2024-10-11
Added · Updated
Credit Info Bureau Namibia submitted industry comments on the FIMA General Standard 10.10-2024, which mandates financial institutions and intermediaries to govern outsourced functions through designated board oversight, risk reporting, and data security protocols. The submission seeks clarification on whether credit bureaus fall under the standard’s regulatory scope, specifically addressing reporting frequencies, cross-border hosting access, and compliance timelines for pre-existing partnerships. It further outlines operational impacts regarding notification burdens, existing partnership transitions, and breach consequences to ensure streamlined regulatory alignment.
1 CREDIT BUREAUS INDUSTRY COMMENTS ON FIMA GENERAL STANDARD 10.10- 2024 (OUTSOURCING OF FUNCTIONS AND RESPONSIBILITIES BY FINANCIAL INSTITUTIONS AND FINANCIAL INTERMEDIARIES) Company Name: STD/REG No. & Section/Clause: Comment/Description of issue: Proposed Amendment/Solution: Accepted (Comments) Rejected (Comments) Credit Info Bureau Namibia (Pty) Ltd 3 A financial institution or financial intermediary may not outsource its principal business. As a credit bureau, several services / solutions are outsourced and not developed in-house. Please clarify. We appreciate the time taken to provide comments. We wish to clarify that the Outsourcing Standard applies to financial institutions and financial intermediaries regulated by NAMFISA. Since credit bureaus are not within NAMFISA’s regulatory ambit, , the Outsourcing Standard is not applicable to credit bureaus. 4 (2) The board and senior management of a financial institution or financial intermediary must designate employees responsible for continuously identifying, reporting and mitigating risks strategies of outsourced activities. Does this need to be reported to NAMFISA or for internal reference only? If needed to be reported to NAMFISA, steps to be provided. 4 (3) The designated employees referred to in sub-clause (2), must timeously inform the board and senior management of the financial institution or financial intermediary about those risks. Please clarify frequency of reports and what format / template its required including contacts to be shared with. 11 (2) Where confidential information and data related to the financial Further clarity to be provided to what extend the measures need to
2 institution or financial intermediary and their clients are processed by a service provider, the regulatory environment for data security and data protection must be assessed and, if necessary, additional precautionary measures such as enhanced encryption must be considered. be addressed. Several service providers work with Credit Bureaus, were they informed of the requirements? 13 (1) A financial institution or financial intermediary must ensure that NAMFISA, their auditors (if applicable) and the financial institution or financial intermediary themselves can promptly obtain, upon request, information concerning the outsourced material business function and where necessary, there must be prompt access to the data, information technology systems, premises and personnel of the service provider. What if the data is hosted outside of the country as per approval from the Central Bank for hosting. No onsite access is possible unless traveling to the mentioned hosting country. 13 (2) The financial institution or financial intermediary remains accountable to NAMFISA for their regulatory compliance, and accordingly must ensure that they have processes and procedures in place maintaining records to facilitate NAMFISA to carry out its inspection, investigation and monitoring powers over the activities that it regulates. Awaiting clarity why Bureaus are being moved from BoN to NAMFISA as the services we provide does not fall under any of the categories that NAMFISA regulates.
shoring arrangement with a service provider: What happens with all partnerships already in place prior to the implementation of the FIMA Act??? Seeking approval from NAMFISA will be burdensome and delay the outsourcing 18 (1) -(4) Notification requirement What happens with all partnerships already in place prior to the implementation of the FIMA Act??? These requirements were never previously a requirement under BoN. Notifying NAMFISA will be burdensome meaning extra resources 19 All existing outsourcing arrangements must comply with the requirements of this Standards. Will this be enacted even if the outsourced entities are not linked or regulated under NAMFISA? Schedule 2 PRINCIPAL BUSINESS THAT MAY NOT BE OUTSOURCED Credit Bureaus are not listed, does that mean that the requirements are not applicable to Credit Bureaus? General note What are the consequences for breach of the Act? How can we make a risk assessment of this Act?