2024-07-02

Decision on the Management of Risks Arising from Outsourced Activities

The Executive Board of the National Bank of Serbia issued this Decision to establish detailed terms for banks managing risks associated with outsourcing activities to third-party service providers. It mandates that banks integrate outsourced activities into their risk management systems, conduct rigorous pre-outsourcing analyses, and maintain comprehensive contractual obligations regarding supervision, business continuity, and data protection. Furthermore, the regulation requires prior notification to the NBS for significant outsourcing decisions, regular annual reporting, and the maintenance of centralized records of all outsourced activities.


Serbia

National Bank of Serbia


RS Official Gazette, Nos 77/2023 and 52/2024

Pursuant to Article 28, paragraph 7 and Article 36 of the Law on Banks (RS Official Gazette, Nos 107/2005, 91/2010 and 14/2015) and Article 15, paragraph 1 of the Law on the National Bank of Serbia (RS Official Gazette, Nos 72/2003, 55/2004, 85/2005 – other law, 44/2010, 76/2012, 106/2012, 14/2015, 40/2015 – CC decision and 44/2018), the Executive Board of the National Bank of Serbia adopts the following

DECISION ON THE MANAGEMENT OF RISKS ARISING FROM OUTSOURCED ACTIVITIES

  1. This Decision lays down more detailed terms and conditions of managing banks’ risks arising from activities outsourced to third parties (hereinafter: outsourced activities).
  2. A bank shall timely include in its risk management system all risks arising from the activities in respect of its operation which it has outsourced to a third party that performs those or similar activities as its core business, and/or has appropriate experience in performing those activities (hereinafter: service provider).

The activities referred to in paragraph 1 hereof shall be understood to mean:

  1) activities that enable the bank to perform activities referred to in Article 4 of the Law on Banks;
  2) provision of payment services in accordance with the law governing payment services;
  3) activities relating to cash management in accordance with the decision governing cash management through the bank’s agent.

The activities referred to in paragraph 1 hereof shall not imply the procurement of goods and standardised services, such as services relating to the use of telecommunications, advertising services, cleaning services, market intelligence services and similar.

Outsourcing shall be performed based on a contract concluded between the bank and the service provider.

  3. The bank that intends to outsource certain activities shall regulate the following by its internal acts:

  1) decision-making process regarding the outsourcing of these activities and criteria for making the decision on outsourcing, in a way which ensures that the outsourcing does not jeopardise the regular business operation of the bank, its efficient risk management and internal controls system;
  2) manner of including these activities in the risk management process and in the system of internal reporting on risks;
  3) manner in which the bank ensures business continuity in respect of outsourced activities and measures it undertakes in the event of termination of contractual relationship with the persons whose services it uses, and in the event of temporary suspension or cessation of the provision of these services;
  4) manner of supervision over outsourced activities, including supervision of the compliance of these activities with regulations, good business practices and the bank’s business ethics;
  5) criteria to determine whether those are the activities referred to in Section 5, paragraph 2 hereof;
  6) criteria to assess the success of earlier cooperation with the service provider for the purpose of performing the analysis referred to in Section 6, paragraph 1, subparagraph 7) hereof.
  4. The bank shall ensure that each contract concluded with the service provider shall contain in particular the following:

  1) clearly defined authorisations, duties and responsibilities of the service provider during the performance of the outsourced activity;
  2) obligation of the service provider to act, when performing the outsourced activity, fully in line with regulations, rules of professional conduct, good business practices and business ethics, without jeopardising the bank’s reputation;
  3) manner in which the bank shall continuously monitor the performance of the outsourced activity subject to the contract, including reports that the service provider shall submit to the bank and the dynamics of their submission;
  4) obligation of the service provider to inform the bank without delay about all facts and circumstances which significantly impact or may significantly impact the performance of the outsourced activity subject to the contract;
  5) obligation of the service provider to keep as a business secret all data and documentation that the bank submitted to it in relation to outsourcing; if the submitted data and documentation contain personal data, the obligation of the service provider to protect those data and handle them in accordance with regulations governing personal data protection;
  6) provision about whether the service provider is obliged to obtain a policy of professional liability insurance and/or other type of insurance in relation to the performance of the outsourced activity;
  7) provision about whether the service provider can outsource the activity outsourced to it by the bank to another person, in accordance with the provisions of Section 12 hereof;
  8) activities the bank shall undertake if it ascertains that the service provider acts contrary to the obligations under the contract concluded with it;
  9) provision obliging the service provider to carry out the obligation referred to in Section 11 hereof;
  10) provision enabling the bank to unilaterally terminate the contract if ordered by the NBS;
  11) provision enabling the bank to unilaterally terminate the contract if the service provider fails to act in conformity with the obligation referred to in item 2) of this paragraph.

In the event of outsourcing the activity of the collection of receivables to the service provider, the bank shall ensure that the contract concluded with the service provider shall also contain the following:

  1) defined number of days of arrears in the settlement of debtor’s obligations upon whose expiry the bank shall outsource the collection of receivables to the service provider;
  2) provision obliging the service provider to act in accordance with the bank’s internal acts and in the manner stipulated by those acts while carrying out the procedure of the collection of receivables; it shall be ensured that the bank acts upon and makes the decision on each debtor’s request concerning debt reduction or a change in repayment modality (e.g. partial debt cancellation or instalment payments), and that the debtor addressing directly the bank shall be informed about the decision only by the bank, while the communication about other issues, preparation of contract proposals and other similar activities may also be performed by the service provider;
  3) provision obliging the service provider to supply the debtor with the information that it acts in the bank’s name and for its account, and to indicate that the bank is the debtor’s creditor;
  4) provision about the amount of the fee for the provision of services which shall amount to no more than 30% of the total collected receivable, including all awards, costs etc. of the service provider;
  5) in the case where the collection of receivables is outsourced to an attorney – provision specifying the manner of payment of the fee for the provision of services, which may be in accordance with the tariff of fees and expenses payable for the work of attorneys (fee in line with the tariff numbers and the reimbursement of expenses) or a percentage of the total collected receivable in accordance with item 4) of this paragraph;
  6) provision ensuring that each collection from the debtor be paid exclusively to the bank’s account;
  7) provision whereby the service provider undertakes to enable the debtor at all times to initiate negotiations with the bank in relation to the collection of the bank’s receivables;
  8) where the service provider, upon the order, or with the consent of the bank communicates directly with the bank’s debtor – provision specifying the time when such communication can take place and the frequency and manner of such communication.

By way of exception to paragraph 2, item 6) of this Section, where the fee for the provision of services is agreed in accordance with the tariff of fees and expenses payable for the work of attorneys, the bank may agree that the debtor pay the awarded attorney’s costs to the attorney’s account.

  5. The bank intending to outsource to the service provider the activities whose performance is significant for ensuring the continuity of its critical functions shall ensure the continuity of those functions in the case of application of resolution instruments and/or measures in one of the following ways:

  1) by obligating that person to perform outsourced activities in all situations in which the continuity of critical functions of the bank in resolution and/or bridge bank needs to be ensured;
  2) by a contract with an alternative service provider that could ensure the continuity of critical functions of the bank in resolution and/or bridge bank;
  3) by a detailed business continuity plan for critical functions using internally available resources of the bank in resolution and/or bridge bank.

If it intends to outsource the activities whose performance is significant for ensuring the continuity of its business processes and/or smooth provision of services to clients, the bank shall undertake the measures to ensure the continuity of these processes, and/or provision of services (e.g. by concluding the contract under a suspensive condition with the alternative service provider), while applying the provisions of this Decision which relate to outsourcing to the service provider.

  6. Before making a decision on each instance of outsourcing, and/or change of the service provider, and any significant change to the outsourcing contract, the bank shall:

  1) determine whether those are the activities referred to in Section 5, paragraph 2 hereof, in accordance with the bank’s internal acts;
  2) conduct a detailed analysis of the potential service provider, which relates to its capacity to provide services, its financial standing and business reputation;
  3) determine whether regulations of the country/countries in which a potential service provider operates provide for the smooth exercise of on-site supervision by the NBS of the service provider’s operations in the segment of or relating to the performance of the activities outsourced;
  4) assess possible difficulties and the time needed to resume outsourced activities in the event of sudden termination of outsourcing and/or in the event of termination of the contract with the service provider, and the time needed for the selection of another service provider and the start of performance of the outsourced activities;
  5) obtain a reasoned opinion of the organisational unit whose remit includes bank’s risk management about the impact of such outsourcing on the bank’s risk profile;
  6) obtain a reasoned opinion of the organisational unit whose remit includes compliance about whether such outsourcing is aligned with the regulations and acts referred to in Section 3 hereof and Section 73, paragraph 3 of the Decision on Risk Management by Banks;
  7) conduct an analysis of the success of earlier cooperation with the service provider (if applicable).

In making the decision referred to in paragraph 1 hereof, the bank shall assess in particular the impact of outsourcing on:

  1) the bank’s business continuity and reputation;
  2) the bank’s costs, financial result, liquidity and solvency;
  3) the bank’s risk profile;
  4) the quality of services the bank provides to its clients.
  7. The bank may outsource a certain activity, change the service provider, and/or significantly change the outsourcing contract (e.g. the price, extension of contract validity etc.) only if it notifies the NBS thereof 30 days before the conclusion of the outsourcing contract and/or the annex to the contract, and encloses the following documentation with the notification:

  1) decision of the bank’s governing body on outsourcing, a change of the service provider, and/or a significant change to the outsourcing contract;
  2) main data about the service provider (business name and seat, and/or name and place of residence, and, if the provision of payment services is outsourced – data on addresses where these services will be provided);
  3) description of the activities outsourced by the bank, eligibility criteria for the service provider, and the period of time during which the activities will be outsourced;
  4) reasoned opinion about whether those are the activities referred to in Section 5, paragraph 2 hereof and, if the bank determined it is the case – a separate overview of the manner in which the bank plans to ensure the continuity of the provision of services, in accordance with the provisions of that Section;
  5) draft contract referred to in Section 2, paragraph 4 hereof, and/or the draft annex to that contract;
  6) results of the analysis referred to in Section 6, paragraph 1, subparagraph 2) hereof;
  7) results of the assessment referred to in Section 6, paragraph 1, subparagraph 4) hereof;
  8) opinions referred to in Section 6, paragraph 1, subparagraphs 5) and 6) hereof;
  9) results of the analysis referred to in Section 6, paragraph 1, subparagraph 7) hereof (if applicable);
  10) results of the assessment referred to in Section 6, paragraph 2 hereof.

If the service provider is headquartered outside the Republic of Serbia or if agreed that the outsourced activities will be performed outside the Republic of Serbia, the bank shall, in addition to the documentation specified in paragraph 1 hereof, submit to the National Bank of Serbia (NBS) evidence that regulations of the country/countries in which the service provider operates provide for the smooth exercise of on-site supervision by the NBS of the service provider’s operations in the segment of or relating to the performance of the activities outsourced.

If based on the documentation and evidence referred to in paragraphs 1 and 2 hereof it is not possible to determine all facts important for acting upon the notification referred to in paragraph 1 hereof, the NBS may request from the bank to also submit to it other documentation deemed necessary.

The deadline referred to in paragraph 1 hereof shall be calculated from the date of submission of complete documentation specified therein.

If following the notification referred to in paragraph 1 hereof the NBS requires supplementary documentation, it may set a deadline not longer than six months, before whose expiry the bank may not submit the supplementary documentation.

If the contract referred to in paragraph 1 hereof is changed, without changing the outsourced activity or the service provider, and without having the contract change considerably affecting the results of the analysis, assessments and opinions under that paragraph – the bank shall within no later than 15 days before concluding an annex to the contract inform the NBS thereof and submit to it the draft annex.

The deadline referred to in paragraph 6 hereof shall be calculated from the date of submission of complete documentation specified therein.

  8. The bank shall submit to the NBS the contract referred to in Section 2, paragraph 4 of this Decision, including the annexes to this contract – within 15 days from the day of conclusion of that contract and/or annex.

In the event of termination of the contract referred to in paragraph 1 hereof, the bank shall inform the NBS thereof without delay and specify the reason for the termination.

  9. In the event of outsourcing payment services, the bank shall display on its business premises and publish on its website the information on the service provider and the address where such services are provided, and shall ensure that such provider informs payment service users that it is acting in the bank’s name and for its account.

  10. During the contractual relationship with the service provider, the bank shall conduct regular analyses and assessments referred to in Section 6, paragraph 1 hereof and obtain reasoned opinions referred to in that paragraph and shall submit them to the NBS at least once a year.

If based on the submitted documentation referred to in paragraph 1 hereof it ascertains any deficiencies, the NBS shall order the bank to undertake activities to eliminate them within a relevant deadline and inform the NBS thereof.

  11. The bank shall ensure that the service provider enables the bank, the external auditor and the NBS to exercise on-site supervision at the location of service provision, and/or timely and unlimited access to the documentation and data relating to the outsourced activities.

  12. The service provider may sub-outsource the outsourced activities to a sub-contractor, except for the collection of receivables, only subject to prior consent of the bank, which shall be granted on a case-by-case basis in accordance with the provisions of Sections 3, 6, 7, 10 and 11 hereof.

The service provider – attorney shall not be considered to be outsourcing the collection of receivables to another person if it only outsources the taking of some individual actions within the procedure of collection of receivables before a court and other competent authorities, such as presentation at a hearing before a court which is outside the place of the service provider’s head office.

The bank may grant the consent referred to in paragraph 1 hereof only if it has notified the NBS of the intended sub-outsourcing at least 30 days before the granting of the consent and if it has enclosed the following documentation with the notification:

  1) decision of the bank’s governing body on granting of the consent referred to in paragraph 1 hereof;
  2) main data about the sub-contractor referred to in paragraph 1 hereof (business name and seat, and/or name and place of residence);
  3) description of the activities sub-outsourced by the service provider, eligibility criteria for the sub-contractor referred to in paragraph 1 hereof and the period of time during which the activities will be sub-outsourced;
  4) draft contract between the service provider and the sub-contractor referred to in paragraph 1 hereof on the sub-outsourcing referred to in that paragraph;
  5) results of the analysis referred to in Section 6, paragraph 1, subparagraph 2) hereof;
  6) results of the assessment referred to in Section 6, paragraph 1, subparagraph 4) hereof;
  7) opinions referred to in Section 6, paragraph 1, subparagraphs 5) and 6) hereof;
  8) results of the analysis referred to in Section 6, paragraph 1, subparagraph 7) hereof (if applicable);
  9) results of the assessment referred to in Section 6, paragraph 2 hereof.

If the sub-contractor referred to in paragraph 1 hereof is headquartered outside the Republic of Serbia or if agreed that the sub-outsourced activities will be performed outside the Republic of Serbia, the bank shall, in addition to the documentation specified in paragraph 3 hereof, submit to the NBS evidence that regulations of the country/countries in which the sub-contractor operates provide for the smooth exercise of on-site supervision by the NBS of the sub-contractor’s operations in the segment of or relating to the performance of the activities sub-outsourced.

The deadline referred to in paragraph 3 hereof shall be calculated from the date of submission of complete documentation specified therein.

If following the notification referred to in paragraph 3 hereof the NBS requires supplementary documentation, it may set a deadline not longer than six months, before whose expiry the bank may not submit the supplementary documentation.

The bank shall submit to the NBS a contract concluded between the service provider and the sub-contractor referred to in paragraph 1 hereof – within 15 days from the day of concluding the contract.

In the event of contract termination referred to in paragraph 7 hereof, the bank shall inform the NBS thereof without delay.

  13. The bank shall establish and keep single records of activities outsourced to the service provider including the activities that the service provider outsourced to a sub-contractor in accordance with Section 12 hereof.

The bank shall submit the excerpts from the records containing an overview of all activities referred to in paragraph 1 hereof to the NBS on a quarterly basis, as follows:

  1) as at 31 March of the current year – by no later than 20 April of the current year;
  2) as at 30 June of the current year – by no later than 20 July of the current year;
  3) as at 30 September of the current year – by no later than 20 October of the current year;
  4) as at 31 December of the current year – by no later than 20 January of the following year.

The excerpts from the records referred to in paragraph 2 hereof shall be defined in Annexes 1 and 2, which are printed along with this Decision and make its integral part.

The bank shall submit the excerpts from the records referred to in paragraph 2 hereof in accordance with the NBS’s guidelines which govern the electronic submission of data from the records and which are published on the NBS website.
  14. The bank’s internal audit shall assess the process of bank’s outsourcing to service providers, in accordance with the bank’s internal acts and the assessment of risks arising from that process, and shall submit the assessment to the NBS.

  15. The bank shall be liable for activities relating to its business operation that have been outsourced to the service provider.

If it establishes in the process of supervision that the bank, service provider or sub-contractor referred to in Section 12 hereof does not act in compliance with this Decision and other regulations, the NBS may order the bank to terminate the outsourcing contract concluded with the service provider within a defined deadline.

  16. The bank shall harmonise its internal acts with the provisions of this Decision by no later than 31 December 2023.

The bank shall review the compliance of all contracts on the outsourcing of activities to a service provider concluded in accordance with the Decision on Risk Management by Banks (RS Official Gazette, Nos 45/2011, 94/2011, 119/2012, 123/2012, 23/2013 – other decision, 43/2013, 92/2013, 33/2015, 61/2015, 61/2016, 103/2016, 119/2017, 76/2018, 57/2019, 88/2019, 27/2020, 67/2020 – other decision and 89/2022) with the provisions of this Decision and shall inform the NBS thereof by no later than 31 January 2024.

  17. The bank shall submit to the NBS the first excerpts from the records referred to in Section 13, paragraph 2 hereof as at 31 December 2023 by no later than 20 January 2024.

  18. This Decision enters into force on the eighth day following its publication in the Official Gazette of the Republic of Serbia.

NBS EB No 71
7 September 2023
Belgrade

Chairperson
Executive Board of the National Bank of Serbia
Governor
National Bank of Serbia

Dr Jorgovanka Tabaković