OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008



Similar documents
SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

Financial Services Guidance Note Outsourcing

14 December 2006 GUIDELINES ON OUTSOURCING

Outsourcing Risk Guidance Note for Banks

Guideline. Outsourcing of Business Activities, Functions and Processes. Category: Sound Business and Financial Practices

SUPERVISION GUIDELINE

Mapping of outsourcing requirements

GUIDANCE NOTE ON OUTSOURCING

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

OUTSOURCING POLICY

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Prudential Practice Guide

Managing Outsourcing Arrangements

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

Objective and key requirements of this Prudential Standard

GUIDELINES ON OUTSOURCING

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

Risk Management of Outsourced Technology Services. November 28, 2000

Third Party Relationships

NOTICE ON OUTSOURCING

Principles on Outsourcing by Markets

GUIDELINES ON OUTSOURCING

POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

Draft Guidelines on Outsourcing of activities by Insurance Companies

Guidance Note on Credit and Credit Control for Credit Unions. October Office of the Registrar of Credit Unions

PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS

To: Our Clients and Friends March 25, 2014

Statement of Guidance: Outsourcing All Regulated Entities

Guidelines. ADI Authorisation Guidelines. Australian Prudential Regulation Authority. April 2008

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Code of Practice - Risk Management Including With Regard To Debtors

Guidance on Arrangements to Support Operational Continuity in Resolution. Consultative Document

POLICY STATEMENT AND GUIDANCE NOTES ON: (1) OUTSOURCING; AND

PRINCIPLES OF CORPORATE GOVERNANCE FOR SUPERVISED INSTITUTIONS

Any business relationship between a bank and another entity, by contract or otherwise

Advisory Guidelines of the Financial Supervision Authority. Requirements for Organising the Business Continuity Process of Supervised Entities

Resolution No. 391/2008 of the Polish Financial Supervision Authority. of 17 December 2008

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

REGULATORY GUIDELINES PROVIDE INSIGHT INTO OUTSOURCING. The Canadian IT outsourcing market currently generates approximately $6 billion in annual

Authorised Persons Regulations

BANKS AND DEPOSIT COMPANIES ACT 1999: The Outsourcing of Services or Functions by Institutions Licensed under the Banks and Deposit Companies Act 1999

Decision on outsourcing. Article 1

VII 4.1. VII. Unfair and Deceptive Practices Third Party Risk. Third Party Risk. Introduction. Background

RS Official Gazette, No 51/2015

Credit Union Liability with Third-Party Processors

Outsourcing Technology Services A Management Decision

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2

OUTSOURCING POLICY. Version Number 1.0 Dated 15 th July 2009

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ Ã

Guidance Note on Outsourcing/Delegation of Functions

Corporate Finance Adviser. Code of Conduct

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

Polish Financial Supervision Authority. Guidelines

CONTRACT MANAGEMENT FRAMEWORK

FinTech Webinar Series: Vendor Management Principles

ANNEX XI REFERRED TO IN ARTICLE 3.19 FINANCIAL SERVICES

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

How To Set Up A Committee To Check On Cit

AGENCY MANAGEMENT FRAMEWORK FOR INSURANCE AGENT

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS PRINCIPLES FOR THE CONDUCT OF INSURANCE BUSINESS

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Audit and Risk Committee Charter. Knosys Limited ACN (Company)

REGULATION FOR LIFE INSURANCE AND FAMILY TAKAFUL INSURANCE BUSINESSES ON PREVENTION OF MONEY LAUNDERING AND FINANCING OF TERRORISM

Starbucks Audit & Compliance Committee Policy For Pre-Approval of Independent Auditor Services

Key matters in examining Liquidity Risk Management at Large Complex Financial Groups

Core Principles for Effective Banking Supervision: New Edition Released

CREDIT RISK MANAGEMENT

STELLENBOSCH MUNICIPALITY

GUIDELINES ON OUTSOURCING ARRANGEMENTS

APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1

STANDARDS OF BEST PRACTICE ON COUNTRY AND TRANSFER RISK

Annex 7 referred to in Chapter 7. Financial Services. Article 1 Scope of Application

Managing General Agents (MGAs) Guideline

15. Policy on Institutions Participating in Title IV Programs

Risk Management Programme Guidelines

RISK FACTORS AND RISK MANAGEMENT

Smart Meters Programme Schedule 8.6. (Business Continuity and Disaster Recovery Plan) (CSP North version)

Cloud Computing: Legal Risks and Best Practices

Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services

Capital Management Standard Banco Standard de Investimentos S/A

Guideline. Large Exposure Limits. Category: Prudential Limits and Restrictions. No: B-2 Date: August I. Introduction

Relevant COSO Principles. Policies and procedures are maintained. Policies and Procedures. Roles and responsibilities are identified

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY

Outsourcing Technology Services OT

ANNEX ON FINANCIAL SERVICES

Basel Committee on Banking Supervision. Consolidated KYC Risk Management

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Act on Investment Firms /579

VII 5.1. VII. Abusive Practices Third Party Procedures. Third Party Risk. Introduction. Background

Guidance note on Outsourcing/Delegation of Functions and inward outsourcing

Part A OVERVIEW Introduction Applicability Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

TITLE VIII PAYMENT, CLEARING AND SETTLEMENT SUPERVISION

OUTSOURCING DUE DILIGENCE FORM

Transcription:

OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008

BANK OF TANZANIA

PART I PRELIMINARY 1 These guidelines may be cited as the Outsourcing Guidelines for Banks and Financial Institutions, 2008 and are made under Section 71 of the Banking and Financial; Institutions Act, 2006. 2 (a) These guidelines shall apply to all outsourcing arrangements entered into by banks or financial institutions. (b) For avoidance of doubt, outsourcing arrangements shall also include the provision of non-strategic but material services by a bank or financial institution's foreign head office or all material outsourcing arrangements between a bank or financial institution and regulated or unregulated entities in its corporate group or any other related entity. 3 In these Guidelines, unless the context otherwise requires: Act means the Banking and Financial Institutions Act, 2006; Bank means the Bank of Tanzania; bank has the same meaning ascribed to it in the Act; financial institution has the same meaning ascribed to it in the Act.; outsourcing means an arrangement whereby a bank or financial institution receives goods, or services from another entity that form part of the business processes and which are necessary to support the provision of banking or related financial services; outsourcing institution means a bank or a financial institution; outsourced service provider means the supplier of goods or, services who may be related entity or independent third party. PART II BACKGROUND 4 The Bank has observed growing activity among banks and financial institutions in Tanzania seeking to outsource their business functions in the

form of technical assistance agreements, management services contracts, etc, with their parent companies or third parties. 5 Some examples of the outsourcing arrangements include: (a) Information and Communications Technology and maintenance (software development, data entry and processing, data centers, facilities management, end-user support, local area networks, web-site hosting and development, internet accessing and help desk); (b) Disaster Recovery Site in case of inaccessibility of the primary site for the purpose of business continuity; (c) Document processing (cheques, credit card slips, bill payments, bank statements and other corporate payments); (d) Application processing (loan originations and credit cards); (e) Loan administration (loan processing, collateral management and collection of bad loans); (f) Investment management (investment advice, portfolio management and cash management); (g) Marketing and research (product development, data warehousing and mining, advertising, media relations, call centers and telemarketing); (h) Back office management (electronic funds transfer, payroll processing, custody operations, quality control, printing and purchasing); (i) Real estate administration (lease negotiation, property evaluation and rent collection); (j) Professional services (legal, accounting, internal audit and actuarial); and (k) Human resources (benefits administration, recruiting and training for capacity building). 6 The Bank recognizes that outsourcing arrangements can create benefits to the outsourcing institutions. The Bank also recognizes that certain important functions that have direct implications to the risk profile of an outsourcing institution are now being outsourced. This leads to some important banking functions being performed by third parties resulting in the outsourcing institution having less control over those activities and hence increasing the risks to the outsourcing institution. Outsourcing can also impair the Bank s

ability to exercise its supervisory and regulatory powers. Therefore, the Bank has decided to issue these guidelines to all banks and financial institutions to guide them on outsourcing arrangements. In supervising banks and financial institutions the Bank will review the extent to which they apply these guidelines to assess the quality of their risk management systems. 7 For the purpose of these guidelines, activities of a bank or financial institution must be classified as (1) strategic or- (2) non-strategic. (a) Strategic activities and functions These activities and functions should not be outsourced because they are generally compatible with the managers obligation to run the institution under their own responsibility. Examples of strategic and core management responsibility and functions include, strategic oversight, risk management and strategic control. (b) Non-strategic but material activities. These activities may be outsourced after obtaining prior approval of the Bank. For the purpose of these guidelines material activities means activities of such importance that any weakness or failure in the provision of those activities can have a significant effect on the outsourcing institution s ability to meet its regulatory responsibilities or to carry on its business. 8 Outsourcing institutions should consult the Bank where there is an uncertainty as to whether a business activity that is to be outsourced would be regarded as material for the purposes of these guidelines. PART III OBJECTIVES 9 The objectives of these guidelines are to:- (a) Promote sound risk management practices and curtail excessive risk taking or dependence on external parties in performing operations of the outsourcing institution thereby enhancing the stability of the financial system; (b) Encourage outsourcing institutions boards of directors and senior management to take full responsibility over the affairs and activities of their institutions; (c) Provide framework which guides outsourcing institutions in all outsourcing arrangements;

(d) Set out in broad terms on what the Bank and outsourcing institutions should expect from each other in terms of prudent and best business practices; and (e) Promote arm's length relationship in dealings between the outsourcing institutions and outsourced service providers and their related interests. PART IV ASSESSMENT OF OUTSOURCING ARRANGEMENTS 10 An outsourcing institution should assess if an outsourcing arrangement that is in existence or being contemplated involves material business activity. As a guide, a material business activity would include a significant part of the outsourcing institution s information and communication technology function, internal audit, loan processing or administration arrangements. Factors to be considered when making this assessment will include: (i) the financial and reputation impact of a failure of the outsourcing service provider to perform over a given period of time. Depending on the importance of the business activity, this may be measured in hours; (ii) the cost of the outsourcing arrangement as a share of total costs or operational income;. (iii) the degree of difficulty, including the time taken, to find an alternative outsourcing service provider or bring the business activity in house ; and (iv) the ability of the institution to meet regulatory requirements should there be any problems with the service provider. PART V: OUTSOURCING POLICY AND CONTRACTS 11 The outsourcing institution should have a general policy on its approach to all aspects of outsourcing. To be effective, the policy must be communicated in a timely manner and should be implemented through all relevant levels of the outsourcing institution, and be revised periodically in light of changing circumstances and applicable laws. 12 In setting up the policy, the outsourcing institution should bear in mind that no outsourcing is risk free. Therefore, at minimum the policy should: (a) cover the mechanism for appropriate monitoring and assessment of the outsourcing service provider by the outsourcing institution; (b) specify an internal unit or individual responsible for supervising and managing each outsourcing;

(c) specify off-shore processing arrangement, modalities of recovering the outsourced resources such as data, in case of any dispute on the contract or political imbalances, by the outsourcing institution; (d) reflect the main phases in the outsourcing. Such phases include: (i) The decision to or not to outsource or change an existing outsourcing (the decision-making phase); (ii) Initial and periodic due diligence on the outsourcing service provider; (iii) A well defined acquisition process with evaluation components such as terms of reference document, specification of requirements and evaluation of proposals; (iv) Drafting a written outsourcing contract and service level agreement (the contract-drafting phase); (v) The implementation, monitoring and maintenance of an outsourcing arrangement (the contract phase); and (vi) Dealing with the expected or unexpected termination of a contract and other service interruptions (the post-contract phase). (e) Cover outsourcing institution s plan and implementation arrangements to maintain the continuity of its business in the event that the provision of services by an outsourced service provider fails or deteriorates to an unacceptable degree, or the outsourcing institution experiences other changes or problems; (f) include some form of contingency planning and the establishment of a clearly defined exit strategy, evaluated against the costs and benefits of such planning; and (g) require an outsourcing institution to manage the risks associated with its outsourcing arrangements. Such risks include loss of operational control, service provider failure, inadequate confidentiality and security of information, and failure to meet regulatory requirements. 13 An outsourcing institution shall submit the outsourcing policy to the Bank for clearance before its implementation. 14 All outsourcing arrangements should be subject to a written contract, which must be approved by the Bank before implementation as per guideline number

7. 15 The contract should be reviewed by outsourcing institution s legal counsel to ensure that it is legally enforceable and that it reasonably protects the outsourcing institution from risk. 16 Outsourcing institutions should ensure that the written outsourcing contracts contain, among others, provisions pertaining to: (a) the operational area or activity that needs an outsourced service; (b) service levels and performance requirements; (c) audit and monitoring procedures; (d) business continuity plans, recovery times in the event of disruption, and responsibility for backup of programs or data; (e) where appropriate, insurance to be maintained by the outsourced service providers; (f) transition period and acceptance; (g) notification requirements and approval rights for any material changes to services, systems, controls, key project personnel including changes to the service provider s significant sub-contractors; (h) ownership of records and, where relevant, software, data usage and compliance with outsourcing institution s security policies; (i) default arrangements and termination rights for a variety of conditions including change in control, convenience, substantial increase in cost and insolvency; (j) price or fee structure, duration and the mode of payment; (k) dispute resolution arrangements which attempt to resolve problems in an expeditious manner as well as provision for continuation of services during the dispute resolution period; (l) liability and indemnity for failed, delayed, or erroneous transactions processed by the outsourcing service provider; (m)confidentiality and security of information of both the outsourcing institution and its clients;

(n) prohibition of assignment of the contract to a third party without the outsourcing institution s prior consent; (o) where appropriate training of outsourcing institution staff; (p) review of the outsourcing service provider standards, policies, and procedures relating to internal controls, security, and business contingency to ensure that they meet the outsourcing institution s minimum standards; and (q) the Bank s right to access at any time records of transactions and any information given to, stored at or processed by the service provider, any report or any results of audits and security reviews on the service provider and any sub-contractor that the service provider may use. PART VI DUTIES AND RESPONSIBILITIES OF AN OUTSOURCING INSTITUTION 17 Each outsourcing institution will be responsible for the operations of the outsourced activities. Therefore, the ultimate responsibility for proper management of the risks associated with outsourcing, lies with an outsourcing institution s board of directors and senior management. 18 The Board of Directors of an outsourcing institution should: (a) review and approve outsourcing policy and the risk-management policies for outsourcing as recommended by management; (b) review periodically, but at least annually, management reports demonstrating compliance with the approved risk-management policies for outsourcing; (c) approve any outsourcing arrangement that exceeds the level of authority delegated to management; (d) review periodically the content and frequency of management's outsourcing reports to the Board or to its committee; (e) ensure that person(s) responsible for administering the riskmanagement policies for outsourcing possess the quality and competency required; and (f) ensure that the audit function regularly reviews operations to assess

whether or not the risk-management policies and procedures for outsourcing are being followed and to confirm that sufficient riskmanagement processes for outsourcing are in place. 19 In relation to outsourcing, management of each outsourcing institution is expected to: (a) develop a risk-management programme for outsourcing that reflects institutions outsourcing policies and recommending it for approval by the board; (b) establish procedures adequate to the operation and monitoring of the risk-management programme, which provide for an assessment of all outsourcing arrangements to identify those that are material, an evaluation of the service provider, a satisfactory service contract, confidentiality and security needs, the requirements of the Bank, and accountability for monitoring outsourcing of material activities; (c) implement the risk-management programme for outsourcing; (d) carry out periodic internal self-assessment to test the effectiveness of the programme; (e) manage and control outsourcing risk within the risk-management programme; (f) develop and implement appropriate reporting systems to permit the effective management and control of existing and potential outsourcing risk exposure; (g) ensure that an audit function reviews regularly the operation of the risk-management programme relating to outsourcing; (h) develop lines of communication to ensure timely dissemination of outsourcing policies and procedures and other relevant outsourcing information to all individuals involved in the process; and, (i) report to the board, or to a committee of the board, on the operation and effectiveness of the programme and the risk or materiality of outsourcing arrangements, as comprehensively and frequently as required by the board. 20 Intra group outsourcing may be allowed provided the outsourcing institution meets the following conditions: (a) it demonstrates that it can manage the risk involved;

(b) it is a member of a group that is subject to supervision on a consolidated basis in conformity with Core Principles for Effective Banking Supervision issued by Basel Committee; (c) the arrangement between the outsourcing institution and the affiliate or subsidiary is on terms that are substantially the same, or at least as favourable to the outsourcing institution, as those available from a nonaffiliated service provider; (d) the relevant information, whether written or otherwise on how the parent group manages the risk should be made available to the outsourcing institution, and (e) it should be able to adequately demonstrate to the Bank that it is compliant with Risk Management Guidelines, 2005 relating to outsourcing. 21 An outsourcing institution should report to the Bank in case of any problem with its outsourcing arrangements which may impair provision of the outsourced services. 22 Sub contracting of outsourced activities and functions by outsourced service provider is not allowed. PART VII EFFECTIVE DATE 23 (a) Outsourcing institutions should use best efforts to bring existing outsourcing contracts into compliance with these Guidelines as soon as practicable. However, as it may be difficult to amend some of these contracts. The Bank has specified a transition period for full compliance with these Guidelines. (b) By the end of December 2008, all outsourcing institutions should have approved an outsourcing policy and established a process for assessing outsourcing arrangements for material activities and such arrangements must comply with these Guidelines as from March 2009.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information