2024-04-19

Added · Updated

Draft Proposed Outsourcing Standards under the Financial Institutions and Markets Act, 2021

The Namibia Financial Institutions Supervisory Authority (NAMFISA) has issued draft proposed standards requiring all financial institutions and intermediaries to comply with a comprehensive outsourcing framework under the Financial Institutions and Markets Act, 2021. The standards prohibit the outsourcing of principal business functions, mandate board and senior management oversight with a triennially reviewed policy, and establish seven core principles governing due diligence, contractual obligations, IT security, confidentiality, concentration risks, data access, and termination. Institutions must notify NAMFISA in writing within thirty business days of entering into or amending outsourcing agreements, while existing arrangements must be brought into compliance with the new regulatory requirements.

Namibia Financial Institutions Supervisory Authority logo

Namibia

Namibia Financial Institutions Supervisory Authority

Click to view thumbnail

N$8.00 WINDHOEK - 16 April 2024 No. 8347 GOVERNMENT GAZETTE OF THE REPUBLIC OF NAMIBIA CONTENTS Page GENERAL NOTICE No. 162 Namibia Financial Institutions Supervisory Authority: Draft Proposed Standards under the Financial Institutions and Markets Act, 2021 ........................................................................................................... 1


General Notice NAMIBIA FINANCIAL INSTITUTIONS SUPERVISORY AUTHORITY No. 162 2024 DRAFT PROPOSED STANDARDS UNDER THE FINANCIAL INSTITUTIONS AND MARKETS ACT, 2021 The draft standard - Standard No. GEN.S.10.10, as set out in Schedule I, that was previously published, are re-published due to significant changes in content by the Namibia Financial Institutions Supervisory Authority (NAMFISA) under section 409(3) of the Financial Institutions and Markets Act, 2021. All financial institutions, financial intermediaries, industry associations or self-regulatory organisations are invited to make representations in writing to NAMFISA with respect to the draft proposed standards, within 30 calendar days after the date of publication. Such representations will be taken into account in determining whether to issue the standards as originally published or in a modified form. Written representations must be supplied in the template provided under Schedule 3, and must be submitted to NAMFISA at the Upper Ground floor, Gutenberg Plaza, 51-55 Werner List Street, Windhoek or email: acloete@namfisa.com.na and projectnewdawn@namfisa.com.na.

2 Government Gazette 16 April 2024 8347 S. MATOMOLA CHIEF EXECUTIVE OFFICER NAMIBIA FINANCIAL INSTITUTIONS SUPERVISORY AUTHORITY Windhoek, 27 March 2024 SCHEDULE 1 FINANCIAL INSTITUTIONS AND MARKETS ACT, 2021 GENERAL OUTSOURCING OF FUNCTIONS AND RESPONSIBILITIES BY FINANCIAL INSTITUTIONS AND FINANCIAL INTERMEDIARIES Standard No. GEN.S.10.10 issued by NAMFISA under section 410(2)(x) of the Financial Institutions and Markets Act, 2021


Definitions

  1. (1) In this Standard, unless the context indicates otherwise – (a) “Act” means the Financial Institutions and Markets Act, 2021 (Act No. 2 of 2021), and it must be read with the regulations prescribed under the Act and the standards and other subordinate measures issued by NAMFISA under the Act; (b) “in-sourcing arrangement” means the outsourcing of a material business function by a financial institution or financial intermediary to a related service provider such as a subsidiary, affiliate or associate; (c) “material business function or activity” means a business function or activity of a financial institution or financial intermediary that has the potential, if disrupted, to significantly and negatively impact – (i) the finances, reputation or operations of the financial institution or financial intermediary; or (ii) the financial institution’s or financial intermediary’s ability to manage key risks effectively; (d) “off-shoring arrangement” means the outsourcing of a material business function by a financial institution or financial intermediary to – (i) a service provider located outside Namibia; or (ii) a service provider located in Namibia but who conducts the material business function outside Namibia. (e) “outsourcing” means an arrangement whereby a financial institution or financial intermediary uses a service provider to provide a material business function on its behalf, and it includes in-sourcing, off-shoring and sub-outsourcing arrangements; (f) “outsourcing agreement” means the written contract documenting an in-sourcing, off-shoring, outsourcing or sub-outsourcing arrangement; (g) “outsourcing arrangement” means the outsourcing of a material business function by a financial institution or financial intermediary to a service provider;

8347 Government Gazette 16 April 2024 3 (h) “principal business” means the functions or activities defined in Schedule 2 below; (i) “service provider” means a person who provides a material business function to a financial institution or financial intermediary; and (j) “sub-outsourcing arrangement” means an arrangement whereby a service provider in an outsourcing arrangement further outsources the whole or part of an outsourced material business function to another service provider. (2) Words and phrases defined in the Act have the same meaning in this Standard, unless the context indicates otherwise, including but not limited to the following as defined in section 1 of the Act: (a) affiliate; (b) associate; (c) auditor; (d) board; (e) client; (f) financial institution; (g) financial intermediary; (h) NAMFISA; and (i) subsidiary. Applicability 2. This Standard applies to all financial institutions and financial intermediaries. Principal business 3. A financial institution or financial intermediary may not outsource its principal business.

The role of the board and senior management 4. (1) The board and senior management of a financial institution or financial intermediary is ultimately responsible for ensuring compliance with this Standard. (2) The board and senior management of a financial institution or financial intermediary must designate employees responsible for continuously identifying, reporting and mitigating risks strategies of outsourced activities. (3) The designated employees referred to in sub-clause (2), must timeously inform the board and senior management of the financial institution or financial intermediary about those risks. (4) The board and senior management of a financial institution or financial intermediary must, when outsourcing any material business function – (a) ensure the development, adoption and implementation of an outsourcing policy that must be reviewed at least triennially;

4 Government Gazette 16 April 2024 8347 (b) ensure that all relevant business units are fully aware of and comply with the approved outsourcing policy; (c) identify the risks introduced by the outsourcing arrangement prior to entering into an outsourcing agreement; (d) ensure that the risks and the controls of the outsourcing arrangement are continually managed as part of the overall risk management procedures to ensure that the financial institution or financial intermediary continues to meet their financial and other obligations to their clients and other stakeholders. Outsourcing policy 5. The financial institution’s or financial intermediary’s outsourcing policy must ̶ (a) comply with this Standard; (b) establish the criteria to identify those functions which are principal business and those that are material business functions; (c) establish the criteria and procedures for appointing, renewing and terminating the services of the service provider; and (d) give effect to the outsourcing principles specified under clauses 8 to 14 and the risks associated with the outsourcing. Material business functions 6. (1) A financial institution or financial intermediary may outsource their material business functions, but any outsourcing must be done in compliance with this Standard. (2) In determining whether a business function is a material business function, the financial institution or financial intermediary must consider the following factors: (a) financial, reputational and operational impact if the material business function is disrupted, deteriorates or fails; (b) impact on the financial institution, financial intermediary or their clients if the services provided by a service provider is disrupted, deteriorates or fails; (c) sensitivity of the outsourced business function, such that failure to recover within a specific timeframe may pose contagion risk to the broader market; (d) adverse impact of outsourcing on the security and integrity of the data for the financial institution, financial intermediary or their clients; (e) degree of difficulty and time required to find an alternative service provider, or to bring the business function in-house; (f) cost of the outsourcing arrangement; (g) affiliation, association or other relationship between the financial institution or financial intermediary and the service provider; (h) regulatory compliance status of the financial institution or financial intermediary and, if applicable, of the service provider;

8347 Government Gazette 16 April 2024 5 (i) ability of the financial institution or financial intermediary to meet NAMFISA’s supervisory powers and maintain internal controls should the service provider fail to perform their activities or functions; (j) whether the outsourcing arrangement impedes NAMFISA’s supervisory powers; (k) impact on the financial institution’s or financial intermediary’s strategic objectives should the service provider fail to perform their activities or functions in terms of the outsourcing agreement; and (l) the nature or value of potential losses to the financial institution’s or financial intermediary’s customers should a service provider fail to perform the outsourcing arrangement. Outsourcing principles 7. The seven principles on the outsourcing of a material business function must be applied according to the degree of materiality and that of the risks introduced by the outsourcing to the financial institution or financial intermediary. Principle 1: Due diligence on selection and performance monitoring 8. A financial institution or financial intermediary must – (a) be satisfied that the service provider has the ability and capacity to perform in terms of the outsourcing agreement by conducting suitable due diligence when selecting a service provider; (b) perform ongoing monitoring of the performance of the service provider; (c) perform ongoing due diligence, considering ongoing reporting from the service provider; and (d) assess and manage the risks arising from over-reliance on a single service provider. Principle 2: The contract with a service provider 9. (1) A financial institution or financial intermediary and the service provider must enter into a signed outsourcing agreement in respect of each outsourcing arrangement, covering, at a minimum, the requirements contained in this Standard and the Schedule attached to this Standard. (2) The outsourcing agreement must outline the scope, nature and quality of the service to be provided, the monitoring thereof and the reporting requirements of the service provider. Principle 3: Information technology security, business resilience, continuity, and disaster recovery 10. The outsourcing agreement must contain obligations relating to the suitability of the service provider’s information technology security, software, cyber-resilience, disaster recovery capabilities and business continuity plans in relation to the performance of the obligations contained in the outsourcing agreement. Principle 4: Confidentiality issues 11. (1) A financial institution or financial intermediary must ensure that the service provider protects confidential information and data related to the financial institution or financial intermediary

6 Government Gazette 16 April 2024 8347 and their clients from intentional or inadvertent unauthorised disclosure to third parties, in compliance with applicable data protection laws. (2) Where confidential information and data related to the financial institution or financial intermediary and their clients are processed by a service provider, the regulatory environment for data security and data protection must be assessed and, if necessary, additional precautionary measures such as enhanced encryption must be considered. Principle 5: Concentration of outsourcing arrangements 12. (1) A financial institution or financial intermediary must be aware of the risks posed, and effectively manage those risks, where they are dependent on a single service provider for outsourcing, or where they are aware that the service provider provides outsourcing services to multiple persons. (2) A financial institution or financial intermediary must identify and monitor sub-out￾sourcing arrangements, intra-group arrangements and group dependency in their risk assessments. Principle 6: Access to data, premises and personnel 13. (1) A financial institution or financial intermediary must ensure that NAMFISA, their auditors (if applicable) and the financial institution or financial intermediary themselves can promptly obtain, upon request, information concerning the outsourced material business function and where necessary, there must be prompt access to the data, information technology systems, premises and personnel of the service provider. (2) The financial institution or financial intermediary remains accountable to NAMFISA for their regulatory compliance, and accordingly must ensure that they have processes and procedures in place maintaining records to facilitate NAMFISA to carry out its inspection, investigation and monitoring powers over the activities that it regulates. (3) A financial institution or financial intermediary must keep records of all outsourced functions. Principle 7: Termination of outsourcing 14. (1) A financial institution or financial intermediary must ensure that there is an orderly transition in the event of an outsourcing agreement being terminated. (2) There must be clarity on who owns the relevant data, and whether the service provider has any retention rights over the data. (3) A financial institution or financial intermediary must manage the termination of the outsourcing arrangement, which may include arrangements in respect of: (a) termination rights in case of insolvency, liquidation, change in ownership, failure to comply with regulatory requirements, poor performance, breach of confidentiality and other circumstances; (b) minimum periods before a termination can take effect, allowing for an orderly transition either to another service provider or to the financial institution or financial intermediary themselves, and to provide for the return of all client-related data, the data of the financial institution or financial intermediary and any other resources; and (c) clear delineation of ownership of information and specifications relating to the transfer of information back to the financial institution or financial intermediary, including confirmation of deletion of records, and confirmation of transfer of information.

8347 Government Gazette 16 April 2024 7 Assessment of outsourcing options 15. (1) A financial institution or financial intermediary must demonstrate to NAMFISA, as required, that in assessing the options for outsourcing, they have ̶ (a) complied with this Standard and considered all seven outsourcing principles specified under this Standard; and (b) ensured that – (i) risks associated with the outsourcing are appropriately assessed, monitored, managed and regularly reviewed; and (ii) an internal audit function, or in situations where internal audit capabilities do not exist, an alternative arrangement is in place to review any proposed outsourcing, and to regularly review and report to the board, audit committee or senior management on the financial institution’s or financial intermediary’s compliance to their outsourcing policy. (2) In the event that NAMFISA considers the audit arrangements referred to under sub-clause (1)(b)(ii) to be inadequate, NAMFISA may require the financial institution or financial intermediary to adopt an alternative audit arrangement. In-sourcing arrangements 16. A financial institution or financial intermediary must be able to demonstrate, through supporting documentation which includes a due diligence report, the selection criteria, the outsourcing agreement and a service level agreement with the service provider, submitted to NAMFISA as and when required, that in assessing the options for an in-sourcing arrangement, they have taken into account: (a) the changes to the risk profile of the business that arise from the in-sourcing arrangement, and the manner in which this changed risk profile is to be addressed in the risk management framework of the financial institution or financial intermediary; (b) the cost of the services being provided and that the financial institution or financial intermediary has taken steps to ensure that the cost is commensurate to the fair value of like services that could be provided by an arm’s-length service provider; (c) the ability of the service provider to conduct the material business function; (d) the monitoring procedures necessary to ensure that the service provider is performing effectively, and the manner in which any potential inadequate performance will be addressed; and (e) that the in-sourcing arrangement complies with this Standard. Off-shoring arrangements 17. (1) A financial institution or financial intermediary must be able to demonstrate, through supporting documentation which includes due a diligence report, the selection criteria, the outsourcing agreement and a service level agreement with the service provider, submitted to NAMFISA as and when required, that in assessing the options for an off-sourcing arrangement, they have taken into account:

8 Government Gazette 16 April 2024 8347 (a) the changes to the risk profile of the business that arise from the off-shoring ar rangement, and the manner in which this changed risk profile is to be addressed in the risk man agement framework of the financial institution or financial intermediary; (b) the cost of the services being provided and that the financial institution or financial intermediary has taken steps to ensure that the cost is commensurate to the fair value of like services that could be provided by an arm’s-length service provider; (c) the ability of the service provider to conduct the material business function; (d) the monitoring procedures necessary to ensure that the service provider is performing effectively, and the manner in which any potential inadequate performance will be addressed; and (e) that the off-shoring arrangement complies with this Standard. (2) A financial institution or financial intermediary must, prior to entering into an off-shoring arrangement with a service provider: (a) Seek written approval from NAMFISA and provide detailed justification why the function or activity cannot be feasibly conducted in Namibia. (b) Assess and ensure that the risks of the off-shoring arrangement are adequately addressed in the financial institution’s or financial intermediary’s risk management framework. (3) If the off-shoring arrangement involves risks that the financial institution or financial intermediary is not managing, or will not be able to manage appropriately, NAMFISA may require the financial institution or financial intermediary to make alternative arrangements for the performance of the material business function if the financial institution or financial intermediary cannot satisfy such concerns within the period specified by NAMFISA. Notification requirement 18. (1) A financial institution or financial intermediary must notify NAMFISA, in writing not later than 30 business days after entering into an outsourcing agreement, of such agreement. (2) A financial institution or financial intermediary must notify NAMFISA, in writing not later than 30 business days after an extension, renewal or amendment of an outsourcing agreement, of such extension, renewal or amendment. (3) Any notification made to NAMFISA in terms of sub-clauses (1) or (2) must also be accompanied by a summary of the key risks involved with the outsourcing, and the mitigation strategies put in place to address those risks. (4) If NAMFISA considers it necessary, it may request additional information and material in order to assess the impact of the outsourcing on the risk profile of the financial institution or financial intermediary and their regulatory obligations. (5) A financial institution or financial intermediary must notify NAMFISA, in writing not later than 30 business days after becoming aware of any material developments, as assessed and determined by the financial institution or financial intermediary, which may give rise to the termination of the outsourcing agreement other than termination due to the agreement reaching its termination date naturally.

8347 Government Gazette 16 April 2024 9 Existing outsourcing arrangements 19. All existing outsourcing arrangements must comply with the requirements of this Standards. SUPPORTING SCHEDULES The following supporting schedule is attached to and forms part of this Standard: SCHEDULE 1 - MINIMUM CONTRACTUAL OBLIGATIONS TO BE PROVIDED FOR IN OUTSOURCING AGREEMENTS. SCHEDULE 2 - PRINCIPAL BUSINESS FUNCTIONS OR ACTIVITIES THAT MAY NOT BE OUTSOURCED. SCHEDULE 1 (to Standard GEN.S.10.10) MINIMUM CONTRACTUAL OBLIGATIONS TO BE PROVIDED FOR IN OUTSOURCING AGREEMENTS. In addition to any requirements specified in the Standard, the contract for the outsourcing of a material business function must, at a minimum, outline the scope, nature and quality of the service to be provided, the monitoring thereof and the reporting requirements of the service provider, and specify the following: (a) duration of the outsourcing; (b) type and frequency of the material business function to be performed; (c) level and standard of service that must be rendered by the service provider, and in particular, in relation to emergency procedures, disaster recovery and contingency plans; (d) appropriate governance, risk management and internal controls to perform the out sourced function; (e) disclosures relating to conflict of interest and the management of conflict of interest; (f) remuneration or consideration payable, or the basis on which the remuneration or consideration payable will be calculated; (g) remedies for non-performance of obligations; (h) performance metrics against which the service provider will be assessed and against which the service provider must report; (i) type and frequency of reporting by the service provider; (j) monitoring of the periodic performance of the service provider and compliance with the outsourcing agreement, and the manner in and means by which that monitoring will take place; (k) confidentiality, privacy and the security of information and data of the financial institution, financial intermediary and their clients, and disclosure to third parties;

10 Government Gazette 16 April 2024 8347 (l) sub-outsourcing arrangement; (m) business contingency processes, including the continuity of functions or activities if the service provider is placed under curatorship, business rescue, becomes insolvent, is liquidated or is for any reason unable to continue to render the outsourced business function in accordance with the outsourcing agreement; (n) the circumstances under which the financial institution or financial intermediary may terminate the outsourcing agreement and a reasonable termination period irrespective of the circumstances under which the agreement is terminated (including the lapsing or non-renewal of the agreement) that will allow the financial institution or financial intermediary to implement its contingency plans; (o) indemnity and liability provisions; (p) provisions regarding the cross-border flow of information and services; (q) undertakings related to the security of automated systems to be used by the service provider, appropriate even when outsourced to cloud service providers, including the technical and non-technical organisation-wide measures protecting both the financial institution or financial intermediary and their client’s related data, as well as market sensitive data; (r) rights of each party to change or require changes to security procedures, and requirements and the circumstances under which such changes might occur; (s) terms and conditions relevant to the use of sub-contractors with respect to information technology security; (t) obligations to disclose any breaches of the provisions contained in the outsourcing agreement, including but not limited to information technology breaches which relate to the financial intermediary or financial institution or their clients. The requirements for the reporting of the breach must include – (i) an explanation of the kind of breach experienced; (ii) a statement of when the breach was discovered, how it was discovered and how long it had existed before being discovered and reported; (iii) the time to correct the issue; (iv) a clear statement of the data content that has been exposed, and whether any part of the data relates to clients of the financial institution or financial intermediary; (v) an explanation of how the security breach was resolved, and the controls that were implemented to achieve this; and (vi) an explanation of the measures that will be undertaken by the service provide to prevent recurrence of the security breach of the data loss; (u) warranties or guarantees to be furnished and insurance to be secured by the service provider in respect of their ability to fulfil their contractual obligations; (v) a process for dispute resolution; (w) for off-shoring arrangements, the choice of law and jurisdiction of the relevant court provided there is conflict with Namibian law; and

8347 Government Gazette 16 April 2024 11 (x) signature. SCHEDULE 2 (to Standard GEN.S.10.10) PRINCIPAL BUSINESS THAT MAY NOT BE OUTSOURCED Chapter Financial Institution Principal business function or activity 2. Insurer i) Assessing, determining and deciding on claims ii) Assessing and deciding to accept or decline risk Reinsurer i) Assessing, determining, and deciding on claims ii) Assessing and deciding to accept or decline risk 3. Central Securities Depository i) Safekeeping (custody) of securities ii) Supervision of participants iii) Settlement of securities Exchange i) Operating and maintaining the infrastructure for the buying, selling and matching of securities. ii) Supervision of stockbrokers Securities Clearing House i) Clearing of securities trades 4. Collective Investment Scheme i) Establishing collective investment scheme ii) Establishing portfolios iii) Fund administration (includes pricing and reporting) 5. Retirement fund i) Benefit design ii) Admission of members/participating employers iii) Holding of contributions iv) Awarding, assigning, authorizing investment mandates v) Assessing and determining claims vi) Payment of benefits for defined benefit retirement funds Beneficiary Fund i) Benefit design ii) Admission of members iii) Holding of contributions iv) Awarding, assigning, authorizing investment mandates v) Assessing and determining claims vi) Payment of benefits for defined benefit funds 6. Friendly Society i) Benefit design ii) Holding of contributions iii) Admission of members iv) Assessing and determining claims v) Assessing and deciding to accept or decline risk

12 Government Gazette 16 April 2024 8347 7. Medical Aid Funds i) Assessing and determining claims ii) Defraying healthcare related expenses on behalf of members iii) Benefit/product design iv) Executive management and governance functions v) Holding of contributions vi) Awarding, assigning, authorizing investment mandates 8. Fund Administrators Functions and duties outsourced to a fund administrator Chapter Financial Intermediary Principal business function or activity 2. Insurance Broker Providing financial advice Stockbroker Dealing and Stockbroking (Executing trades) 3. Investment Manager Portfolio Management Linked Investment Service Provider Portfolio Administration Securities Advisor Investment Planning, Security Analysis and Asset Allocation Securities Dealer Dealing (buying and selling) of securities Participant Clearing and Settlement of Transactions Securities Rating Agency Credit Rating Assignments (includes issuer credit rating and debt instrument rating) 4. Manager of Collective Investment Scheme Operating Collective Investment Scheme Nominee Company Holding of assets on behalf of persons Trustee or Custodian Safekeeping and holding of assets (custodial services) 5. Medical Aid Fund Broker i) Functions and duties outsourced to a medical aid fund broker may not be outsourced ii) Providing financial advice 6. Fund Administrator i) Functions and duties outsourced to a fund administrator may not be outsourced ii) Providing financial advice