2021-01-01

Outsourcing Guidelines for Banks and Financial Institutions 2021

The Bank of Tanzania issued the 2021 Outsourcing Guidelines to establish a comprehensive regulatory framework governing how banks and financial institutions manage third-party service arrangements. The guidelines mandate prior regulatory approval for material outsourcing, prohibit the delegation of core management functions and primary offshore data centers, and require robust due diligence, risk assessment, and legally enforceable contracts with explicit audit and data security provisions. Financial institutions must maintain active board and senior management oversight, implement comprehensive business continuity plans, and ensure continuous monitoring to guarantee that outsourcing does not impair customer obligations or regulatory supervision.

Tanzania

Bank of Tanzania

OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2021 BANK OF TANZANIA

PART I INTRODUCTION AND BACKGROUND

  1. (a) Banks and financial institutions are increasingly using third party services to carry out activities, functions and processes under outsourcing arrangements as a way of reducing cost and accessing specialist expertise and capabilities, which are not available internally, as well as for achieving strategic objectives and business goals. (b) While outsourcing arrangements can reduce costs and bring benefits, they can also increase risk profile of a bank or financial institution due to, among others, reputation, compliance and operational risks arising from failure of a service provider in providing the service, breaches in security or inability to comply with legal and regulatory requirements. These guidelines set out the Bank’s expectations of a bank or financial institution that has entered or is planning to outsource its business activities to third parties. (c) The key underlying principle of these guidelines is that a bank or financial institution shall ensure that outsourcing arrangements neither diminish its ability to fulfill its obligations to customers and the Bank nor impede effective supervision by the Bank. Banks and financial institutions, therefore, shall take steps to ensure that the service provider employs the same standard of care in performing the services as would be employed by the bank or financial institution if the activities were conducted within the bank or financial institution and not outsourced.
  2. These guidelines may be cited as the Outsourcing Guidelines for Banks and Financial Institutions, 2021 and are made under Section 71 of the Banking and Financial Institutions Act, 2006.
  3. (a) These guidelines shall apply to all outsourcing arrangements entered into by banks and financial institutions. (b) For avoidance of doubt, outsourcing arrangements shall also include the provision of non-strategic but material services by a bank or financial institution's foreign head office or all material outsourcing arrangements between a bank or financial institution and regulated or unregulated entities in its corporate group or any other related entity.

  4. In these guidelines, unless the context otherwise requires: “Act” means the Banking and Financial Institutions Act, 2006; “Bank” means the Bank of Tanzania; “bank” has the same meaning ascribed to it in the Act; “financial institution” has the same meaning ascribed to it in the Act; “outsourcing” means an arrangement whereby a bank or financial institution receives goods or services from another entity that form part of the business processes and which are necessary to support the provision of banking or related financial services; “service provider” means the supplier of goods or services, who may be a related entity or an independent third party.
  5. The objective of these guidelines is to provide a framework which guides banks and financial institutions in all outsourcing arrangements in order to ensure that: (a) All material outsourcing arrangements entered into by a bank or financial institution are subject to appropriate due diligence, approval and on-going monitoring; (b) All risks arising from material outsourcing arrangements are appropriately managed to ensure that a bank or financial institution is able to meet both its financial and service obligations to customers, the Bank and other stakeholders; and (c) All dealings between the bank or financial institution and outsourced service providers and their related interests are conducted at arm's length.
  6. For the purpose of these guidelines, activities of a bank or financial institution must be classified as (1) strategic or (2) non-strategic. (a) Strategic activities and functions. These activities and functions should not be outsourced because they are generally compatible with the managers’ obligation to run the institution under their own responsibility. Examples of strategic and core management responsibility and functions include strategic oversight, risk management and strategic control. (b) Non-strategic but material activities. For the purpose of these guidelines material activities means activities of such importance that any weakness or failure in the provision of those activities can have a significant effect on the bank’s or financial institution’s ability to meet its regulatory responsibilities or to carry on its business.
  7. A bank or financial institution that is planning material outsourcing or is planning to vary any such outsourcing arrangements shall seek prior written approval of the Bank. The minimum criteria for evaluating requests from the bank or financial institution for outsourcing will include the following: (a) Demonstration of the need for the services being outsourced; (b) A clear basis for determining the fees payable and methodology for allocating costs of shared services; (c) Potential impact of outsourcing arrangements on the bank’s or financial institution’s tariff structure; (d) Evidence of due diligence on the capacity of the service provider; (e) Potential impact of the outsourcing on earnings, solvency, liquidity, funding, capital and risk profile; (f) Aggregate exposure to a particular service provider in cases where the bank or financial institution outsources various functions to the same service provider; and (g) Ability to maintain appropriate internal controls and meet regulatory requirements, if there were operational problems faced by the service provider.

PART II ASSESSMENT OF OUTSOURCING ARRANGEMENTS

  8. A bank or financial institution shall assess if an outsourcing arrangement that is in existence or being planned involves material business activity. Material outsourcing arrangements are those which, if disrupted, have the potential to significantly impact the business operations, reputation or profitability of a bank or financial institution. Factors to be considered when making this assessment will include: (a) The level of importance to the bank or financial institution of the activity being outsourced; (b) The likely impact on the bank’s or financial institution’s reputation and brand value, and ability to achieve its business objectives, strategy and plans, should the service provider fail to deliver the service; (c) The cost of the outsourcing arrangement as a proportion of total operating costs of a bank or financial institution; (d) The potential impact of the outsourcing on the bank or financial institution on various performance measures such as earnings, solvency, liquidity, funding and capital and risk profile; (e) The ability of the institution to meet regulatory requirements should there be any problems with the service provider; (f) The aggregate exposure to that particular service provider, in cases where the bank or financial institution outsources various functions to the same service provider; and (g) The degree of difficulty, including the time taken, to find an alternative outsourcing service provider or bring the business activity “in house”.
  9. A bank or financial institution shall consult the Bank where there is an uncertainty as to whether a business activity that is to be outsourced would be regarded as material for the purposes of these guidelines.
  10. Banks and financial institutions shall not outsource the following: (a) Core management functions such as corporate planning, organization, management and control and decision-making functions; (b) Determining compliance with Anti-Money Laundering and Combating of Financing of Terrorism and Know Your Customer (KYC) norms for opening accounts; (c) Decisions whether or not to grant credit; (d) Treasury function; (e) Risk management and compliance functions; (f) Activities considered illegal under any law in the United Republic of Tanzania; and (g) Primary data centre outside the country.
  11. The following activities shall not be considered as Outsourcing: (a) Market information services such as Bloomberg, Moody's, Fitch Ratings, Standard & Poor's; (b) Common network infrastructures such as Visa and MasterCard; (c) Clearing and settlement arrangements between clearing and settlement institutions and their members and similar arrangements between members and non-members; (d) Correspondent banking services; and (e) Introducer arrangements (where the institution does not have any contractual relationship with customers).

PART III: OUTSOURCING POLICY AND CONTRACTS

  12. The bank or financial institution should have a general policy on its approach to all aspects of outsourcing. To be effective, the policy must be communicated in a timely manner and should be implemented through all relevant levels of the bank or financial institution, and be revised periodically in light of changing circumstances and applicable laws.
  13. In setting up the policy, the bank or financial institution should bear in mind that no outsourcing is risk free. Therefore, at minimum the policy should: (a) cover the mechanism for appropriate monitoring and assessment of the outsourcing service provider by the bank or financial institution; (b) specify an internal unit or individual responsible for supervising and managing each outsourcing; (c) specify off-shore processing arrangement, modalities of recovering the outsourced resources such as data, in case of any dispute on the contract or political imbalances, by the bank or financial institution; (d) reflect the main phases in the outsourcing. Such phases include: (i) The decision to or not to outsource or change an existing outsourcing (the decision-making phase); (ii) Initial and periodic due diligence on the outsourcing service provider; (iii) A well-defined acquisition process with evaluation components such as terms of reference document, specification of requirements and evaluation of proposals; (iv) Drafting a written outsourcing contract and service level agreement (the contract-drafting phase); (v) The implementation, monitoring and maintenance of an outsourcing arrangement (the contract phase); and (vi) Dealing with the expected or unexpected termination of a contract and other service interruptions (the post-contract phase). (e) cover bank’s or financial institution’s plan and implementation arrangements to maintain the continuity of its business in the event that the provision of services by an outsourced service provider fails or deteriorates to an unacceptable degree, or the ‘experiences other changes or problems; (f) include some form of contingency planning and the establishment of a clearly defined exit strategy, evaluated against the costs and benefits of such planning; and (g) require a bank or financial institution to manage the risks associated with its outsourcing arrangements. Such risks include loss of operational control, service provider failure, inadequate confidentiality and security of information, and failure to meet regulatory requirements.
  14. A bank or financial institution shall submit the outsourcing policy to the Bank for clearance before its implementation.
  15. All outsourcing arrangements shall be subject to a written contract, which must be approved by the Bank before implementation.

  16. The contract should be reviewed by the bank’s or financial institution’s legal counsel to ensure that it is legally enforceable and that it reasonably protects the bank or financial institution from risk.
  17. Banks and financial institutions shall ensure that the written outsourcing contracts contain, among others, provisions pertaining to: (a) Clearly define the activities to be outsourced including appropriate service and performance standards; (a) Provide the bank or financial institution with the right to conduct audits on the service provider, whether by its internal or external auditors, or by agents appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the bank or financial institution; (b) business continuity plans, recovery times in the event of disruption, and responsibility for backup of programs or data; (c) notification requirements and approval rights for any material changes to services, systems, controls, key project personnel including changes to the service provider’s significant sub-contractors; (d) ownership of records and, where relevant, software, data usage and compliance with bank’s or financial institution’s security policies; (e) default arrangements and termination rights for a variety of conditions including change in control, convenience, substantial increase in cost and insolvency; (f) price or fee structure, duration and the mode of payment; (g) dispute resolution arrangements which attempt to resolve problems in an expeditious manner as well as provision for continuation of services during the dispute resolution period; (h) liability and indemnity for failed, delayed, or erroneous transactions processed by the outsourcing service provider; (i) confidentiality and security of information of both the bank or financial institution and its clients; (j) prohibition of assignment of the contract to a third party without the bank’s or financial institution’s prior consent; (k) review of the outsourcing service provider standards, policies, and procedures relating to internal controls, security, and business contingency to ensure that they meet the bank’s or financial institution’s minimum standards; (l) the Bank’s right to access at any time records of transactions and any information given to, stored at or processed by the service provider, any report or any results of audits and security reviews on the service provider and any sub-contractor that the service provider may use; (m) the Bank’s right to physical access at any time of the premises or equipment of the service provider; and (n) a clause to recognize the right of the Bank to cause an inspection to be made of a service provider of a bank or financial institution and its books and accounts by one or more of its officers or employees or other persons.
  18. Banks and financial institutions shall seek prior approval of the Bank before paying outsourcing fees to service providers.
  19. Outsourcing contracts between parties shall not have any exclusivity clauses that will prevent the bank or financial institution from obtaining similar services from other providers, in order to ensure that the bank or financial institution retains control over the outsourced activity.

PART IV DUTIES AND RESPONSIBILITIES OF THE BANK OR FINANCIAL INSTITUTION

  20. Each bank or financial institution will be responsible for the operations of the outsourced activities. Therefore, the ultimate responsibility for proper management of the risks associated with outsourcing lies with the board of directors and senior management of a bank or financial institution.

  21. The Board of Directors of a bank or financial institution shall: (a) review and approve outsourcing policy and the risk-management policies for outsourcing as recommended by management; (b) review periodically, but at least quarterly, management reports demonstrating compliance with the approved risk-management policies for outsourcing; (c) approve any outsourcing arrangement that exceeds the level of authority delegated to management; (d) prescribe the content and frequency of management's outsourcing reports to the Board or to its committee; (e) ensure that person(s) responsible for administering the risk management policies for outsourcing possess the competency required; and (f) ensure that the audit function regularly reviews operations to assess whether or not the risk-management policies and procedures for outsourcing are being followed and to confirm that sufficient risk management processes for outsourcing are in place.
  22. In relation to outsourcing, management of each bank or financial institution is expected to: (a) develop a risk management programme for outsourcing that reflects the institution's outsourcing policies and recommend it for approval by the board; (b) establish procedures adequate to the operation and monitoring of the risk management programme, which provide for an assessment of all outsourcing arrangements to identify those that are material, an evaluation of the service provider, a satisfactory service contract, confidentiality and security needs, the requirements of the Bank, and accountability for monitoring outsourcing of material activities; (c) implement the risk management programme for outsourcing; (d) carry out periodic internal self-assessment to test the effectiveness of the risk management programme; (e) manage and control outsourcing risk within the risk management programme; (f) develop and implement appropriate reporting systems for effective management and control of existing and potential outsourcing risk exposure; (g) ensure that an audit function reviews regularly the operation of the risk-management programme relating to outsourcing; (h) develop lines of communication to ensure timely dissemination of outsourcing policies and procedures and other relevant outsourcing information to all individuals involved in the process; and (i) report to the board, or to a committee of the board, on the operation and effectiveness of the programme and the risk or materiality of outsourcing arrangements.
  23. Intra group outsourcing may be allowed provided the bank or financial institution meets the following conditions: (a) it demonstrates that it can manage the risk involved; (b) it is a member of a group that is subject to supervision on a consolidated basis in conformity with Core Principles for Effective Banking Supervision issued by Basel Committee; (c) the arrangement between the bank or financial institution and the affiliate or subsidiary is on terms that are substantially the same, or at least as favourable to the bank or financial institution, as those available from a nonaffiliated service provider; (d) it obtains adequate information on how the parent group manages the risk to demonstrate to the Bank that it is compliant with Risk Management Guidelines relating to outsourcing.
  24. A bank or financial institution shall report to the Bank in case of any problem with its outsourcing arrangements which may impair provision of the outsourced services.
  25. Sub-contracting of outsourced activities and functions by outsourced service provider is not allowed.

PART V EVALUATION AND CONDUCT OF SERVICE PROVIDERS

  26. A bank or financial institution shall carry out a detailed due diligence of the service providers encompassing assessment of, but not limited to: (a) Past experience and competence to implement and support the proposed activity over the contracted period; (b) Financial soundness and ability to service commitments even under adverse conditions; (c) Ability of service provider to manage risks; (d) Business reputation and culture, compliance, complaints and outstanding or potential litigation; (e) Security and internal control, audit coverage, reporting and monitoring environment, Business continuity management; (f) External factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact service performance; (g) Due diligence by service provider of its employees; and (h) Potential conflict of interest in case service provider is related party.
  27. Public confidence and customer trust in a bank or financial institution is a prerequisite for the stability and reputation of the bank or financial institution. In that regard, a bank or financial institution shall ensure that: (a) There is preservation and protection of the security and confidentiality of customer information in the custody or possession of the service provider; (b) Access to customer information by staff of the service provider should be limited to those areas where the information is required in order to perform the outsourced function; (c) The service provider is able to isolate and clearly identify the bank’s or financial institution’s customer information, documents, records and assets to protect the confidentiality of the information; (d) It reviews and monitors the security practices and control processes of the service provider on a regular basis and requires the service provider to disclose security breaches; and (e) It notifies the Bank in the event of any breach of security and leakage of confidential customer related information.
  28. A bank or financial institution shall ensure that the service providers are properly trained to handle with care their responsibilities, particularly aspects like soliciting customers, hours of calling, privacy of customer’s information and conveying the correct terms and conditions of the products on offer.

PART VI BUSINESS CONTINUITY MANAGEMENT AND DISASTER RECOVERY PLAN

  29. (1) A bank or financial institution shall require its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. (2) The bank or financial institution shall ensure that the service provider periodically tests the Business Continuity and Recovery Plan and may also consider occasional joint testing and recovery exercises with its service provider. (3) The bank or financial institution shall keep copies of Business Continuity and Recovery Plans of all outsourced service providers.
  30. In order to mitigate the risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, a bank or financial institution shall retain an appropriate level of control over their outsourced services and the right to intervene with appropriate measures to continue its business operations in such cases without incurring prohibitive expenses and without any break in the operations of the bank or financial institution and its services to the customers.
  31. In establishing its contingency plan, a bank or financial institution shall consider the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency and the costs, time and resources that would be involved.

  32. Outsourcing often leads to the sharing of facilities operated by the service provider. The bank or financial institution shall ensure that service providers are able to isolate the bank’s or financial institution’s information, documents and records, and other assets. This is to ensure that in adverse conditions, all documents, records of transactions and information given to the service provider, and assets of the bank or financial institution, can be deleted, destroyed, rendered unusable or removed from the possession of the service provider.

PART VII MONITORING AND CONTROL OF OUTSOURCED ACTIVITIES

  33. The bank or financial institution shall have in place a management structure to monitor and control its outsourcing activities. It shall ensure that outsourcing agreements with the service provider contain provisions to address their monitoring and control of outsourced activities.
  34. A central record of all material outsourcing that is readily accessible for review by the board and senior management of the bank or financial institution shall be maintained. The records shall be updated promptly and form part of the corporate governance reviews undertaken by the board and senior management of the bank or financial institution.
  35. Regular audits by either the internal auditors or external auditors of the bank or financial institution shall assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the bank’s or financial institution’s compliance with its risk management framework and the requirements of these guidelines.
  36. A bank or financial institution shall at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider, should highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
  37. In order to ensure there are adequate redressal mechanisms for grievances related to outsourced services: (a) A bank or financial institution shall have clear procedures for addressing grievances/complaints relating to outsourced activities; (b) A bank or financial institution shall constitute grievance handling procedures and give wide publicity about it through electronic and print media. The name and contact number of designated grievance redress officer of the bank or financial institution should be made known and widely publicized. The designated officer shall ensure that genuine grievances of customers are redressed promptly; (c) The grievance redress procedure of the bank or financial institution and the time frame fixed for responding to the complaints shall be placed in a conspicuous place within the bank’s or financial institution’s premises or website.

PART VIII TRANSFER PRICING

  38. Transfer pricing generally relates to the system of pricing the cross-border transfer of goods, services and intangibles between entities in a group of companies. Transfer pricing also applies if such transactions were to take place between associated companies within the country. Ideally, the transfer price should not differ from the prevailing market price. However, when business dealings are made between connected entities, there is a possibility that these may not always reflect the dynamics of market forces as would be expected if such transactions were carried out by independent enterprises.
  39. A bank or financial institution that seeks to engage in intra-group outsourcing shall ensure that it adopts reasonable transfer pricing methodologies and that the bank or financial institution pays its fair share of tax. In order to do so, the bank or financial institution involved must be able to provide adequate documented proof to support their transfer pricing policies. Further, the transfer pricing methodologies used should be consistent with Transfer Pricing Regulations issued by Tanzania Revenue Authority (TRA).
  40. The bank or financial institution shall clearly articulate and demonstrate evidence of its arms' length pricing methodologies when seeking approval to outsource. The resulting pricing should not be significantly different from prices of independent service providers.

  41. The Bank may, in appropriate circumstances, if it is of opinion that the price of an intra-group outsourced service or goods is not reasonably reflective of market forces, disallow an outsourcing arrangement or otherwise approve it to proceed only upon such terms regarding pricing as the Bank considers to be reasonably representative of market pricing.

PART IX GENERAL PROVISIONS

  42. Without prejudice to the other penalties and actions prescribed by the Act, the Bank may impose one or more of the following sanctions where any of the provisions herein are contravened: (a) civil money penalty on the banking institution or directors, officers or employees responsible for non-compliance in such amounts as may be determined by the Bank; (b) prohibition from engaging in outsourcing arrangements; (c) suspension of access to the credit facilities of the Bank; (d) suspension of lending and investment operations; (e) suspension of capital expenditure; (f) suspension of the privilege to accept new deposits; (g) suspension from office of the defaulting director, officer or employee; (h) disqualification from holding any position or office in any banking institution in Tanzania; and revocation of banking license.
  43. Outsourcing Guidelines for Banks and Financial Institutions, 2008 are hereby dis-applied.

Dar Es Salaam, 17th June 2021
FLORENS D. A. M LUOGA, Governor