2021-11-11

Added · Updated

Outsourcing (GEN.S.10.10)

NAMFISA has issued Standard GEN.10-10 to regulate the outsourcing of material business functions by financial institutions and intermediaries to external service providers. The Standard mandates board and senior management oversight, requires comprehensive written outsourcing agreements with explicit sub-contracting liability and off-shoring consultation provisions, and enforces continuous performance monitoring alongside fair remuneration. Industry participants must notify NAMFISA of new or amended agreements within thirty business days, while the regulator retains direct access to service providers and discretionary authority to adjust or exclude specific requirements.

Namibia Financial Institutions Supervisory Authority logo

Namibia

Namibia Financial Institutions Supervisory Authority

Click to view thumbnail

Outsourcing of functions and responsibilities by financial institutions and financial intermediaries Standard GEN. 10-10 made by NAMFISA under subsection 410(2)(x) of the Financial Institutions and Markets Act, 2021 OUTSOURCING OF FUNCTIONS AND RESPONSIBILITIES BY FINANCIAL INSTITUTIONS AND FINANCIAL INTERMEDIARIES

  1. Citation of Standard This Standard may be cited as Standard GEN.10-10.
  2. Interpretation of Standard This Standard applies to every industry participant and the material business functions of that industry participant, and to all service providers with respect to the outsourcing of any such material business function.
  3. Materiality (1) In determining whether a business function is a material business function, NAMFISA will exercise discretion with regard to such factors as: (a) the financial, operational and reputational impact of a failure of the service provider to perform the business function on the industry participant; (b) the potential impact of outsourcing the business function on the provision of financial services to the clients of the industry participant; (c) the potential losses to the clients of the industry participant on the failure of a service provider;

(d) the cost of the outsourcing arrangement; (e) the degree of difficulty, including the time it would take, in finding an alternative service provider or bringing the outsourced activity back in-house; (f) the ability of the industry participant to meet regulatory requirements if there are problems with the service provider; (g) any affiliation or association between the industry participant and the service provider; (h) any potential conflicts of interest that may result through outsourcing to a particular service provider; and (i) the regulatory status of the industry participant and, if applicable, of the service provider. (2) Any business function directly related to the principal business of the registered person is a material business function. (3) An industry participant must not enter into an outsourcing arrangement with a service provider with respect to: (a) its principal business; or (b) any business function that is deemed by NAMFISA as likely to inhibit the ability of the industry participant to perform its duties and obligations under the Act. 4. Requirements for outsourcing a material business function In assessing any potential outsourcing arrangements, an industry participant must take into account all relevant matters including, but not limited to, those referred to from sub-clauses 5 to 13. 5. The role of the board and senior management (1) The board and senior management of an industry participant that is an entity, in assessing a potential outsourcing arrangement, must:

(a) identify, assess, manage, mitigate and report to NAMFISA on risks associated with the outsourcing arrangement to ensure that the industry participant will remain able to meet its financial and other obligations to its clients and other stakeholders; (b) approve the industry participant’s outsourcing policy, which must set out the approach of the industry participant to outsourcing material business activities, including a detailed framework for managing all outsourcing arrangements; (c) ensure that the industry participant has procedures in place to ensure that all of its officers and relevant business units are fully aware of, and comply with, the outsourcing policy; (2) The board and senior management of an industry participant are ultimately responsible for the outsourcing of a material business function by an industry participant, and although the outsourcing arrangement may result in the service provider having day-to-day managerial responsibility for a business function, the industry participant remains responsible for complying with the Act, (3) The board and senior management must ensure that the industry participant’s outsourcing risks and controls are taken into account as part of its overall risk management systems. (4) The board and senior management must ensure that the industry participant’s outsourcing policy sets out specific requirements in relation to outsourcing material business functions to: (a)subsidiaries, affiliates or associates; and (b)service providers located outside Namibia or conducting the material business activity outside Namibia. 6. Assessment of outsourcing options (1) An industry participant must be able to demonstrate to NAMFISA, as required, that, in assessing the options for outsourcing a material business function, the industry participant has: (a) prepared a business plan for outsourcing the material business function;

(b) undertaken a tender or other selection process for selecting the service provider; (c) undertaken a due diligence review of the chosen service provider; (d) involved the board, a committee of the board or senior manager and provided delegated authority from the board, in approving the outsourcing agreement; (e) considered all the matters outlined in clause 7(2) that must, at a minimum, be included in the outsourcing agreement; (f) established procedures for monitoring performance under the outsourcing agreement on a continuing basis; (g) addressed the renewal process for the outsourcing agreement and how the renewal will be conducted; (h) developed contingency plans that will enable the outsourced business activity to be provided by an alternative service provider or brought in-house if required; and (i) considered all key risks associated with the outsourcing and the risk mitigation strategies that will be put in place to address these risks. (2) In addition to the factors listed under sub-clause (1), an industry participant must be able to demonstrate to NAMFISA, as required, that in assessing the options for outsourcing to subsidiaries, affiliates or associates of the industry participant or a key person, it has taken into account: (a) the changes to the risk profile of the material business function that arise from outsourcing it to a subsidiary, affiliate or associate of the industry participant or of a key person, and the manner in which this changed risk profile is to be addressed in risk management framework of the industry participant; (b) the cost of the services being provided and that the industry participant has taken steps to ensure that the cost will not be greater than the fair value of like services that could be provided by an arm’s-length service provider;

(c) the ability of the subsidiary, affiliate or associate in question to conduct the business activity on an ongoing basis; and (d) the monitoring procedures necessary to ensure that the subsidiary, affiliate or associate is performing effectively, and the manner in which any potential inadequate performance will be addressed. 7. The outsourcing agreement (1) All outsourcing arrangements must be in writing, and the agreement, hereinafter the “Outsourcing Agreement”, must be signed by all parties before the outsourcing arrangement commences. (2) At a minimum, the Outsourcing Agreement must address the following matters: (a) the scope of the outsourcing arrangement and the business functions to be supplied; (b) commencement and termination dates; (c) provisions for review; (d) remuneration, pricing and fee structure; (e) service levels and performance requirements; (f) audit and monitoring procedures; (g) business continuity management and disaster recovery management; (h) confidentiality, privacy and security of information; (i) default arrangements and termination provisions; (j) dispute resolution arrangements; (k) liability and indemnity provisions;

(l) sub-contracting requirements; (m) insurance; and (n) to the extent applicable, off-shore arrangements (including through sub-contracting agreements). (3) An industry participant that outsources a material business function must ensure that the Outsourcing Agreement includes an indemnity to the effect that in the event of any sub￾contract by the service provider to another service provider, the original service provider remains responsible for that other service provider, including liability for any failure on the part of that other service provider. (4) Where an unexpected event results in: (a) the industry participant legally withdrawing from a continuous engagement under an Outsourcing Agreement; or (b) the sudden financial or operational failure of a service provider with whom the industry participant has entered into an Outsourcing Agreement, and it becomes necessary for the industry participant to enter into an Outsourcing Agreement with another service provider, then clauses 5(1) to 7(2) need to be complied with only to the extent that it is reasonably possible to do so, having regard to the nature of the unexpected event, and the industry participant must notify NAMFISA as soon as practicable of any such new Outsourcing Agreement and must fully comply with this Standard within a period not exceeding 90 business days. 8. Right of NAMFISA to access service providers (1) An Outsourcing Agreement must contain provisions that allow NAMFISA access to the service provider, including: (a) documentation and information held by the service provider relating to the outsourcing arrangement; and

(b) the right for NAMFISA to conduct on-site visits to the service provider if NAMFISA considers this necessary. (2)NAMFISA expects service provider to cooperate with any request NAMFISA may make for information and assistance, and will normally inform the industry participant if NAMFISA intends to undertake an on-site visit to a service provider. (3) The industry participant must take all reasonable steps to ensure that a service provider will not disclose that NAMFISA has conducted an on-site visit, except as necessary to coordinate with other industry participants that are clients of the service provider. 9. Off-shoring arrangements: requirement for consultation (1) An off-shoring arrangement means the outsourcing of a material business function by an industry participant to a service provider located outside Namibia or to a service provider located in Namibia but who conducts the material business function outside Namibia. (2) A regulated person must consult with NAMFISA prior to entering into an Outsourcing Agreement with any service provider referred to in sub-clause (1) so that NAMFISA may be satisfied that the risks of the off-shoring arrangement are adequately addressed by the industry participant’s risk management framework. (3) If, in NAMFISA’s view, an off-shoring arrangement involves risks that the industry participant is not managing or will not be able to manage appropriately, NAMFISA may require the industry participant to make other outsourcing arrangements for the material business function as soon as practicable, if the industry participant cannot satisfy such concerns of NAMFISA within a reasonable period or the period specified by NAMFISA. 10. Remuneration

Remuneration paid to a service provider pursuant to an Outsourcing Agreement must: (a) be reasonable and consistent with the fair value of the business function to be provided; (b) not be structured in a manner that may encourage the unreasonable or unfair treatment of the clients of the industry participant; and (c) not be linked to a measure that will result in, or encourage an activity that may result in, an undesirable practice or the mistreatment of the clients of the industry participant. 11. Monitoring (1) An industry participant must ensure that it has sufficient and appropriate resources to manage and monitor an Outsourcing Agreement at all times. (2) The type and extent of resources referred to in sub-clause (1) that are required will depend on the nature of the material business function to which the Outsourcing Agreement relates, and at a minimum, monitoring the Outsourcing Agreement must include: (a) maintaining appropriate levels of regular contact with the service provider, ranging from daily operational contact to senior management involvement; and (b) a process for regular monitoring of performance under the Outsourcing Agreement, including meeting criteria concerning service levels. (3) An industry participant must advise NAMFISA as soon as possible of any problems that have the potential to affect the Outsourcing Agreement and, as a consequence, to affect the business operations, profitability or reputation of the industry participant. (4) In the event that an Outsourcing Agreement is terminated, the industry participant must notify NAMFISA forthwith and provide a statement describing the transition arrangements and future strategies for carrying out the material business function.

  1. Audit arrangements (1) The audit committee or other dedicated internal audit function of an industry participant must review any proposed outsourcing arrangement relating to a material business function and must regularly review and report to the board or senior management on compliance by both the industry participant and the service provider with the industry participant’s outsourcing policy. (2) In the situation where an industry participant does not have an audit committee or other dedicated internal audit function, it must have in place an alternative arrangement, a description of which must be submitted to NAMFISA, and in the event that NAMFISA considers the arrangement to be inadequate, NAMFISA may require the industry participant to adopt some other arrangement satisfactory to NAMFISA. (3) NAMFISA may request the external auditor of an industry participant, or some other appropriate external expert, to assess the risk management processes in place with respect to an outsourcing arrangement related to a material business function and to provide a report thereon. [For example, this could cover areas such as information technology systems, data security, internal control frameworks and business continuity plans.] (4) A report referred to in sub-clause (3) must be paid for by the industry participant concerned and be made available to NAMFISA.

  2. Adjustments and exclusions NAMFISA may, by notice in writing to an industry participant, adjust or exclude a specific requirement of this Standard in relation to: (a) that particular industry participant; or (b) the outsourcing of a particular material business function by that industry participant.

  3. Notification requirement (1) An industry participant must notify NAMFISA as soon as possible after entering into an Outsourcing Agreement, and in any event no later than 30 business days after execution of the Outsourcing Agreement. (2) An industry participant must notify NAMFISA as soon as possible after any extension, renewal or amendment of an Outsourcing Agreement, and in any event no later than 30 business days after such extension, renewal or amendment comes into effect. (3) When an industry participant notifies NAMFISA of a new Outsourcing Agreement, it must also provide NAMFISA with a summary of the key risks involved in the outsourcing arrangement and the risk mitigation strategies put in place to address these risks, and NAMFISA, if NAMFISA considers it necessary, may request additional information and material in order to assess the impact of the outsourcing arrangement on the industry participant’s risk profile. (4) An industry participant must notify NAMFISA of any material developments (for example terminations, material non-performance or disputes), with respect to the outsourcing arrangement documented in any Outsourcing Agreement that take place prior to the termination of the Outsourcing Agreement.

  4. Compliance (1) An Outsourcing Agreement entered into on or after the date on which this Standard takes effect must comply with this Standard. (2) An Outsourcing Agreement entered into prior to the date on which this Standard takes effect must comply with this Standard from and after the date of any extension, renewal or amendment of the Outsourcing Agreement.