Central Bank of Solomon Islands Prudential Guideline No. 11 on Outsourcing Requirements

# CENTRAL BANK OF SOLOMON ISLANDS
## Financial Market Supervision Department

### Prudential Guideline No. 11
### On Outsourcing Requirements

## Applicability

1. The Prudential Guideline is applicable to financial institutions licensed or deemed licensed by the Central Bank of Solomon Islands (CBSI).

## Purpose of Prudential Guideline

2. The Prudential Guideline aims to provide Financial Institutions (FIs) with minimum framework for managing Outsourcing arrangements. The guideline requires that all Outsourcing arrangements involving Material Business Activities entered into by FIs must be subject to appropriate pre-contractual arms-length due diligence assessments, Board or Proxy Board approval, and regular monitoring and services delivery quality and satisfaction review during the contractual period.

3. It is the responsibility of the Board or Proxy Board of FI to ensure that the FI has adequate Outsourcing policies and procedures to mitigate all inherent risks relating to all Outsourcing arrangements.

4. The key requirements of this Prudential Guideline are that a financial institution (FI) must:
    a. have adequate Outsourcing policies and procedures in place prior to outsourcing its Material Business Activities. Such policies and procedures must, in the case of a locally incorporated financial institution or a subsidiary of a foreign incorporated financial institution, be approved by its Board of Directors and, in the case of a branch of a foreign incorporated financial institution, by its Proxy Board of Directors, relating to outsourcing of material business activities;
    b. have sufficient monitoring processes in place to manage the Outsourcing of Material Business Activities;
    c. have a legally binding agreement in place for all outsourcing of Material Business Activities;
    d. consult with and obtain a no objection from CBSI prior to entering into agreements to Outsource Material Business Activities to all external service providers; and,
    e. notify CBSI after entering into agreements to outsource Material Business Activities.

## Definitions

5. As used in this Prudential Guideline the following terms, unless otherwise clearly indicated by the context, have the meanings specified below.

"A Material Business Activity" means an activity that, if disrupted, has the potential, to significantly impact the operation, reputation, and or the profitability of the FI.

"Business Continuity Plan" - means a financial institution’s risk management strategy for threats that may terminate or significantly disrupt core business activities. It involves mitigating activities and contingency planning for response and recovery actions.

"Country Head" - means a Chief Executive Officer, a Country Manager, a General Manager, or any similar designation accorded to an officer who heads the branch of a foreign financial institution in Solomon Islands.

"Offshoring" - means the outsourcing by an FI of a Material Business Activity to a service provider where the outsourced activity is to be conducted outside Solomon Islands. Offshoring includes arrangements where the service provider is incorporated in Solomon Islands, but the physical location of the outsourced activity is outside Solomon Islands.

"Outsourcing" - means the involvement of an FI entering into an arms-length arrangement with a service provider, either onshore or offshore to perform, on a continuing basis, a business activity that currently is, or could be, undertaken by the FI itself.

"Proxy Board" - means the Country Head of a branch of a foreign incorporated financial institution.

"Senior Management" - means the Country Head and senior departmental managers of the FI.

"Service Provider" - means a third party or an entity that is undertaking the outsourced activities on behalf of the FI.

## The role of Board and Proxy Board of Directors

6. It is the responsibility of the Board of Directors, the Proxy Board of Directors, and the Senior Management of FIs to ensure that adequate risk mitigation practices are in place for the effective oversight and management of outsourcing arrangements.

7. The Board and Proxy Board of Directors of FIs must appoint a Committee to:
    a. review risk management practices and policies for outsourcing;
    b. regularly review quality of outsourcing services received and compliance with the outsourcing policy;
    c. regularly review reports on outsourcing arrangements;
    d. ensure that audit function covers any outsourcing arrangements and that auditors report on compliance with the outsourcing policy.
    e. ensure that the Board or Proxy Board approved policy on Outsourcing is being followed at all times. This includes the tender and due diligence processes, evaluating the Outsourcing options and making recommendation to Senior Management and the Board or Proxy Board; and
    f. make recommendations endorsing or refusing the outsourcing of Material Business Activities based on a detailed Business Case outlining the potential costs, benefits and risks associated with Outsourcing arrangement that they receive.

8. Senior Management of the FI must:
    a. develop a risk management framework for outsourcing arrangements that reflects the Board and Proxy Board of Directors’ approved policy;
    b. establish and implement an oversight process that ensures that outsourcing arrangements, and outsourcing of Material Business Activities in particular are reported to the Board or Proxy Board of Directors prior to implementation;
    c. ensure that, for each outsourcing arrangement, there is a formal evaluation of service provider, that a contract with appropriate service level agreements (SLAs) is in place, and that confidentiality provisions and security needs are adequately addressed;
    d. ensure that appropriate reporting channels and regimes are in place, including to the Board and Proxy Board of Directors and the CBSI, to enable effective management and control of outsourcing arrangements and to identify potential problems at an early stage;
    e. ensure that the audit function regularly reviews performance under the outsourcing arrangements; and
    f. ensure that the FI and the Service Provider comply with all relevant and applicable taxation laws of Solomon Islands, particularly withholding tax requirements.

9. For branch offices operating in Solomon Islands, responsibility for Outsourcing Material Business Activity lies with the Proxy Board and appropriate delegated Committee for Outsourcing activities.

## Outsourcing Policy

10. The Board or Proxy Board of Directors approved outsourcing policy must address all risks associated with outsourcing, including managing and monitoring the outsourcing arrangement, selecting a qualified Service Provider, structuring the outsourcing agreement (including contracts and service level agreements (SLAs), and establishing appropriate Business Continuity Plans, including exit strategies.

## Due Diligence

11. The due diligence process must be undertaken prior to any final decision being made as to whether to outsource a Material Business Activity. This should address all material factors that would impact on the potential Service Provider’s ability to perform the business activity. The due diligence process should, as a minimum, assess the financial ability, technical ability and capacity of the Service Provider to deliver the required services. The evaluation process would include an assessment of the Service Provider’s control framework, covering performance standards, policies, procedures, compliance, reporting and monitoring processes.

12. The due diligence assessment should, at the minimum, consider the following:
    a. Reputation of Service Provider;
    b. An assessment on the ability and reliability of the Service Provider in providing the outsourced activity;
    c. Track record of Service Provider;
    d. An assessment of whether the Service Provider is directly or indirectly related to the FI;
    e. An assessment on whether the Service Provider has arrangements with competitors;
    f. An assessment on perceived or potential conflict of interest between the Service Provider, Board of Directors, Proxy Board of Directors, and Senior Management of FIs; and
    g. Any other issues deemed appropriate.

## Business Continuity Planning

13. Where a Material Business Activity is outsourced, the FI must ensure that its Business Continuity Plan outlines the procedures to be followed in the event that the Service Provider is unable to fulfil its obligations under the outsourcing agreement.

## Outsourcing to External Service Providers

14. Where a Material Business Activity is outsourced to external service providers, the FI must:
    a. ensure that the selected third party service provider is sufficiently skilled and equipped to undertake the functions outsourced to them;
    b. ensure that offshoring arrangements are documented in a legally binding agreement;
    c. ensure that the offshored arrangements are appropriately monitored and the FIs business continuity plan addresses any loss incurred by that arrangement;
    d. notify CBSI that a Material Business Arrangement has been offshored;
    e. provide an annual report of all arrangements offshored in the last financial year; and
    f. consult and obtain a no objection from CBSI within 30 calendar days prior to outsourcing a Material Business Activity to all external service providers and ensure applications for non-objection are managed within arm’s length.

## The Outsourcing Agreement

15. Each Outsourcing arrangement must be contained in a documented legally binding agreement. The agreement must be signed by all parties to it before the Outsourcing arrangement commences.

16. At a minimum, the agreement must address the following matters:
    a. the scope of the arrangement and services to be supplied;
    b. commencement and end dates;
    c. review provisions;
    d. pricing and fee structure;

e. service levels and performance requirements;
f. the form in which the data is to be kept and clear provisions identifying ownership and control of the data;
g. reporting requirements, including content and frequency of reporting;
h. audit and monitoring procedures;
i. business continuity management;
j. confidentiality, privacy, and security of information;
k. default arrangements and termination provisions;
l. dispute resolution arrangements;
m. liability and indemnity;
n. sub-contracting;
o. insurance; and
p. to the extent applicable, Offshoring arrangements (including through subcontracting).

17. An FI that outsources a Material Business Activity must ensure that its Outsourcing agreement includes an indemnity to the effect that any subcontracting by a Service Provider of the outsourced function will be the responsibility of the Service Provider, including liability for any failure on the part of the sub-contractor.

18. Where:
    a. An FI invokes its Business Continuity Plan as the result of an unexpected event; or
    b. there is a sudden financial or operational failure of an existing service provider, and, as a result, enters into a new outsourcing agreement, the FI must notify the Central Bank of Solomon Islands (CBSI) as soon as practicable of any such outsourcing arrangement.

## Management and Control of the Outsourcing Relationship

19. Any FI that undertakes a material outsourcing arrangement must put in place procedures to monitor and control outsourcing risk in accordance with the Board and Proxy Board approved policy. The actual reporting framework, to both the Board, Proxy Board, and senior management, should reflect the size and nature of the arrangements. Importantly, accountability for managing the outsourcing arrangement should be specifically assigned to an individual or team/committee. This ensures that there is likely to be continued focus on the outsourcing arrangement.

20. The Board, Proxy Board, responsible Committee, and Senior Management must receive regular reports on outsourcing activities. Any material problems with Outsourcing should be brought to the attention of these parties.

21. This monitoring process could involve the use of internal (or, where considered relevant, external) audit to ensure compliance with outsourcing policies and procedures. The audit function can be used to:
    a. ensure compliance with risk management policies and procedures;
    b. ensure appropriate internal controls are in place; and
    c. ensure that reporting is adequate, accurate and timely.

22. The FI should ensure that records held by the Service Provider are adequate for audit trail purposes and that those records held by the Service Provider are readily available at all times to the FI and, where necessary to the CBSI.

## External Audit

23. Where considered appropriate, the CBSI may, after consultation with the FI, request FI’s external auditor or other suitable external experts to provide an assessment of the risk management processes in place with respect to the outsourcing arrangement. This could cover areas such as IT systems, data security, internal control frameworks and business continuity plans, among others. Such reports will be paid for by the FI and would be made available to the CBSI.

## Reporting

24. The Board, Proxy Board, responsible Committee or Senior Management should report to the CBSI any material problems with outsourcing arrangement including requirements of paragraph 18.

## Enforcement and Corrective Measures

25. A financial institution, which fails to comply with the requirements contained in this Prudential Guideline or to submit certain reports to the CBSI, which are materially inaccurate, will be considered in breach of this guideline and therefore, may be subject to a monetary penalty.

26. The CBSI may pursue any or all corrective measures as provided for under section 16 of the Financial Institutions Act 1998 (as amended) to enforce the provisions of this Prudential Guideline including:
    a. Issuance of an order to cease and desist from the unsound and unsafe practices and
    b. Action to replace or strengthen the management of the financial institution.

## Effective Date

27. The effective date of this Prudential Guideline is December 1, 2017.

Issued this 31st day of October 2017.

Governor Denton Rarawa  
Central Bank of Solomon Islands