2024-11-08
The Bank of Ghana issued its revised Outsourcing Directive in November 2024 to establish a comprehensive risk management framework for Regulated Financial Institutions. The directive aligns with updated Basel Core Principles by broadening key definitions, restricting the outsourcing of strategic functions like Security Operations Centres, and mandating annual materiality assessments and due diligence reviews. It further strengthens governance by clarifying board responsibilities, enhancing audit and access rights for both institutions and regulators, and streamlining regulatory reporting and disclosure timelines.
Bank of Ghana I PUBLIC PUBLIC
BANK OF GHANA
EXPLANATORY NOTES ON THE REVISED OUTSOURCING DIRECTIVE FOR BANKS, SAVINGS AND LOANS, FINANCE HOUSES, FINANCIAL HOLDING COMPANIES AND DEVELOPMENT FINANCE INSTITUTIONS
NOVEMBER 2024
BANK OF GHANA EST. 1957
TABLE OF CONTENTS
INTRODUCTION
NOTES EXPLAINING REVISIONS REFLECTED IN THE OUTSOURCING DIRECTIVE, 2024
INTRODUCTION

Pursuant to Section 92(1) of the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930), as well as Section 84 of the Development Finance Institutions Act, 2020 (Act 1032), the Bank of Ghana (BOG) issued the Outsourcing Directive in November 2024 following consultation with the banking industry (herein called “the industry”) as well as the IMF Resident Advisor.

The Outsourcing Directive is aimed at ensuring that banks, savings and loans, finance houses, financial holding companies and development finance institutions, hereafter referred to as Regulated Financial Institutions (RFIs), have a framework for effectively managing outsourcing risks. It also sets BOG’s supervisory approach to outsourcing, provides guidance on regulatory requirements regarding outsourcing arrangements and operationalises section 60(12) of Act 930 and section 57(12) of Act 1032.

The Bank of Ghana has since carefully considered the Outsourcing Directive in the light of feedback, comments and contributions received during the public consultation process. This has culminated in a revised Outsourcing Directive dated November 2024, which addresses material issues identified in the Exposure Draft of the Outsourcing Directive.

This document therefore explains the significant revisions reflected in the final version of the Directive, titled Bank of Ghana’s Outsourcing Directive, 2024.
NOTES EXPLAINING REVISIONS REFLECTED IN THE OUTSOURCING DIRECTIVE, 2024

Introduction
This section, which provides a background to the rationale behind the issuance of the Outsourcing Directive, has been broadened with a newly inserted paragraph:
“Per Principle 25 (Operational Risk and Operational Resilience) of the Basel Core Principles for Effective Supervision (BCP) issued by the Basel Committee for Banking Supervision (BCBS) in April 2024, supervisors are to require Board and Senior Management of RFIs to understand the risks associated with banking activities performed by Service Providers and ensure that effective risk management policies and processes are in place to adequately manage these risks”.
The insertion is to reemphasise the alignment of the Outsourcing Directive with the revised BCPs issued in April 2024 by the BCBS.

Part I – Interpretation
i. The definitions of “function”, “outsourcing” and “service provider” have been broadened to align with the definitions provided by the BCBS.
ii. In addition, definitions for related interest, related persons, security information and event management, and security operations centre have been newly inserted.

Part I – Objectives
i. The section on objectives has been rearranged and placed after the interpretation section to prioritise BOG’s objectives.
ii. Objectives of the Directive have been expanded to include the following:
   a. Set BOG’s supervisory approach to outsourcing. This is to align with the BCBS’ supervisory expectations with respect to outsourcing.
Part I – Supervisory Approach
Paragraphs 6 and 9 of the Exposure Draft have been deleted to avoid duplication.

Part I – Transitional Arrangements and Effective Implementation
i. The effective implementation date and transitional period have been updated in light of the date of issuance of the revised Outsourcing Directive.
ii. A new insertion (“An RFI shall submit its materiality assessment framework to the BOG not later than 2nd June 2025”) has been made to ensure that materiality assessment frameworks are submitted by the RFIs to BOG on time for BOG to review and provide feedback.
iii. The timeline for RFIs’ notification to BOG on non-core outsourced functions has been extended (from ten days to ten working days).

Part II – Governance
One of the Board responsibilities has been appropriately moved to Senior Management responsibilities.

Part II – Risk Management
i. New paragraphs have been inserted that consider BOG’s minimum expectations for RFIs with regard to Risk Assessment. This is in alignment with CP25 (Operational Risk and Operational Resilience) of the BCPs.
ii. In addition, there is a provision that restricts RFIs from procuring the services of Service Providers/sub-contractors that are owned or controlled by related interest and related persons.
iii. Paragraph 26c of the Exposure Draft has been deleted because some business operations of the Service Provider may be non-financial operations, which are not permissible under Act 930 and Act 1032.

Part II – Business Continuity Planning as well as Data Protection and Confidentiality
i. The two above-mentioned new headers have been inserted to provide further clarity and facilitate referencing of the Directive.
ii. The section on Data Protection and Confidentiality just below the monitoring and control section has been added to this newly inserted section.

Part II – Materiality Assessment
i. A new insertion requires the use of data from the recent Audited Financial Statement in determining supervisory thresholds for materiality assessments.
ii. A footnote has been inserted, providing clarity on the reference date to apply when computing the total operating cost.
iii. The factors to consider when conducting a materiality assessment have been rearranged, with the quantitative requirements separated from the qualitative criteria.
iv. The reviews of an RFI’s outsourcing arrangements to identify new outsourcing risks and materiality have been amended. RFIs are required to conduct the reviews annually.

Part II – Due Diligence Process
i. A new insertion has been made to the minimum requirements for conducting due diligence by an RFI on a service provider or sub-contractor: “The reputation of the service provider or sub-contractor in respect of services offered, the quality and dependability of its personnel”. The above was inserted to assure the BOG of the quality of services to be provided by the service provider.
ii. Minimum factors to consider when conducting a cost benefit assessment have been newly inserted.
iii. Timelines for conducting due diligence on existing Service Providers have been amended from biannually to annually.

Part II – Minimum Contractual Requirements
i. Paragraph 50 of the Exposure Draft has been deleted. The section on risk management has been enhanced and the content of this paragraph is highlighted in the risk management section.
ii. Paragraphs 53, 54 and 55 of the Exposure Draft have also been deleted to avoid duplication.
iii. A new insertion requires RFIs to put in place Service Level Agreements with a combination of qualitative and quantitative targets. This is to provide further clarity.
iv. The insertion to the list of minimum contractual requirements pertaining to audit rights and access to records of the service provider/sub-contractor has been revised:
“Provisions on audit rights and access to records, which include the following:
   a. allow the RFI to conduct audits on the service provider and its sub-contractors, either directly or through its agents, and to obtain any report or findings on the outsourcing arrangements from the service provider and its sub-contractors; and
   b. grant BOG and its agents the contractual rights to have direct, timely and unrestricted access to the systems and any information or documents relating to the outsourced function as well as conduct on-site inspection of the service provider and sub-contractor, where necessary”.
This was revised to further enhance the requirements on audit and access rights for the RFI and BOG. This is in alignment with the BCPs.

Part II – Monitoring and Control of Outsourcing Arrangements
i. Paragraph 60a of the Exposure Draft has been amended, with RFIs required to review their outsourcing risk register quarterly.
ii. Paragraphs 60b and 60c are similar and have been merged to avoid redundancies.

Part II – Audit and Inspection
i. Paragraph 64 of the Exposure Draft has been deleted and incorporated into the list of minimum contractual requirements with regard to provisions on audit rights and access to records.
ii. The internal audit function is required to undertake independent reviews of all outsourced activities every two (2) years or less. A timeline was not provided in the Exposure Draft.

Part III – Information Technology Functions
i. Security Information and Event Management (SIEM) services have been added to the list of permissible IT functions that can be outsourced. This is to align with the Bank of Ghana Cyber and Information Security Directive, 2018 (CISD).
ii. Security Operations Centre (SOC) services are no longer a permissible function to be outsourced, in accordance with the CISD.

Part IV – Regulatory Approval Requirements for Core Functions (Non-Strategic)
The heading for this section has been amended to provide further clarity.

Part VI – Regulatory Reporting and Disclosure Requirements
i. Paragraph 95 of the Exposure Draft has been amended to include a timeline of every two (2) years for RFIs to submit their internal audit reports.
ii. A provision requiring RFIs to submit their outsourcing risk registers to BOG has been moved from the materiality assessment section to the regulatory reporting section, as it is a reporting requirement.
iii. The disclosure of the list of service providers has been deleted. RFIs are therefore required to disclose only all existing core and non-core outsourced functions in the Audited Financial Statements.
iv. In addition, a new insertion to the section is as follows: “Service providers shall disclose to the RFI breaches in confidentiality with respect to customer information and the RFI will immediately report to the BOG”. This is aimed at protecting customer information.

Annexure I – Examples of Core and Non-Core Functions
i. The following have been added to the list of core (non-strategic) functions:
   a. SIEM;
   b. Legal function;
   c. Company secretary;
   d. Registration of collaterals for loans and advances;
   e. Cashier/teller services; and
   f. Call centre services and other customer-related media services.
ii. A footnote has been inserted to clarify what types of training services should be considered as a core (non-strategic) function.
iii. Some examples of non-core functions have been deleted because they are not considered as permissible activities in accordance with Act 930 and Act 1032.
iv. Paragraph 4 of Annexure I has been amended to provide further clarity.

Annexure II – Examples of Core Functions which shall not be Outsourced (Strategic Functions)
i. The following have been added to the list of core (strategic) functions that shall not be outsourced, to align with the CISD:
   a. Cyber and information security management function; and
   b. Security operations centre (SOC) – situation room.
ii. Paragraph 2 of Annexure II in the Exposure Draft made provision for all RFIs to apply for an exemption to outsource a strategic function. However, the provision has been amended to exempt banks.

Annexure VII – Outsourcing of Security Operations Centre
This section has been deleted as it is no longer permissible to be outsourced.

Annexure VIII – Outsourcing Risk Register Template
A new column has been inserted that requires the Taxpayers Identification Number for corporates as well as the Ghana Card PIN, where necessary. This is to facilitate identification of ultimate beneficiary owners of these service providers.