this Decision.
(2) The notification referred to in paragraph (1) of this Article should contain data from the registry
referred to in Article 19 of this Decision.
Updating of existing outsourcing agreements
Article 21
A credit institution shall review agreements that have been entered into with the service
providers to perform critical and important functions before entering into force of this Decision, and if
needed, align them with the provisions of this Decision no later than 12 months following the day of its
effectiveness.
Entry into force
Article 22
This Decision shall enter into force on the eighth day following that of its publication in the
“Official Gazette of Montenegro”.