2024-10-11

Added · Updated

NAMFISA Outsourcing Standard GEN.S.10.10 (2024)

Issued by the Namibia Financial Institutions Supervisory Authority (NAMFISA), this standard mandates that all financial institutions and intermediaries comply with structured outsourcing rules for material business functions while prohibiting the outsourcing of principal business. It requires boards and senior management to implement a triennially reviewed outsourcing policy, conduct rigorous due diligence, maintain robust contractual obligations, and manage risks related to IT security, confidentiality, concentration, data access, and orderly termination. Institutions must notify NAMFISA in writing within thirty days of entering into or amending agreements, and existing arrangements must be reviewed to achieve full compliance within a twelve-month transitional period.

Namibia Financial Institutions Supervisory Authority logo

Namibia

Namibia Financial Institutions Supervisory Authority

Click to view thumbnail

FINANCIAL INSTITUTIONS AND MARKETS ACT, 2021 GENERAL OUTSOURCING OF FUNCTIONS AND RESPONSIBILITIES BY FINANCIAL INSTITUTIONS AND FINANCIAL INTERMEDIARIES Standard No. GEN.S.10.10 issued by NAMFISA under section 410(2)(x) of the Financial Institutions and Markets Act, 2021


Definitions

  1. (1) In this Standard, unless the context indicates otherwise – (a) “Act” means the Financial Institutions and Markets Act, 2021 (Act No. 2 of 2021), and it must be read with the regulations prescribed under the Act and the standards and other subordinate measures issued by NAMFISA under the Act; (b) “in-sourcing arrangement” means the outsourcing of a material business function by a financial institution or financial intermediary to a related service provider such as a subsidiary, affiliate or associate; (c) “material business function or activity” means a business function or activity of a financial institution or financial intermediary that has the potential, if disrupted, to significantly and negatively impact – (i) the finances, reputation or operations of the financial institution or financial intermediary; or (ii) the financial institution’s or financial intermediary’s ability to manage key risks effectively; (d) “off-shoring arrangement” means the outsourcing of a material business function by a financial institution or financial intermediary to – (i) a service provider located outside Namibia; or (ii) a service provider located in Namibia but who conducts the material business function outside Namibia; (e) “outsourcing” means an arrangement whereby a financial institution or financial intermediary uses a service provider to provide a material business function on its behalf, and it includes in-sourcing, off-shoring and sub-outsourcing arrangements; (f) “outsourcing agreement” means the written contract documenting an in-sourcing, off-shoring, outsourcing or sub-outsourcing arrangement; (g) “outsourcing arrangement” means the outsourcing of a material business function by a financial institution or financial intermediary to a service provider;

(h) “principal business” means the functions or activities defined in Schedule 2 attached to this Standard; (i) “service provider” means a person who provides a material business function to a financial institution or financial intermediary; and (j) “sub-outsourcing arrangement” means an arrangement whereby a service provider in an outsourcing arrangement further outsources the whole or part of an outsourced material business function to another service provider. (2) Words and phrases defined in the Act have the same meaning in this Standard, unless the context indicates otherwise, including but not limited to the following as defined in section 1 of the Act: (a) affiliate; (b) associate; (c) auditor; (d) board; (e) client; (f) financial institution; (g) financial intermediary; (h) NAMFISA; and (i) subsidiary. Applicability 2. This Standard applies to all financial institutions and financial intermediaries. Principal business 3. A financial institution or financial intermediary may not outsource its principal business. The role of the board and senior management 4. (1) The board and senior management of a financial institution or financial intermediary is ultimately responsible for ensuring compliance with this Standard. (2) The board and senior management of a financial institution or financial intermediary must designate employees responsible for continuously identifying, reporting and mitigating risk strategies of outsourced arrangements. (3) The designated employees referred to in sub-clause (2), must timeously inform the board and senior management of the financial institution or financial intermediary about those risks.

(4) The board and senior management of a financial institution or financial intermediary must, when outsourcing any material business function – (a) ensure the development, adoption and implementation of an outsourcing policy that must be reviewed at least triennially; (b) ensure that all relevant business units are fully aware of and comply with the approved outsourcing policy; (c) identify the risks introduced by the outsourcing arrangement prior to entering into an outsourcing agreement; and (d) ensure that the risks and the controls of the outsourcing arrangement are continually managed as part of the overall risk management procedures to ensure that the financial institution or financial intermediary continues to meet their financial and other obligations to their clients and other stakeholders. Outsourcing policy 5. The financial institution’s or financial intermediary’s outsourcing policy must - (a) adhere to this Standard; (b) establish the criteria to identify those functions which are principal business and those that are material business functions; (c) establish the criteria and procedures for appointing, renewing and terminating the services of the service provider; and (d) give effect to the outsourcing principles specified under clauses 8 to 14 and the risks associated with the outsourcing. Material business functions 6. (1) A financial institution or financial intermediary may outsource their material business functions, but any outsourcing must be done in compliance with this Standard. (2) In determining whether a business function is a material business function, the financial institution or financial intermediary must consider the following factors: (a) financial, reputational and operational impact if the material business function is disrupted, deteriorates or fails; (b) impact on the financial institution, financial intermediary or their clients if the services provided by a service provider is disrupted, deteriorates or fails; (c) sensitivity of the outsourced business function, such that failure to recover within a specific timeframe may pose contagion risk to the broader market; (d) adverse impact of outsourcing on the security and integrity of the data for the financial institution, financial intermediary or their clients; (e) degree of difficulty and time required to find an alternative service provider, or to

bring the business function in-house; (f) cost of the outsourcing arrangement; (g) affiliation, association or other relationship between the financial institution or financial intermediary and the service provider; (h) regulatory compliance status of the financial institution or financial intermediary and, if applicable, of the service provider; (i) ability of the financial institution or financial intermediary to meet NAMFISA’s supervisory powers and maintain internal controls should the service provider fail to perform their activities or functions; (j) whether the outsourcing arrangement impedes NAMFISA’s supervisory powers; (k) impact on the financial institution’s or financial intermediary’s strategic objectives should the service provider fail to perform their activities or functions in terms of the outsourcing agreement; and (l) the nature or value of potential losses to the financial institution’s or financial intermediary’s customers should a service provider fail to perform the outsourcing arrangement. Outsourcing principles 7. The seven principles on the outsourcing of a material business function must be applied according to the degree of materiality and that of the risks introduced by the outsourcing to the financial institution or financial intermediary. Principle 1: Due diligence on selection and performance monitoring 8. A financial institution or financial intermediary must – (a) be satisfied that the service provider has the ability and capacity to perform in terms of the outsourcing agreement by conducting suitable due diligence when selecting a service provider; (b) perform ongoing monitoring of the performance of the service provider; (c) perform ongoing due diligence, considering ongoing reporting from the service provider; and (d) assess and manage the risks arising from over-reliance on a single service provider. Principle 2: The contract with a service provider 9. (1) A financial institution or financial intermediary and the service provider must enter into a signed outsourcing agreement in respect of each outsourcing arrangement, covering, at a minimum, the requirements contained in this Standard and Schedule 1 attached to this Standard.

(2) The outsourcing agreement must outline the scope, nature and quality of the service to be provided, the monitoring thereof and the reporting requirements of the service provider. Principle 3: Information technology security, business resilience, continuity, and disaster recovery 10. The outsourcing agreement must contain obligations relating to the suitability of the service provider’s information technology security, software, cyber-resilience, disaster recovery capabilities and business continuity plans in relation to the performance of the obligations contained in the outsourcing agreement. Principle 4: Confidentiality 11. (1) A financial institution or financial intermediary must ensure that the service provider protects confidential information and data related to the financial institution or financial intermediary and their clients from intentional or inadvertent unauthorised disclosure to third parties, in compliance with applicable data protection laws. (2) Where confidential information and data related to the financial institution or financial intermediary and their clients are processed by a service provider, the regulatory environment for data security and data protection must be assessed and, if necessary, additional precautionary measures such as enhanced encryption must be considered. Principle 5: Concentration of outsourcing arrangements 12. (1) A financial institution or financial intermediary must be aware of the risks posed, and effectively manage those risks, where they are dependent on a single service provider for outsourcing, or where they are aware that the service provider provides outsourcing services to multiple persons. (2) A financial institution or financial intermediary must identify and monitor sub￾outsourcing arrangements, intra-group arrangements and group dependency in their risk assessments. Principle 6: Access to data, premises and personnel 13. (1) A financial institution or financial intermediary must ensure that NAMFISA, the auditors of the financial institution or financial intermediary (if applicable) and the financial institution or financial intermediary themselves can promptly obtain, upon request, information concerning the outsourced material business function and where necessary, there must be prompt access to the data, information technology systems, premises and personnel of the service provider. (2) The financial institution or financial intermediary remains accountable to NAMFISA for their regulatory compliance, and accordingly must ensure that they have processes and procedures in place maintaining records to facilitate NAMFISA to carry out its inspection, investigation and monitoring powers over the activities that it regulates. (3) A financial institution or financial intermediary must keep records of all outsourced arrangements for:

a) the duration of the arrangement. b) a minimum period of five years from the date of termination the arrangement. Principle 7: Termination of outsourcing 14. (1) A financial institution or financial intermediary must ensure that there is an orderly transition in the event of an outsourcing agreement being terminated. (2) There must be clarity on who owns the relevant data, and whether the service provider has any retention rights over the data. (3) A financial institution or financial intermediary must manage the termination of the outsourcing arrangement, which may include arrangements in respect of: (a) termination rights in case of insolvency, liquidation, change in ownership, failure to comply with regulatory requirements, poor performance, breach of confidentiality and other circumstances; (b) minimum periods before a termination can take effect, allowing for an orderly transition either to another service provider or to the financial institution or financial intermediary themselves, and to provide for the return of all client-related data, the data of the financial institution or financial intermediary and any other resources; and (c) clear delineation of ownership of information and specifications relating to the transfer of information back to the financial institution or financial intermediary, including confirmation of deletion of records, and confirmation of transfer of information. Assessment of outsourcing options 15. (1) A financial institution or financial intermediary must demonstrate to NAMFISA, as required, that in assessing the options for outsourcing, they have - (a) complied with this Standard and considered all seven outsourcing principles specified under this Standard; and (b) ensured that – (i) risks associated with the outsourcing are appropriately assessed, monitored, managed and regularly reviewed; and (ii) an internal audit function, or in situations where internal audit capabilities do not exist, an alternative arrangement is in place to review any proposed outsourcing, and to regularly review and report to the board, audit committee or senior management on the financial institution’s or financial intermediary’s compliance to their outsourcing policy. (2) In the event that NAMFISA considers the audit arrangements referred to under sub￾clause (1)(b)(ii) to be inadequate, NAMFISA may require the financial institution or financial

intermediary to adopt an alternative audit arrangement. In-sourcing arrangements 16. A financial institution or financial intermediary must be able to demonstrate, through supporting documentation which includes a due diligence report, the selection criteria and the outsourcing agreement with the service provider, submitted to NAMFISA as and when required, that in assessing the options for an in-sourcing arrangement, they have taken into account: (a) the changes to the risk profile of the business that arise from the in-sourcing arrangement, and the manner in which this changed risk profile is to be addressed in the risk management framework of the financial institution or financial intermediary; (b) the cost of the services being provided and that the financial institution or financial intermediary has taken steps to ensure that the cost is commensurate to the fair value of like services that could be provided by an arm’s-length service provider; (c) the ability of the service provider to conduct the material business function; (d) the monitoring procedures necessary to ensure that the service provider is performing effectively, and the manner in which any potential inadequate performance will be addressed; and (e) that the in-sourcing arrangement complies with this Standard. Off-shoring arrangements 17. (1) A financial institution or financial intermediary must be able to demonstrate, through supporting documentation which includes a due diligence report, the selection criteria and the outsourcing agreement with the service provider, submitted to NAMFISA as and when required, that in assessing the options for an off-shoring arrangement, they have taken into account: (a) the changes to the risk profile of the business that arise from the off-shoring arrangement, and the manner in which this changed risk profile is to be addressed in the risk management framework of the financial institution or financial intermediary; (b) the cost of the services being provided and that the financial institution or financial intermediary has taken steps to ensure that the cost is commensurate to the fair value of like services that could be provided by an arm’s-length service provider; (c) the ability of the service provider to conduct the material business function; (d) the monitoring procedures necessary to ensure that the service provider is performing effectively, and the manner in which any potential inadequate performance will be addressed; and (e) that the off-shoring arrangement complies with this Standard.

(2) A financial institution or financial intermediary must, prior to entering into an off￾shoring arrangement with a service provider – (a) seek written approval from NAMFISA and provide detailed justification why the function or activity cannot be feasibly conducted in Namibia; and (b) assess and ensure that the risks of the off-shoring arrangement are adequately addressed in the financial institution’s or financial intermediary’s risk management framework. (3) If NAMFISA determines that the off-shoring arrangement involves risks that the financial institution or financial intermediary is not managing, or will not be able to manage appropriately, NAMFISA may require the financial institution or financial intermediary to make alternative arrangements for the performance of the material business function if the financial institution or financial intermediary cannot satisfy such concerns within the period specified by NAMFISA. Notification requirement 18. (1) A financial institution or financial intermediary must notify NAMFISA, in writing not later than 30 business days after entering into an outsourcing agreement, of such agreement. (2) A financial institution or financial intermediary must notify NAMFISA, in writing not later than 30 business days after an extension, renewal or amendment of an outsourcing agreement, of such extension, renewal or amendment. (3) Any notification made to NAMFISA in terms of sub-clauses (1) or (2) must also be accompanied by a summary of the key risks involved with the outsourcing, and the mitigation strategies put in place to address those risks. (4) If NAMFISA considers it necessary, it may request additional information and material in order to assess the impact of the outsourcing on the risk profile of the financial institution or financial intermediary and their regulatory obligations. (5) A financial institution or financial intermediary must notify NAMFISA, in writing not later than 30 business days after becoming aware of any material developments, as assessed and determined by the financial institution or financial intermediary, which may give rise to the termination of the outsourcing agreement other than termination due to the agreement reaching its termination date naturally. Transitional period in respect of existing outsourcing arrangements 19. (1) A transitional period of 12 months, from the effective date of this Standard, is provided in respect of existing outsourcing arrangements. (2) Financial institutions and financial intermediaries must take the necessary steps to ensure existing outsourcing arrangements are reviewed within the transitional period in order for it to comply with the requirements of this Standard directly following the expiry of the transitional period.

SUPPORTING SCHEDULES The following supporting schedules are attached to and forms part of this Standard: SCHEDULE 1: MINIMUM CONTRACTUAL OBLIGATIONS TO BE PROVIDED FOR IN OUTSOURCING AGREEMENTS SCHEDULE 2: PRINCIPAL BUSINESS FUNCTIONS OR ACTIVITIES THAT MAY NOT BE OUTSOURCED

SCHEDULE 1 (to Standard GEN.S.10.10) MINIMUM CONTRACTUAL OBLIGATIONS TO BE PROVIDED FOR IN OUTSOURCING AGREEMENTS In addition to any requirements specified in the Standard, the contract for the outsourcing of a material business function must, at a minimum, outline the scope, nature and quality of the service to be provided, the monitoring thereof and the reporting requirements of the service provider, and specify the following: (a) duration of the outsourcing; (b) type and frequency of the material business function to be performed; (c) level and standard of service that must be rendered by the service provider, and in particular, in relation to emergency procedures, disaster recovery and contingency plans; (d) appropriate governance, risk management and internal controls to perform the outsourced function; (e) disclosures relating to conflict of interest and the management of conflict of interest; (f) remuneration or consideration payable, or the basis on which the remuneration or consideration payable will be calculated; (g) remedies for non-performance of obligations; (h) performance metrics against which the service provider will be assessed and against which the service provider must report; (i) type and frequency of reporting by the service provider; (j) monitoring of the periodic performance of the service provider and compliance with the outsourcing agreement, and the manner in and means by which that monitoring will take place; (k) confidentiality, privacy and the security of information and data of the financial institution, financial intermediary and their clients, and disclosure to third parties; (l) sub-outsourcing arrangement; (m) business contingency processes, including the continuity of functions or activities if the service provider is placed under curatorship, business rescue, becomes insolvent, is liquidated or is for any reason unable to continue to render the outsourced business function in accordance with the outsourcing agreement; (n) the circumstances under which the financial institution or financial intermediary may terminate the outsourcing agreement and a reasonable termination period

irrespective of the circumstances under which the agreement is terminated (including the lapsing or non-renewal of the agreement) that will allow the financial institution or financial intermediary to implement its contingency plans; (o) indemnity and liability provisions; (p) provisions regarding the cross-border flow of information and services; (q) undertakings related to the security of automated systems to be used by the service provider, appropriate even when outsourced to cloud service providers, including the technical and non-technical organisation-wide measures protecting both the financial institution or financial intermediary and their client’s related data, as well as market sensitive data; (r) rights of each party to change or require changes to security procedures, and requirements and the circumstances under which such changes might occur; (s) terms and conditions relevant to the use of sub-contractors with respect to information technology security; (t) obligations to disclose any breaches of the provisions contained in the outsourcing agreement, including but not limited to information technology breaches which relate to the financial intermediary or financial institution or their clients. The requirements for the reporting of the breach must include – (i) an explanation of the nature of breach experienced; (ii) a statement of when the breach was discovered, the manner in which it was discovered and how long it had existed before being discovered and reported; (iii) the time to correct the issue; (iv) a clear statement of the data content that has been exposed, and whether any part of the data relates to clients of the financial institution or financial intermediary; (v) an explanation of how the security breach was resolved, and the controls that were implemented to achieve this; and (vi) an explanation of the measures that will be undertaken by the service provider to prevent recurrence of the security breach of the data loss; (u) warranties or guarantees to be furnished and insurance to be secured by the service provider in respect of their ability to fulfil their contractual obligations; (v) a process for dispute resolution; (w) for off-shoring arrangements, the choice of law and jurisdiction of the relevant court provided there is conflict with Namibian law; and (x) signature.

SCHEDULE 2 (to Standard GEN.S.10.10) PRINCIPAL BUSINESS THAT MAY NOT BE OUTSOURCED Chapter Financial Institution Principal business function or activity 2 Insurer (i) Assessing, determining and deciding on claims; and (ii) Assessing and deciding to accept or decline risk. Reinsurer (i) Assessing, determining, and deciding on claims; and (ii) Assessing and deciding to accept or decline risk. 3 Central Securities Depository (i) Facilitating the safekeeping (custody) of securities; (ii) Supervision of participants; and (iii) Settlement of securities. Exchange (i) Facilitating the infrastructure for the buying, selling and matching of securities; and (ii) Supervision of stockbrokers. Securities Clearing House Clearing of securities trades. 4 Collective Investment Scheme (i) Establishing collective investment schemes; (ii) Establishing portfolios; and (iii) Fund administration (includes pricing of participatory interests and reporting). 5 Retirement fund (i) Benefit design; (ii) Eligibility of determining members/ employers participation into the retirement fund; (iii) Holding of contributions; (iv) Awarding, assigning, authorising investment mandates; (v) Assessing and determining claims; and (vi) Payment of benefits for defined benefit retirement funds. Beneficiary Fund (i) Benefit design; (ii) Admission of members; (iii) Holding of contributions; (iv) Awarding, assigning, authorising investment mandates; (v) Assessing and determining claims; and (vi) Payment of benefits for defined benefit funds. 6 Friendly Society (i) Benefit design; (ii) Holding of contributions; (iii) Admission of members; (iv) Assessing and determining claims; and (v) Assessing and deciding to accept or decline risk. 7 Medical Aid Funds (i) Assessing and determining claims; (ii) Defraying healthcare related expenses on

behalf of members; (iii) Benefit/product design; (iv) Executive management and governance functions; (v) Holding of contributions; and (vi) Awarding, assigning, authorising investment mandates. Chapter Financial Intermediary Principal business function or activity 2 Insurance Broker Providing financial advice. 3 Investment Manager Portfolio management. Stockbroker Dealing and executing trades. Linked Investment Service Provider Implementation or capturing investment instructions on behalf of a client or another person. Securities Advisor Investment planning, security analysis and asset allocation. Securities Dealer Dealing (buying and selling) of securities. Participant Clearing and settlement of transactions. Securities Rating Agency Credit rating assignments (includes issuer credit rating and debt instrument rating). 4 Manager of Collective Investment Scheme (i) Operating, controlling and managing Collective Investment Scheme; (ii) Receiving, paying or investing money or other assets including income accruals; (iii) Selling, repurchasing, issuing or cancelling of a participatory interest, giving financial advice or disclosing information on any matters to investors or potential investors; and (iv) Buying and selling of assets or the handing over of the assets to a trustee or custodian for safe custody. Nominee Company Holding of assets on behalf of persons. Trustee or Custodian Safekeeping and holding of assets (custodial services). 5 Fund Administrator (i) Functions and duties outsourced to a fund administrator may not be outsourced; and (ii) Providing financial advice. 7 Medical Aid Fund Broker (i) Functions and duties outsourced to a medical aid fund broker may not be outsourced; and (ii) Providing financial advice. 8 Fund Administrator (i) Functions and duties outsourced to a fund administrator may not be outsourced; and (ii) Providing financial advice.