Banks Act Circular 14/2004: Outsourcing of Functions Within Banks

2004-09-20 BANKS ACT CIRCULAR 14/2004 TO ALL CHIEF EXECUTIVE OFFICERS OF BANKS, BRANCHES OF FOREIGN BANKS AND MUTUAL BANKS OUTSOURCING OF FUNCTIONS WITHIN BANKS This Office has received several approaches from banks pertaining to outsourcing arrangements. The proposed outsourcing arrangements covered a variety of traditional in￾house functions performed by banks, such as treasury management, internal audit and compliance, amongst others. This Office also noted that, in several instances, banks were in the process of outsourcing, or had already outsourced, certain important functions that had direct implications for either the risk profile of banks, or this Office’s supervisory process. The purpose of this circular is to provide the banking industry with guidelines on important issues pertaining to the outsourcing of functions and activities that banks have to consider prior to entering into outsourcing agreements.

1. Concern of this Office This Office recognises that, in general, the outsourcing of certain functions and/or activities could be beneficial to banks and their customers. It is, however, of concern to this Office that important banking functions are sometimes performed independently of a bank, resulting in the bank having less control over those activities and, thereby, increasing the risks to the bank. Furthermore, outsourcing arrangements could also impair this Office’s ability to exercise its powers under the Banks Act, 1990 (Act No. 94 of 1990 – “the Banks Act”), especially when the relevant service-level agreements do not specifically cater therefor.
2. Scope of outsourcing arrangements Outsourcing arrangements have a broad application in the banking industry. It is important to note that this circular aims to address only those outsourcing arrangements that could:

2

• Have a bearing on the risk profile of a bank.
• Affect the systems and controls of a bank.
• Be classified by the management of a bank as being of strategic importance.
• Have implications for the discharge of duties in respect of the supervisory processes followed by this Office. Outsourcing arrangements falling outside the above criteria are not included in the scope of this circular. Furthermore, when functions or activities are outsourced, they are outsourced mainly to external suppliers. In many cases, however, functions and activities are also outsourced within a particular group of institutions forming part of a banking group. It is unlikely that outsourced functions or activities within a particular group of institutions would pose the same risks to banks as outsourcing arrangements with external suppliers. None the less, the management of a bank has to ensure that the same amount of care and diligence is taken with all outsourcing arrangements. In its assessment of a proposed outsourcing arrangement, the management of a bank should analyse the impact of such an arrangement and take into account the factors that determine the scope of the arrangement, as mentioned above. Management also has to ensure that this Office and other parties, such as the banks’ external auditors, will have access to required information to enable them to exercise their duties under the Banks Act and other relevant legislation. Furthermore, management should immediately inform this Office of any material problem encountered with outsourcing arrangements after the implementation of such arrangements.

3. Ongoing monitoring of relationships with suppliers This Office requires the management of a bank to ensure that all outsourced functions are performed adequately and in accordance with proper internal policies and standards and that the integrity of the bank’s systems and controls are maintained at all times. It is therefore important for the management of a bank to investigate the soundness and competence of a supplier with which the bank intends to enter into an outsourcing arrangement, in order to ensure that the supplier will be in a position to guarantee the required level of performance required by the bank. The management of a bank should also be in a position to demonstrate, to this Office, during on-site visits undertaken by this Office, the steps taken with regard to the verification of a supplier’s performance levels. Management should further ensure that proper structures are created at the appropriate organisational levels to ensure the ongoing management and monitoring of the terms of the outsourcing arrangements. In this regard, it is essential to ensure that the integrity of the systems and controls of the suppliers are maintained and that management constantly remains aware of any problem encountered with a supplier. Furthermore, the management of a bank should ensure that the particular supplier is committed to providing, and is able to provide, the required service at agreed levels, for the duration of the arrangement.

3 4. Service-level agreements (“SLAs”) The importance of comprehensive SLAs cannot be overemphasised. SLAs should be exposed to legal scrutiny before implementation, and the management of the bank should ensure that written agreements exist for all outsourced functions and activities. Furthermore, management should consider including, in SLAs, provisions for periodic reviews and appropriate remedies (including early-exit options) should problems arise, as well as for amendments to an SLA on the basis of the supplier’s performance against agreed, specified targets for the supplier. Banks’ management should also consider including specifications pertaining to subcontracting by suppliers. In certain cases, banks’ management may wish to ensure that, depending on the importance of the outsourced function or activity, suppliers are not permitted to make use of subcontractors. 5. Contingency planning Outsourcing of any function always carries a risk that the supplier may fail, or that the contract may be terminated prematurely. Banks’ management should, accordingly, put in place contingency plans to ensure business continuity in the event of the occurrence of such an event(s). Contingency plans pertaining to outsourced activities should also be reviewed regularly. Issues that require particular consideration by management are the availability of alternative suppliers and hand-over procedures to new suppliers. Management should pay special attention to procedures that need to be in place to ensure minimum disruption to business when an alternative supplier is sought. Since the hand-over process may be time consuming, detailed planning is required to ensure a smooth hand-over process to a new supplier. A bank might also need to reinstate an outsourced function or activity in-house should a supplier fail. Such reinstatement is likely to require a high level of detailed planning and consideration of issues such as resources, system capacity, etc. 6. Supervisory access to information It is of critical importance that a bank’s management ensures that SLAs are structured in such a way as to ensure that the bank is able at all times to provide this Office with the necessary information on the outsourced functions or activities, regardless of whether or not the functions or activities have been outsourced within the group of institutions or to external suppliers. Consideration should also be given to jurisdictional issues. When an outsourced function or activity has been outsourced to a supplier that is located outside the borders of the Republic of South Africa, management should ensure that the information required by this Office to conduct effective supervision is available at all times.

4 Should management become aware of any possible restriction on the provision of information relating to the outsourced function, this Office has to be informed thereof. Other jurisdictional issues may include permission to undertake on-site inspections by host regulators, access to information by host authorities, such as taxation and law￾enforcement agencies, legal claims on assets and secrecy provisions. 7. Provision of information to other parties The management of a bank should also ensure that the bank has processes in place to identify and deal with any weakness in a supplier’s service that may have an adverse impact on the service provided to the bank. This may include access to the supplier by the bank’s internal and external auditors, as well as access by external agencies conducting independent reviews for assessment by management. Therefore, management should ensure that there is capacity to address problems that arise from such investigations and that appropriate actions are taken when required. 8. Outsourcing of internal audit and compliance This Office does not support the outsourcing of the compliance function which should be housed within the bank. This Office is concerned about the outsourcing of the internal audit function. Generally, this Office would not support the outsourcing of the internal audit function to any service provider, including the external auditors. A bank should have an internal audit function that is independent from the external audit function, in order to guard against the segregation of responsibilities being compromised. In certain circumstances, however, this Office may consider condoning the outsourcing of the internal audit function (for example, when the head office of a branch of a foreign bank undertakes the internal audit function). This Office will consider submissions for condonation of outsourcing arrangements of the internal audit function of banks on a case-by-case basis. 9. Conclusion The above-mentioned issues do not constitute a complete list of issues to be considered when the management of a bank decides to outsource a function or activity. Management should, however, be satisfied that when functions or activities are outsourced, all decisions and information flows pertaining to such outsourced functions or activities are covered by an overarching internal policy, which addresses proper structures, controls and systems and other necessary factors to ensure that the standard of the outsourced functions or activities are of a similar standard as functions or activities that are performed internally. The board of directors of a bank should also endorse outsourcing arrangements to which the management of the bank has agreed. Should management be of the view that an outsourcing arrangement falls within the scope of this circular, management is required to advise this Office of its proposed future outsourcing arrangements, prior to finalisation of such arrangements, and to

5 provide this Office with copies of the minutes of the board risk sub-committee meeting at which the proposed agreements were considered. (The aforesaid board risk sub￾committee appointed in terms of section 64A of the Banks Act) In terms of current outsourcing arrangements, this Office requires each bank, by 31 March 2005, to provide: (i) a list of all outsourcing agreements which fall within the ambit of this Circular; (ii) confirmation that current outsourcing arrangements have been reviewed by the bank’s board risk sub-committee and endorsed by the board of directors of the bank; and (iii) certified copies of the minutes of the board risk sub-committee meetings at which such outsourcing arrangements were reviewed. 10. Acknowledgement of receipt Two additional copies of this circular are enclosed for the use of your institution's independent auditors. The attached acknowledgement of receipt, duly completed and signed by both the chief executive officer of the institution and the said auditors, should be returned to this Office at the earliest convenience of the aforementioned signatories. E M Kruger Registrar of Banks The previous circular issued was Banks Act Circular 13/2004 dated 9 July 2004.