Bank of Papua New Guinea Prudential Standard BPS252: Outsourcing of Business Activities, Functions and Processes



Similar documents
SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Bank of Papua New Guinea Prudential Standard BPS251: Business Continuity Management

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

Objective and key requirements of this Prudential Standard

Guideline. Outsourcing of Business Activities, Functions and Processes. Category: Sound Business and Financial Practices

Prudential Practice Guide

OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008

GUIDANCE NOTE ON OUTSOURCING

OUTSOURCING POLICY

Managing Outsourcing Arrangements

SUPERVISION GUIDELINE

GUIDELINES ON OUTSOURCING ARRANGEMENTS

PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS

Outsourcing Risk Guidance Note for Banks

Statement of Guidance: Outsourcing All Regulated Entities

GUIDELINES ON OUTSOURCING

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

Financial Services Guidance Note Outsourcing

Guidance Note on Outsourcing/Delegation of Functions

Decision on outsourcing. Article 1

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

Supervisory Policy Manual

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

14 December 2006 GUIDELINES ON OUTSOURCING

Risk Management of Outsourced Technology Services. November 28, 2000

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS. Purpose

NOTICE ON OUTSOURCING

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Banking Supervision Policy Statement No.18. Agent Banking Guideline

Principles on Outsourcing by Markets

Draft Guidelines on Outsourcing of activities by Insurance Companies

Mapping of outsourcing requirements

GUIDELINES ON OUTSOURCING

Outsourcing. FSA Regulated firms (including offshore outsourcing) Contents. March 2004

BANKS AND DEPOSIT COMPANIES ACT 1999: The Outsourcing of Services or Functions by Institutions Licensed under the Banks and Deposit Companies Act 1999

Guidance note on Outsourcing/Delegation of Functions and inward outsourcing

Any business relationship between a bank and another entity, by contract or otherwise

POLICY STATEMENT AND GUIDANCE NOTES ON: (1) OUTSOURCING; AND

Guidelines. ADI Authorisation Guidelines. Australian Prudential Regulation Authority. April 2008

Credit Union Liability with Third-Party Processors

APES GN 30 Outsourced Services

Terms and Conditions of Offer and Contract (Works & Services) Conditions of Offer

Managing General Agents (MGAs) Guideline

STELLENBOSCH MUNICIPALITY

Clearing and Settlement Procedures. New Zealand Clearing Limited. Clearing and Settlement Procedures

CONTRACT MANAGEMENT POLICY

Business Continuity Management

Objectives and key requirements of this Prudential Standard

July Objectives and key requirements of this Prudential Standard

APES GN 30 Outsourced Services

OUTSOURCING REGULATIONS IN THE BANKING AND INSURANCE INDUSTRIES IN ASIA PACIFIC

Authorised Persons Regulations

Banking Guidance Note No. 1 Outsourcing of Services or Functions by Gibraltar- Licensed Banks. Date of Paper : 31 January 2000 Version Number : 1.

If you are in full agreement with the document, kindly return the signature page at the end of the documents

Procurement of Goods, Services and Works Policy

Statement of Principles

Appendix A. Call-off Terms and Conditions for the Provision of Services

Appendix 1. This appendix is a proposed new module of the DFSA Rulebook. Therefore, the text is not underlined as it is all new text.

GENERAL INSURANCE CODE OF PRACTICE 2014

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

Supervisory Policy Manual

Are You Ready for the New Foreclosure Processing Regulations?

Authorisation Requirements and Standards for Debt Management Firms

REGULATION FOR LIFE INSURANCE AND FAMILY TAKAFUL INSURANCE BUSINESSES ON PREVENTION OF MONEY LAUNDERING AND FINANCING OF TERRORISM

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

To: Our Clients and Friends March 25, 2014

ACT ON BANKS. The National Council of the Slovak Republic has adopted this Act: SECTION I PART ONE BASIC PROVISIONS. Article 1

Real Estate Agents Act (Professional Conduct and Client Care) Rules 2012

InterAnalysis Limited Sales and Licence Agreement

Requirements made under the Intermediaries Byelaw

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

Corporate Standard. Contractor Management

Third Party Relationships

Breed Communications Limited - limited company consultancy agreement

PROCEDURES FOR ENVIRONMENTAL AND SOCIAL APPRAISAL AND MONITORING OF INVESTMENT PROJECTS

SECURITIES AND FUTURES ACT (CAP. 289)

Application for a Banking Authority Foreign Bank Branches Prudential Statement J2

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Business Continuity Management

Outsourcing Technology Services A Management Decision

CHAPTER 11 MONEY BROKERS

VII 4.1. VII. Unfair and Deceptive Practices Third Party Risk. Third Party Risk. Introduction. Background

Privacy Statement Relating to the Collection, Use and Disclosure of Personal Data & Customer Information

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

TERMS OF BUSINESS FROM ROYAL LONDON INCORPORATING OUR TRADING NAME SCOTTISH PROVIDENT

Standard Conditions of Appointment. Architect s Copy ONLINE VERSION ONLINE VERSION ONLINE VERSION. for an Architect (CA-S-07-A)

The Banking Act of 29 August 1997 (Journal of Laws of 2015, item 128) (consolidated version) CHAPTER 1 GENERAL PROVISIONS

COLLECTIVE INVESTMENT LAW DIFC LAW No. 2 of 2010

Firm Registration Form

Prudential Standard CPS 232 Business Continuity Management

Chase Surety Bond Facility Application Form

English Translation of Finance Companies Control Law

Transcription:

Bank of Papua New Guinea Prudential Standard BPS252: Outsourcing of Business Activities, Functions and Processes Issued under Section 27 of the Banks and Financial Institutions Act 2000

Overview and Key Requirements Outsourcing involves an Authorised Institution entering into an arrangement with another party (including a related company) to perform, on a continuing basis, a business activity that currently is, or could be, undertaken by the Authorised Institution itself. Authorised Institutions outsource business activities, functions and processes to meet the challenges of technological innovation, specialisation, cost control and competition. However, outsourcing can increase dependence on third parties that in turn, may increase the risk profile of the institution. This Prudential Standard aims to ensure that each Authorised Institution implements appropriate due diligence, approval and ongoing monitoring of all outsourcing arrangements involving material business activities, functions and processes. All risks arising from outsourcing must be appropriately identified and managed to ensure that the Authorised Institution meets both its financial and service obligations to depositors and investors and to ensure that outsourcing arrangements are not an impediment to BPNG s ability to supervise prudentially. The key requirements include: Board approved policy and procedures for outsourcing business activities; monitoring program to ensure activities outsourced meet requirements and service standards contracted; business activities, functions and processes that must not be outsourced; legally binding agreements for all outsourcing of material activities, unless otherwise agreed by BPNG; consultation with BPNG prior to entering into agreements to outsource material business activities, processes or functions including to service providers that conduct their activities outside PNG or a parent or related company; restrictions on outsourcing arrangements that may impede BPNG s ability to supervise prudentially; and maintaining a register of all agreements to outsource material business activities.

Application This Prudential standard applies to each Bank and Licensed Financial Institution authorized under the Banks and Financial Institutions Act 2000 (BFIA), collectively referred to as Authorised Institutions (AIs) for the purposes of this prudential standard. Definitions 1. Refer to BPS 001 Bank of Papua New Guinea Prudential Standards Glossary and Definitions for a complete set of acronyms and glossary of terms used in this Prudential Standard. Defined terms are hyperlinked in the electronic version of this Prudential Standard. Materiality 2. A material business activity has the potential, if disrupted, to have a significant impact on the AI s business operations or its ability to manage risks effectively, having regard to such factors as: a. the financial and operational impact and impact on reputation of a failure of the service provider to perform over a given period of time; b. the cost of the outsourcing arrangement as a share of total costs; c. the degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house; d. the ability of the regulated institution to meet regulatory requirements if there are problems with the service provider; e. whether outsourcing the activity may affect BPNG s ability to supervise the AI or have access to information or personnel; f. potential losses to the AI s customers and other affected parties in the event of a service provider failure; g. affiliation or other relationship between the AI and the service provider; and h. relations with a service provided such as a mobile banking or branchless banking agent. 3. Attachment A provides further guidance on activities that are likely to be deemed material for the purpose of managing outsourcing risks. 4. For the purposes of this Prudential Standard, the internal audit function is a material business activity. BPS252 1

Principles and Prudential Requirements Approval, management and administration 5. The Board of directors (Board) must establish policies and procedures that set out the approach to outsourcing of material business activities, including a detailed framework for identification and evaluation of proposals, development of service agreements and standards, due diligence and approvals, assessment and mitigation of risks arising and review and reporting arrangements. 6. The Board and senior management must be satisfied that the AI will continue to meet its financial and service obligations to depositors, investors and clients. 7. The AI continues to be responsible for compliance with all prudential and other regulations even if the service provider has day-to-day responsibility for delivery of the business activity, function or process. For the avoidance of doubt, the AI is not relieved from any prudential or other regulatory requirement as a result of an activity being outsourced and will be held accountable for any non-compliance. 8. The Board and senior management must ensure that outsourcing arrangements do not interfere or obscure prudential supervision by BPNG. Generally, approved agreements or service contracts should reflect requirements for regulatory compliance, provision of information and unfettered access by BPNG as if the function continued to be delivered from within the AI. 9. The AI s outsourcing policy must set out specific requirements in relation to outsourcing to related parties and to service providers that undertake outsourcing on behalf of the AI outside outside PNG. In both cases, the AI must consult with BPNG prior to entering such arrangements. Assessment of outsourcing options 10. Each AI must be able to demonstrate to BPNG that, in assessing the options for outsourcing, it has: a. prepared a business case; b. undertaken a tender or other selection process for service providers; c. undertaken a due diligence review of the chosen service provider; d. involved the Board, Board committee or senior manager with delegated authority from the Board, in approving the agreement; e. established procedures for monitoring performance under the outsourcing agreement on a continuing basis; f. addressed the renewal process for outsourcing agreements and how the renewal will be conducted as well as conditions for termination that include inability of the AI to satisfy compliance with prudential and other regulations or directions by BPNG. In such cases, early termination penalties must be voided or minimal; g. developed contingency plans that would enable the outsourced business activity to be provided by an alternative service provider or brought in-house if required; and BPS252 2

h. Developed binding Agency Agreements stipulating roles, responsibilities, limitations of the AI and the mobile banking or branchless banking agent. 11. Each AI must be able to demonstrate to BPNG that the assessment of an option to outsource to a related party has addressed: a. evaluation of changes to the risk profile and how changes will be addressed in the AI s risk management framework; b. that the related party has the ability to conduct the business activity on an ongoing basis; c. the required monitoring procedures to ensure that the related party is performing effectively and how potential inadequate performance would be addressed; d. contingency issues in accordance with Prudential Standard BPS251 Business Continuity Management should the outsourced activity need to be brought in-house; and e. the need to apply any of the requirements set out in paragraph 22 to the extent they are relevant to outsourcing agreements with a related party. Matters to be covered in outsourcing agreement 12. Except where otherwise provided in this Prudential Standard, all outsourcing arrangements must be contained in a documented legally binding agreement. 13. The agreement must be signed by all parties before the outsourcing arrangement commences. 14. At a minimum, the agreement (including arrangements with related parties) must address the following matters: a. the scope of the arrangement and services to be supplied; b. commencement and end dates; c. review provisions; d. pricing and fee structure; e. service levels and performance requirements; f. ownership of intellectual property, models, data, use of brands and logos and similar; g. audit and monitoring procedures; h. business continuity management; i. confidentiality, privacy and security of information; j. default arrangements and termination provisions; k. dispute resolution arrangements; l. liability and indemnity; m. sub-contracting; n. insurance; BPS252 3

o. to the extent applicable, offshoring arrangements (including through subcontracting) where key aspects of the work will be undertaken in a country different to the location of the service provider; p. financial problems or takeover of service provider; and q. legal and regulatory compliance expectations including reporting to the AI of potential problems 15. An AI must ensure that its outsourcing agreement includes appropriate indemnities by the third-party service provider of the AI for any sub-contracting the service provider may enter into with respect to the outsourcing arrangement, including failures on the part of the subcontractor. For example, outsourcing of IT to a local company that subcontracts offshore software development work to another country, eg. India. 16. There may be urgent circumstances where the AI enters arrangement without first completing all aspects under paragraphs 9-11. Such circumstances may include failure of a third-party provider and the need to find an immediate replacement or triggering of the BCM or Contingency Funding Plan. Under these circumstances, arrangements must be of a duration sufficient to allow proper process to be followed and new agreements entered and in any case, no longer than 3 months. The AI must notify BPNG of such arrangements within 14 days. BPNG access to service providers 17. All outsourcing agreements must provide for BPNG to access documentation, information and relevant personnel related to the outsourcing arrangement. More particularly, confidentiality provisions of any agreement must not preclude the service provider from giving copies of agreements, service arrangements and cooperating with any requests for information from BPNG. Further, the agreement must explicitly address the right of BPNG to conduct on-site visits to the service provider if BPNG considers it necessary in its role as prudential supervisor. 18. BPNG will in the normal course of its relationship with the AI, obtain required material from the AI as well as advise the AI of intentions to undertake an on-site visit to a service provider. 19. The Board must ensure that any outsourcing arrangements with a related company will not impede access by BPNG to that related company or any material or personnel involved in the provision of outsourced activities. Restrictions on outsourcing business activities, functions and processes 20. There are certain fundamental business activities, functions and processes that are not appropriate for outsourcing. Generally, these will relate to core responsibilities, decision making and risk management. BPNG may also limit outsourcing where it is of the opinion that an AI has outsourced too many key activities affecting its ability to realistically control and manage operations and increases the risk profile of the AI to an unacceptable level. 21. While not an exhaustive list, business activities, functions or processes that must not be outsourced include: BPS252 4

a. matters under law, regulation or prudential standard that require decision or approval by the Board and senior management ; b. decisions regarding granting of credit and making financial investments; and c. appointment as a director, senior manager or responsible person. Such positions must be filled by natural persons and not outsourced to companies or service providers because the individual must be held responsible and accountable for meeting obligations under law and fit and proper person requirements and similar. Register of outsourcing contracts and ongoing monitoring 22. Each AI must establish and maintain a Register of all material business activities, processes and functions that have been outsourced. The Register must identify the key information of the arrangements as well as review and renewal dates and department or position responsible for managing and monitoring the arrangements. 23. Each AI must have sufficient and appropriate resources to manage and monitor the outsourcing relationship. The type and extent of resources required will depend on the materiality of the outsourced business activity. At a minimum, monitoring must include: a. appropriate frequency and intensity of contact with the service provider which may range from daily operational contact to senior management performance review and relationship management; b. monitoring of performance under the agreement, usually detailed in Service Level Agreements; and c. testing of service arrangements as appropriate and continued compliance with related regulatory and prudential requirements. 24. The AI s internal audit function must review any proposed outsourcing of a material business activity and regularly review and report to the Board or Board Audit Committee on compliance with the AI s outsourcing policy and the ability of the AI to continue to manage risks. Notification Requirements 25. An AI must consult with BPNG as required under this standard prior to entering any outsourcing agreement. Where there is no explicit requirement to consult prior to entering the agreement, the AI must notify BPNG as soon as possible after entering into an outsourcing agreement, and in any event no later than 20 business days after execution of the outsourcing agreement. 26. The notification in paragraph 25 must include a summary of the key risks and the risk mitigation strategies implemented. BPNG may request additional material to assess the impact of the outsourcing arrangement on the AI s risk profile. 27. Each AI must advise BPNG if there are problems emerging with any outsourcing arrangement which may affect materially the business operations, profitability or reputation or present other additional risks. BPS252 5

28. Each AI must advise BPNG as soon as practicable if a material outsourcing agreement is terminated. The AI must provide a statement to BPNG about the transition arrangements and future strategies for carrying out the outsourced activity. 29. An AI must consult with BPNG prior to entering into any offshoring agreement involving a material business activity, function or process. The AI must satisfy BPNG that the impact of the offshoring arrangement has been addressed effectively as part of the risk management framework. If, in BPNG s opinion, the offshoring agreement involves risks not addressed appropriately, BPNG may require the AI to make other arrangements for the outsourced activity as soon as practicable. Reporting 30. Each AI will provide as part of the annual attestation, statements regarding the effective assessment and ongoing management of outsourcing arrangements. Remedial measures and sanctions 31. BPNG may request the external auditor of an AI, or an appropriate external expert, to provide an assessment of the risk management processes in place with respect to outsourcing on an individual contract or collective basis. This could cover areas such as information technology systems, data security, internal control frameworks and business continuity plans. Such reports will be paid for by the AI and must be made available to BPNG. 32. If BPNG is not satisfied with the adequacy of an AI s outsourcing policies and procedures or management of outsourced activities, BPNG may require the AI to make other arrangements for the outsourced activity as soon as practicable 33. BPNG may also vary the conditions of the AI s licence under section 14 of the BFIA. Such conditions may include, but are not limited, to: a. suspend or limit certain business activities relating to the outsourced activity; b. prohibit certain transaction or a class of transactions; c. require appointment of additional staff or third party support to address weaknesses identified; or d. suspend or require the removal of any directors, managers or chief executive. Commencement 34. This prudential standard commences immediately. 35. AIs shall comply with the requirements of this prudential standard for all future outsourcing arrangements. BPS252 6

Attachment 1: Samples of material business activities, functions and processes Examples of Outsourcing Arrangements include: Information system management and maintenance (For example, data processing, data centres, facilities management, end-user support, local area networks, help desks) Document processing (For example, cheques, credit card slips, bill payments, bank statements, other corporate payments) Application processing (For example, loan originations, credit cards) Loan administration (For example, loan negotiations, loan processing, collateral management, collection of bad loans) Investment management (For example, treasury management, cash management) Correspondent banking services Cash in transit management (For example, the secure storage and distribution of cash) Marketing and research (For example, product development, data warehousing and mining, advertising, media relations, call centres, telemarketing) Back office management (For example, payments, processing, custody operations, quality control, purchasing) Real estate administration (For example, building maintenance, lease negotiation, property evaluation, rent collection) Professional services related to the business activities of the AI (For example, accounting, internal audit) and Human resources (For example, benefits administration, recruiting). This Prudential Standard and materiality test is not expected to apply to: Courier services, regular mail, utilities, telephone Procurement of specialised training Discrete advisory services (For example, legal opinions, certain investment advisory services that do not result directly in investment decisions, independent appraisals, administrators or liquidators in bankruptcy) Purchase of goods, wares, commercially available software and other commodities Independent audit reviews Credit background and background investigation and information services Market information services (For example, Bloomberg, Moody s) Independent consulting Services the AI is not legally able to provide Printing services Repair and maintenance of fixed assets Supply and service of leased telecommunication equipment Travel agency and transportation services Maintenance and support of licensed software Specialised recruitment services, temporary help and contract personnel Fleet leasing services External conferences Sales of insurance policies by agents or brokers Syndication of loans BPS252 Att 1 1

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information