South African Reserve Bank Directive 8/2015: Reporting requirements for material outsourced and critical third-party service providers

[Logo: South African Reserve Bank]

South African Reserve Bank From the Office of the Registrar of Banks

Ref: 15/8/3 D8/2015

2015-06-23

To: All banks, controlling companies, branches of foreign institutions, eligible institutions and auditors of banks or controlling companies

Directive 8/2015 issued in terms of section 6(6) of the Banks Act, 1990

Reporting requirements relating to material outsourced service providers and critical third-party service providers

Executive summary

The outsourcing of functions or activities that were traditionally executed within banks, controlling companies or branches of foreign institutions (hereinafter collectively referred to as banks) has increased substantially in recent years. This increasing trend in outsourcing arrangements may be due to a variety of reasons, which may include matters related to a reduction in cost or the achievement of specific strategic objectives.

Ultimately the board of directors of a bank is responsible for setting the bank's tolerance for risk and the senior management of the bank has to ensure that all relevant risk exposures are managed within the risk tolerance level set by the bank's board of directors, which will, of course, include risks that may arise from or be related to the outsourcing of specific functions or activities.

Supervisors have to continuously assess and evaluate, among other things, how well banks are managing and mitigating their respective exposures to risk, including risks that may arise from outsourcing. For this purpose, supervisors often require banks to submit specified information within indicated time intervals.

The purpose of this directive is to direct all banks to submit specified information in respect of their outsourcing arrangements within indicated timelines.

---

PO Box 8432 Pretoria 0001 · 370 Helen Joseph Street Pretoria 0002 · South Africa · Tel +27 12 3133911/0861 12 7272 · Fax +27 12 3133758 · www.reservebank.co.za

---

2

1. Introduction

1.1 This Office previously issued Banks Act Guidance Note 5/2014, titled ‘Outsourcing of functions within banks’-

1.1.1 to remind banks of the potential risks that may arise from the use of service providers; and

1.1.2 to provide guidelines to banks in respect of the assessment and management of risks pertaining to outsourcing relationships.

1.2 To this end, the definitions as contained in paragraph 2 of GN5/2014 refer.

1.3 In order-

1.3.1 to obtain a better understanding of banks' exposures to risks arising from their outsourcing arrangements; and

1.3.2 to identify any mutual or common exposure to operational risk or potential vulnerability within the banking sector,

this Office has decided to require banks to submit specified information in respect of top material outsourced service providers.

1.4 Despite the fact that banks have no control over critical third-party service providers, such as Eskom and Telkom, and banks are unable to produce their own electricity and telecoms lines, this Office still requires specified information in respect of these critical third party service providers, in order to measure concentration, exposure and vulnerability. Banks are also required to include specified information in respect of banking industry service providers, such as SBV and Bankserv.

2. Directive related to required information

2.1 Based on the aforesaid, and in accordance with the provisions of section 6(6) of the Banks Act, 1990, banks are hereby directed to submit to this Office the information specified in Annexure A-

2.1.1 in respect of the twelve-month period that ends on 30 June 2015 (once-off), and in respect of every twelve-month period that ends on 31 December of each relevant year thereafter, that is, from 31 December 2015, onwards;

2.1.2 which information shall be submitted within 30 business days following the relevant reporting date to which the information relates; and

2.1.3 which information shall be submitted in respect of the relevant bank on a bank solo, bank consolidated and a controlling company consolidated basis, provided that in the case of a branch of a foreign institution, the information shall relate only to the relevant branch of the foreign institution conducting business in the Republic.

---

3

2.2 Banks shall use the Excel format of Annexure A, which is necessary for capturing and submission purposes.

3. Sign-off

3.1 Annexure A shall be signed-off by the chief risk officer of the bank, and attested by the chief executive officer of the bank.

4. Acknowledgement of receipt

4.1 Two additional copies of this directive are enclosed for the use of your institution's independent auditors. The attached acknowledgement of receipt, duly completed and signed by both the chief executive officer of the institution and the said auditors, should be returned to this Office at the earliest convenience of the aforementioned signatories.

[Signature]

René van Wyk Registrar of Banks

Encl. 1

The previous directive was Directive 7/2015, dated 12 May 2015.

---

Annexure A

SPECIFIED INFORMATION IN RESPECT OF OUTSOURCING AND THIRD PARTY SERVICE PROVISION (Confidential and not available for inspection by the public) Name of bank/ controlling company.................................................. Period ended .................................................. (yyyy-mm-dd)

(All amounts to be rounded off to the nearest R'000)

| Full name of top fifteen material outsourced service providers (MOSP)¹ | Line no. | Primary reason for classification as 'material'¹,² | Short description of services provided | Industry³ | Specify⁴ | Segment/ cluster/ business unit⁵ | Additional comments⁶ | Contingency plans in place⁷ | Name of alternate service provider/s⁸ | Contract period⁹ | Contract expiry date¹⁰ | Contract value¹¹ | Exposure value¹² | | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | | | | | | | | | | | | | | | Current 12-month rolling period | Prior 12-month rolling period | | | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | | 1 | | | | | | | | | | | | | | | | 2 | | | | | | | | | | | | | | | | 3 | | | | | | | | | | | | | | | | 4 | | | | | | | | | | | | | | | | 5 | | | | | | | | | | | | | | | | 6 | | | | | | | | | | | | | | | | 7 | | | | | | | | | | | | | | | | 8 | | | | | | | | | | | | | | | | 9 | | | | | | | | | | | | | | | | 10 | | | | | | | | | | | | | | | | 11 | | | | | | | | | | | | | | | | 12 | | | | | | | | | | | | | | | | 13 | | | | | | | | | | | | | | | | 14 | | | | | | | | | | | | | | | | 15 | | | | | | | | | | | | | | |

1. Based on the definition of material as set out in Guidance Note 5/2014.
2. Based on the following specified keys: 1 = financial; 2 = strategic.
3. Based on the majority of services rendered and the following specified keys: 1 = communication; 2 = construction; 3 = electricity, gas and water; 4 = financial; 5 = manufacturing; 6 = security (other than technology related); 7 = technology; 8 = transport; 9 = other (details provided in column 4).
4. If "Other" was selected in column 3.
5. Please specify in which segment, cluster or business unit the Material Outsourced Service Provider (MOSP) is used.
6. Relates to any further information in respect of the MOSP that is regarded as significant.
7. Based on the specified keys where 1 = yes and 2 = no, state whether an alternate provider/s has been identified to continue key functions /services should existing outsourcing arrangement fail.
8. If "yes" was selected in column 7 state the full name/s of the alternate service providers.
9. Please specify the total contract period agreed with the relevant service provider.
10. Please specify the expiry date of the current contract with the relevant service provider.
11. Please specify the total value of the contract with the relevant service provider, for the entire duration of the contract.
12. Please specify the value of the contract with the relevant service provider, for the respective specified periods.

---

2

(All amounts to be rounded off to the nearest R'000)

| Full name of top fifteen critical third-party service providers¹,² | Line no. | Primary reason for classification as 'critical'³ | Short description of services provided | Industry⁴ | Specify⁵ | Segment/ cluster/ business unit⁶ | Additional comments⁷ | Contingency plans in place⁸ | Name of alternate service provider/s⁹ | Contract period¹⁰ | Contract expiry date¹¹ | Contract value¹² | Exposure value¹³ | | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | | | | | | | | | | | | | | | Current 12-month rolling period | Prior 12-month rolling period | | | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | | 16 | | | | | | | | | | | | | | | | 17 | | | | | | | | | | | | | | | | 18 | | | | | | | | | | | | | | | | 19 | | | | | | | | | | | | | | | | 20 | | | | | | | | | | | | | | | | 21 | | | | | | | | | | | | | | | | 22 | | | | | | | | | | | | | | | | 23 | | | | | | | | | | | | | | | | 24 | | | | | | | | | | | | | | | | 25 | | | | | | | | | | | | | | | | 26 | | | | | | | | | | | | | | | | 27 | | | | | | | | | | | | | | | | 28 | | | | | | | | | | | | | | | | 29 | | | | | | | | | | | | | | | | 30 | | | | | | | | | | | | | | |

1. In order to identify any mutual or common exposure to operational risk or potential vulnerability within the banking sector, please include in items 16 to 30 the relevant full names of critical third-party service providers, such as Eskom and Telkom, as banks are unable to produce their own electricity and telecom lines; and banks cannot control these service providers).
2. Please also include banking industry service providers, such as SBV and Bankserv.
3. Based on the following specified keys: 1 = financial; 2 = strategic.
4. Based on the majority of services rendered and the following specified keys: 1 = communication; 2 = construction; 3 = electricity, gas and water; 4 = financial; 5 = manufacturing; 6 = security (other than technology related); 7 = technology; 8 = transport; 9 = other (details provided in column 4).
5. If "Other" was selected in column 3.
6. Please specify in which segment, cluster or business unit the critical third-party service provider is used.
7. Relates to any further information in respect of the critical third-party service provider that is regarded as significant.
8. Based on the specified keys where 1 = yes and 2 = no, state whether an alternate provider/s has been identified to continue key functions /services should existing outsourcing arrangement fail.
9. If "yes" was selected in column 7 state the full name/s of the alternate service providers.
10. Please specify the total contract period agreed with the relevant service provider.
11. Please specify the expiry date of the current contract with the relevant service provider.
12. Please specify the total value of the contract with the relevant service provider, for the entire duration of the contract.
13. Please specify the value of the contract with the relevant service provider, for the respective specified periods.