2 Governance and Risk Management
2.1 Risk Governance Framework
Banks must have an appropriate risk governance framework in place in accordance with the Central Bank’s risk management Regulations and Standards. This risk governance framework must be comprehensive and include within its scope any outsourced business activities and specifically address the additional risks that arise when a business activity is outsourced, including but not limited to:
1. Operational risk arising from inadequate processes or systems, insufficient or inadequately trained or supervised staff, fraud or error on the part of the outsourcing service provider;
2. Compliance risk arising from failure by the Outsourcing Service Provider to adhere to laws and regulations or the Bank’s policies, standards or codes of conduct;
3. Vendor lock-in and business continuity risk, arising from inadequate contractual and practical arrangements to ensure an outsourced business activity can be either transferred to another service provider or the Bank itself without undue delay, or discontinued without significantly disrupting the Bank’s operations, or its ability to manage risks;
4. Concentration risk arising from relying on the same outsourcing service provider for multiple outsourcing arrangements, or from reliance by different outsourcing providers on the same subcontractor;
5. Governance and internal control risk arising from excessive outsourcing as a whole, in a specific domain or department, or overreliance on third parties in the operation of the business;
6. The aggregate risk from all outsourcing arrangements and the marginal risk of any proposed outsourcing arrangement.
2.2 Policies and Procedures for the Assessment and Approval of Outsourcing Material Business Activities
Banks must have policies and procedures to ensure compliance with the applicable regulations and standards and to ensure the following has been achieved prior to outsourcing a business activity:
1. The Board or a committee of the Board has been adequately informed and has approved the outsourcing arrangement, as required;
2. An appropriate due diligence review has been undertaken of the selected outsourcing service provider addressing factors including, but not limited to:
   a. Ability, including financial capacity, to meet the requirements of the arrangement and deliver the service reliably;
   b. Experience with similar agreements and services;
   c. Governance, internal control, internal audit, reporting and monitoring capabilities;
   d. Security, including cyber security;
   e. Staffing, including employee qualifications and expertise; and
   f. Country risk factors and legal environment where applicable.
3. Procedures are implemented to monitor performance under the outsourcing agreement;
4. Appropriate provisions for business continuity and disaster recovery are in place, including contingency plans to bring the outsourced function back in-house should the need arise, or the identification of alternative outsourcing service providers.
2.3 Materiality of Outsourcing Arrangements
Banks must consider at least the following when determining the materiality of an outsourcing agreement:
1. The impact on the Bank’s ability to manage and control its risks;
2. The impact on the Bank’s performance and control over its performance;
3. The impact of an outsourcing service provider’s failure to deliver the service as per the agreement, including failures to mitigate risks or to operate in a safe and prudent manner;
4. The impact on the Bank’s ability to comply with its legal and regulatory requirements;
5. The nature of the data shared as part of the outsourcing agreement.