GUIDELINES ON OUTSOURCING ARRANGEMENTS



Similar documents
SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Statement of Guidance: Outsourcing All Regulated Entities

GUIDANCE NOTE ON OUTSOURCING

Objective and key requirements of this Prudential Standard

Managing Outsourcing Arrangements

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

Guidance note on Outsourcing/Delegation of Functions and inward outsourcing

Guidance Note on Outsourcing/Delegation of Functions

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

14 December 2006 GUIDELINES ON OUTSOURCING

Financial Services Guidance Note Outsourcing

Mapping of outsourcing requirements

POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

OUTSOURCING POLICY

Supervisory Policy Manual

GUIDANCE FOR MANAGING THIRD-PARTY RISK

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

Draft Guidelines on Outsourcing of activities by Insurance Companies

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

Outsourcing Risk Guidance Note for Banks

NOTICE ON OUTSOURCING

Prudential Practice Guide

CORPORATE GOVERNANCE POLICY Srei Equipment Finance Limited

Guidelines. ADI Authorisation Guidelines. Australian Prudential Regulation Authority. April 2008

Privacy Statement Relating to the Collection, Use and Disclosure of Personal Data & Customer Information

Statement of Principles

Clearing and Settlement Procedures. New Zealand Clearing Limited. Clearing and Settlement Procedures

CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

Pursuant to Article 95, item 3 of the Constitution of Montenegro I hereby pass the ENACTMENT PROCLAIMING THE LAW ON BANKS

Any business relationship between a bank and another entity, by contract or otherwise

POLICY STATEMENT AND GUIDANCE NOTES ON: (1) OUTSOURCING; AND

Credit Union Liability with Third-Party Processors

Guideline. Outsourcing of Business Activities, Functions and Processes. Category: Sound Business and Financial Practices

Basel Committee on Banking Supervision. Consolidated KYC Risk Management

RS Official Gazette, No 51/2015

Requirements made under the Intermediaries Byelaw

Authorisation Requirements and Standards for Debt Management Firms

Cloud Computing: Legal Risks and Best Practices

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

Principles on Outsourcing by Markets

System of Governance

NOTICE TO BANKS MONETARY AUTHORITY OF SINGAPORE ACT, CAP. 186 PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS

Appendix 1. This appendix is a proposed new module of the DFSA Rulebook. Therefore, the text is not underlined as it is all new text.

August 10, Many of these principles will be familiar to U.S. readers, but these are global principles that would be new to many countries.

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C.

Board means the Board of Directors of each of Scentre Group Limited, Scentre Management Limited, RE1 Limited and RE2 Limited.

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

Risk Management of Outsourced Technology Services. November 28, 2000

OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008

Regulation for Establishing the Internal Control System of an Investment Management Company

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS PRINCIPLES FOR THE CONDUCT OF INSURANCE BUSINESS

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

Managing General Agents (MGAs) Guideline

Electronic Payment Schemes Guidelines

LIST OF AVAILABLE COURSES

Finansinspektionen s Regulatory Code

SUPERVISORY AND REGULATORY GUIDELINES: PU BUSINESS CONTINUITY GUIDELINES

LAW ON PROVIDING FAST MONEY TRANSFER SERVICES (unofficial fair copy) 1 I. GENERAL PROVISIONS

GUIDELINES ON OUTSOURCING

Application for a Banking Authority Foreign Bank Branches Prudential Statement J2

GUIDANCE PAPER No. 2 ON CORPORATE GOVERNANCE IN INSURANCE COMPANIES

PRINCIPLES OF CORPORATE GOVERNANCE FOR SUPERVISED INSTITUTIONS

PART A : OVERVIEW INTRODUCTION OBJECTIVE SCOPE APPLICABILITY DEFINITION LEGAL PROVISIONS...

DEVELOPING AN AML (ANTI-MONEY LAUNDERING) PROGRAM:

Approach to Regulating and Supervising Financial Groups

Policy Statement: Licensing Policy in respect of those activities that require a permit under the Insurance Business (Jersey) Law 1996

Part 1 of Schedule 1 of IFSA

OUTSOURCING REGULATIONS IN THE BANKING AND INSURANCE INDUSTRIES IN ASIA PACIFIC

Banking Supervision Policy Statement No.18. Agent Banking Guideline

CONTENT OF THE AUDIT LAW

Application for Status as a Registered Bank:

APES GN 30 Outsourced Services

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2

Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

BAC to the Basics: Business Associate Contracts Made Easy

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

SUPERVISION GUIDELINE

TO ALL CHIEF EXECUTIVE OFFICERS OF BANKS, BRANCHES OF FOREIGN BANKS AND MUTUAL BANKS

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

July Objectives and key requirements of this Prudential Standard

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Code of Conduct for Mobile Money Providers

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. ) CONSENT ORDER. ) FDIC b

Consultation Document: Review of the Treatment of Charitable and Religious Organisations under the Non-bank Deposit Takers Regime

Solvency Assessment and Management: Pillar II Sub Committee Governance Task Group Discussion Document 81 (v 3)

THE CORPORATE GOVERNANCE CODE FOR THE COMPANIES LISTED ON THE NATIONAL STOCK EXCHANGE OF LITHUANIA

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. CALIFORNIA DEPARTMENT OF FINANCIAL INSTITUTIONS SAN FRANCISCO, CALIFORNIA

The Banking Act of 29 August 1997 (Journal of Laws of 2015, item 128) (consolidated version) CHAPTER 1 GENERAL PROVISIONS

Transcription:

GUIDELINES ON OUTSOURCING ARRANGEMENTS STATE BANK OF PAKISTAN BANKING POLICY & REGULATIONS DEPARTMENT KARACHI

CONTENTS Page No I INTRODUCTION:... 1 II APPLICABILITY:... 1 III DEFINITION OF OUTSOURCING:... 2 IV POLICY FOR OUTSOURCING ARRANGEMENTS:... 2 V - TIMINGS AND TRANSITORY REQUIREMENTS:... 3 VI - MATERIAL OUTSOURCING:... 3 VII RESTRICTED ACTIVITIES:... 5 VIII INFORMATION TECHNOLOGY OUTSOURCING:... 6 IX REQUIREMENTS FOR OUTSOURCING:... 6 1. Accountability:... 6 2. Due Diligence:... 7 3. Confidentiality of Customer Information in Outsourced Functions:... 8 4. Continued Supervision:... 8 5. Anti-Money Laundering Requirements:... 9 6. Redressal of Grievances about Outsourced Services:... 9 7. Contingency Planning:... 9 X - BOARD & MANAGEMENT RESPONSIBILITIES:... 10 XI - THE OUTSOURCING AGREEMENT:... 10

I INTRODUCTION: 1. Banks are increasingly using third party services to carry out activities, functions and processes as outsourcing arrangements to meet new & complex challenges like innovation in technology, increasing competition, economies of scale and improvement in quality of service to clients (i.e., customers, depositors or investors). The practice, however, can increase their dependence on third parties and consequently their risk profile. In order to allow the licensed institutions to effectively manage the outsourcing arrangements, the guidelines have been formulated to ensure that they are able to meet their financing and service obligations. These guidelines, however, in no way encourage outsourcing, especially the performance of core banking functions. 2. The licensed institutions, while deciding to outsource any function, should ensure that outsourcing should not reduce the protection available to depositors or investors nor be used as a way of avoiding compliance with regulatory requirements. It will be responsibility of the licensed institutions to continue to satisfy all regulatory/legal requirements issued to them from time to time, while entering into any outsourcing arrangement. II APPLICABILITY: 3. The guidelines are applicable on all outsourcing arrangements entered into by: i) Commercial banks, Islamic banks, and stand alone Islamic banking branches (hereinafter referred exclusively as banks ) licensed under Banking Companies Ordinance, 1962(BCO, 1962). ii) Development Financial Institutions(DFIs) as notified under section 3-A of the BCO, 1962. iii) Microfinance Banks and Standalone Microfinance Branches licensed under Microfinance Institutions Ordinance 2001 and Khushhali Bank BPRD 1 SBP

established under the Khushhali Bank (Microfinance Bank) Ordinance 2000. Banks, DFIs and Microfinance Banks (MFBs) are hereinafter jointly referred to as licenced institutions. 4. These guidelines are applicable on all outsourcing arrangements with local as well as foreign service providers. III DEFINITION OF OUTSOURCING: 5. For the purpose of these guidelines, outsourcing means use of a third party (affiliated entity or un-affiliated) to perform material activities normally to save money and/or use the skills/technology of another entity on a continuing basis that would normally be undertaken by licenced institutions, now or in the future. However, it will not cover purchase contracts, for example, contracts to purchase standardized products such as furniture, software, Automated Teller Machine (ATM), etc. Any licensed institution may approach State Bank of Pakistan (SBP) if it is uncertain whether a particular arrangement falls within this definition. 6. Third party or service provider for the purpose of these guidelines refers to the entity that is undertaking the outsourced activity on behalf of the licenced institution. IV POLICY FOR OUTSOURCING ARRANGEMENTS: 7. Licenced institutions should develop outsourcing policy duly approved by their Board of Directors. The outsourcing policy should include detailed framework for managing outsourcing arrangements, roles and responsibilities of board of directors and management, risk mitigation measures and systems for review and monitoring of these activities. The policy should also include all the requirements as laid down in these guidelines. The outsourcing policy should be disseminated across the institution for information and compliance. BPRD 2 SBP

V - TIMINGS AND TRANSITORY REQUIREMENTS: 8. All those licensed institutions which have made any outsourcing arrangements or are interested in entering into such arrangements are required to formulate the outsourcing policy and submit a copy thereof to SBP duly approved by their respective Board of Directors within three months of issuance of these guidelines. If such a policy already exists, licensed institutions should ensure that it is aligned with the guidelines and submit a copy of the policy to SBP within 3 months. 9. All new outsourcing arrangements as well as renewal of existing arrangements should be made in terms of outsourcing policy of the licenced institution prepared in light of these guidelines. The licenced institutions should submit details of all existing material outsourcing arrangements to SBP for its information. All proposals to outsource material functions within Pakistan should be submitted for information to Banking Policy and Regulations Department in writing well in advance (at least 30 business days) of the commencement of outsourcing arrangement. Licenced institution will also inform SBP within seven days of commencement of such an arrangement. 10. In case of any adverse developments relating to material outsourcing arrangement that could significantly/adversely affect the institution, licenced institutions must inform SBP immediately along with measures for continuity of the service. VI - MATERIAL OUTSOURCING: 11. In general terms, material outsourcing refers to an outsourcing arrangement which, if disrupted, has the potential to significantly impact an institution s business operations, reputation or profitability. Material functions are those that are fundamental to the conduct of business of licenced institutions. BPRD 3 SBP

12. It is responsibility of the licensed institutions to assess whether the function being outsourced is material or not. Further, the board and senior management of the institution should follow a systematic process to identify risks to which their institution is exposed as a result of outsourcing the material function. The licenced institution should assess the following factors while deciding whether a function to be outsourced is material or not:- Importance of the business activity to be outsourced, for example, in terms of its contribution to income and profit; Potential impact of the outsourcing on earnings, solvency, liquidity, funding, capital, and risk profile; Impact on the institution s reputation and brand value, and ability to achieve its business objectives, strategy and plans, should the service provider fail to perform the service; Cost of the outsourcing as a proportion of total operating costs of the institution; Aggregate exposure to a particular service provider in cases where the institution outsources various functions to the same service provider; Ability to maintain appropriate internal controls and meet regulatory requirements, if there are operational problems faced by the service provider; and Any other factor that the licensed institution may consider appropriate for evaluating the materiality. 13. The licensed institutions may include appropriate quantitative criteria in their assessment while carefully analyzing and assessing assumptions behind those criteria. BPRD 4 SBP

VII RESTRICTED ACTIVITIES: 14. There are certain core management high risk functions that require effective involvement of board of directors and senior management on continuing basis. As such, licenced institutions are not allowed to outsource their core activities, functions and processes. Specifically they cannot outsource risk management function, internal audit function, treasury function, internal control function, compliance functions and decision-making including determining compliance with Know Your Customer (KYC) requirements for opening deposit accounts & credit functions. 15. Outsourcing of Information Technology (IT) Audit is allowed subject to conditions that: (a) licenced institution will make arrangements for capacity building of their staff enabling them to perform IT Audit internally in future and (b) the existing external auditor of the licensed institution is not assigned the task of IT audit. 16. Any outsourcing outside Pakistan will require SBP s prior approval. No offshore outsourcing arrangement will be allowed in case the offshore service provider is not a regulated entity. All such requests should include details of the functions to be outsourced, rationale for the outsourcing, details relating to the proposed service provider, data to be transferred, legal opinion on confidentiality of data and a description of the methods that the licenced institution will employ to ensure that it retains its ability to control and monitor the outsourced functions. 17. Sub-contracting of material outsourcing arrangements both in case of local and offshore outsourcing is not allowed. State Bank of Pakistan reserves the right in all outsourcing cases to review proposals/restrict the licenced institution to enter/stop any local/off-shore outsourcing agreement with any party. In such cases, SBP will provide full opportunity to the licenced institution for a representation in writing. BPRD 5 SBP

18. The licenced institution will not enter into outsourcing arrangement of any kind with service providers whose ownership fully/partly include management/employees of the licensed institutions. VIII INFORMATION TECHNOLOGY OUTSOURCING: 19. The licenced institutions may utilize IT outsourcing services within Pakistan and abroad within the parameters of its outsourcing policy and these guidelines. It will be responsibility of the licensed institution to provide uninterrupted services to the customers in a reliable manner. They should assess legal risk arising out of offshore IT outsourcing, especially on maintaining confidentiality of customers information, operational risk ensued from using cross border IT services and international communication, as well as country risk of off-shore service provider s country. 20. They should ensure that information needed for operations is available domestically in the event that there is an interruption in cross border communication, and is also available for inspection by SBP at any time. Moreover, service provider abroad will give its written consent to SBP that it is a regulated entity and, if required, will provide access to its operations. IX REQUIREMENTS FOR OUTSOURCING: 1. Accountability: 21. In any outsourcing arrangement, the accountability for the business activity remains with the licenced institution, though day-to-day managerial responsibility of the function moves to the service provider. The licenced institutions should assess the risks arising out of outsourcing of business activity and ensure that they are adequately captured within their risk management framework. Further, they should be able to address all risks associated with the business activity to the same extent as they would be if the activity was performed in house. BPRD 6 SBP

22. The State Bank will hold the board and management responsible for ensuring that the outsourced functions are carried out to an appropriate standard and that the integrity of the systems and controls is maintained. The management must have adequate procedures in place and ability to monitor and control the outsourced function on an ongoing basis. The licensed institutions should be in a position to satisfy all the reporting requirements related to outsourced arrangement. 2. Due Diligence: 23. The licenced institution should first internally carry out due diligence of the business activity to be outsourced. They should then do a detailed due diligence of the service providers before finalizing outsourcing arrangement. The due diligence process of service provided should encompass assessment of all areas including the experience, technical competence, financial strength, reputation, existence of control framework, performance standards, policies, procedures, compliance, reporting and monitoring environment and business continuity planning. The due diligence should also address other issues, such as potential conflicts of interest in case service provider is related/affiliated party, or where it provides similar services to competitors. In cases where only one specialist service provider is operating for a certain outsourcing activity, licenced institution will be required to enhance the due diligence process to mitigate new risks like access, contractual, compliance and operational risks. 24. When the service is being supplied from abroad, the due diligence should also involve review of the regulatory requirements of the service providers country, specially the conflicting requirements, political, economic and social conditions, and events that may limit the foreign service provider s ability to provide the service as well as any additional risk factor(s) that may needs to be made part of risk management framework. The licenced institution should review BPRD 7 SBP

the service provider, at least on an annual basis, to ascertain its ability to deliver the outsourcing arrangement in the manner expected. 3. Confidentiality of Customer Information in Outsourced Functions: 25. The outsourcing of banking services usually involves transfer of customer/client data to the third party, which raises issue of privacy/confidentiality of customers data. It is important that before providing data to third party, the licenced institution should ensure that proposed outsourcing arrangement complies with the relevant statutory requirements related to confidentiality of its customers/clients, specifically the provision of Banking Companies Ordinance, 1962, relevant local laws, regulations and instructions issued by SBP from time to time. The licenced institutions should establish proper safeguards to protect the integrity and confidentiality of customer information including their prior consent. 26. In case of outsourcing arrangement that involves disclosure of confidential information to service provider abroad, the licenced institution should seek prior written approval of SBP. Such approval is necessary regardless of the fact that the specified data is provided to a third party or head office of foreign banking company, it s holding or Group Company. Such requests should be submitted in terms of requirements listed in para 16 above. 4. Continued Supervision: 27. The State Bank must be in a position to continue its supervision of the function outsourced by a licensed institution. All outsourcing agreements to be signed by the licensed institution, should include a clause for providing SBP access to documentation and accounting records in relation to the outsourced activities and right to conduct on-site visits to the service provider, if required. Outsourcing should not be allowed to entities or jurisdictions including foreign jurisdictions where visits by the staff of the licenced institution, external BPRD 8 SBP

auditors or SBP inspectors would be impractical/prohibited. Exceptions may be made where, for example, the outsourcing is to other group entities or where alternative arrangements can be made with external auditors or with financial regulators in those jurisdictions to exchange supervisory information. 28. In general, approvals as envisaged in para 16 and 26, will only be granted where the outsourcing is to a regulated entity in a jurisdiction with high standard of regulation or supervision. If SBP so requires, the service provider must give consent of its home regulator to release any relevant information in relation to its operations that the SBP would wish to receive and in no case should it be prohibited, implicitly or explicitly, from doing so. 29. In the event SBP is prevented, for whatever reason, from accessing the outsoucee or its record relating to outsourced function, SBP can direct licensed institution to discontinue such outsourcing arrangement. 5. Anti-Money Laundering Requirements: 30. The licensed institutions must satisfy the SBP that outsourcing activity does not violate any statutory/prudential requirements on anti-money laundering or record keeping procedures as per existing laws/rules and regulations of local as well as foreign jurisdiction. 6. Redressal of Grievances about Outsourced Services: 31. The licensed institutions will give a well defined mechanism for redressal of complaints of their customers regarding outsourced services and the service provider will make sure that they facilitate the redressal mechanism. 7. Contingency Planning: 32. Where a material business activity is outsourced, the licensed institution should have a contingency plan which outlines the procedures to be followed in BPRD 9 SBP

the event that the arrangement is suddenly terminated or the outsourcee is unable to fulfill its obligations under the outsourcing agreement for any reason. X - BOARD & MANAGEMENT RESPONSIBILITIES: 33. As envisaged in the Prudential Regulation G-1 of the Prudential Regulations for Corporate/Commercial Banking, the Board of Directors focus on policy making and shall ensure that well designed policies and procedures, and adequate risk mitigation practices are in place for the effective oversight and management of outsourcing arrangements. The Board shall ensure that requirement of outsourcing does emanate from the business strategy of the licensed institutions. 34. The functions of the board in case of a foreign banking company can be delegated to and performed by a local or regional management committee. All material outsourcing arrangements should be approved by the board or its committee. However, managing of the outsourcing arrangements will be responsibility of the management, who should develop Management Information System to regularly inform and update the Board about the progress. 35. The management of the licensed institution, before entering into any outsourcing arrangement, should carry out formal evaluation, sign the contract with appropriate service level agreements and ensure that the confidentiality provisions and security needs are adequately addressed. Further, the audit function should regularly review performance under the outsourcing arrangement. XI - THE OUTSOURCING AGREEMENT: 36. Outsourcing arrangements should be undertaken using a written, legally binding agreement. At a minimum, the contract should address the following issues: (a) Service levels and performance requirements; (b) Audit and monitoring procedures; BPRD 10 SBP

(c) Business continuity plans; (d) Default arrangements and termination provisions; (e) Pricing and fee structure; (f) Dispute resolution arrangements; (g) Liability and indemnity; (h) Confidentiality, privacy and security of information. (i) Ensuring access to SBP. 37. A copy of the agreement signed by the licensed institution with the service provider shall be submitted to the SBP for information. ****************** BPRD 11 SBP

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information