B. Management and Governance Standards
Chapter 6: Management and Corporate Governance
Introduction
Corporate governance broadly refers to mechanisms and processes by which the Licensed Person is managed, controlled and directed. Governance structures and principles identify the distribution of powers and responsibilities within the management structure of a Licensed Person. This chapter provides standards on how to organize the Management and Governance framework of a Licensed Person.
6.1 Head Office
- 6.1.1 The Licensed Person must have a Head Office within the UAE where the Manager in Charge and other functional heads must be based to carry out their responsibilities;
- 6.1.2 All files and physical records of the Licensed Person, whether they are related to the incorporation, governance, customers, transactions, accounting, employees, etc., must be available in the Head Office or otherwise accessible during the Central Bank examination;
- 6.1.3 The Central Bank expects the Licensed Person to maintain its Head Office at the same address as mentioned in the main license (or the first license) unless otherwise agreed by the Central Bank in writing;
- 6.1.4 The Head Office must not be located in a free zone or any other place (such as inside an Airport) where the free entry is restricted for the Central Bank Examiners to visit such office at any time to conduct an examination; and
- 6.1.5 The Licensed Person must obtain a Letter of No Objection from the Banking Supervision Department in order to re-locate the Head Office from its approved location to another location.
6.2 Management Office
- 6.2.1 The Licensed Person may open a separate Management Office, after obtaining a Letter of No Objection from the Banking Supervision Department, to be used for the same purposes as mentioned under Paragraphs 6.1.1 and 6.1.2 of this Chapter in case the Head Office does not have sufficient space;
- 6.2.2 The Licensed Person is not permitted to carry out Exchange Business from its Management Office unless otherwise approved by the Central Bank in writing; and
- 6.2.3 Conditions under Paragraphs 6.1.4 and 6.1.5 of this Chapter are also applicable to the Management Office of a Licensed Person.
6.3 Organisational Structure
- 6.3.1 The organizational structure of the Licensed Person must be approved by its Board of Directors (or by the Owner/Partners where there is no Board of Directors); and
- 6.3.2 The organizational structure must reflect reporting lines of the Manager in Charge, Compliance Officer and other functional heads and must be free from any conflict of interests to ensure functional independence.
6.4 Appointment of the Manager in Charge
- 6.4.1 The Licensed Person must obtain a Letter of No Objection from the Banking Supervision Department prior to the appointment of its Manager in Charge by submitting a duly completed APA Form (Refer to Appendix 5 for this Form) along with all required documents to the Banking Supervision Department;
- 6.4.2 The Central Bank shall conduct a fit and proper test on the proposed Manager in Charge before issuing the Letter of No Objection. The Central Bank reserves the right to:
  - a) interview the proposed Manager in Charge as part of the fit and proper test; and
  - b) issue or decline the approval for the proposed Manager in Charge.
- 6.4.3 In case the prior approval is rejected by the Central Bank, the Licensed Person must propose a new Manager in Charge within the timeline provided by the Central Bank in the Letter of Rejection. If a specific timeline is not provided in the Letter of Rejection, then the Licensed Person must propose a new Manager in Charge within a period of one hundred and eighty (180) calendar days from the date of Letter of Rejection.
- 6.4.4 Minimum Qualification and Experience of the Manager in Charge:
  - a) If the Licensed Person is in possession of a Category A License:
    - A minimum of five (5) years of experience within any financial institution(s), of which at least two (2) years in senior management position(s), such as head of a core function, Manager in Charge, General Manager/CEO or member of the Board of Directors; and
    - Sound knowledge of all applicable Laws, Rules, Regulations, Notices and the Standards related to Exchange Business in the UAE.
  - b) If the Licensed Person is in possession of either a Category B or Category C License:
    - A minimum of eight (8) years of experience within any financial institution(s), of which at least four (4) years in a senior management position(s), such as head of a core function, Manager in Charge, General Manager/CEO or member of the Board of Directors;
    - Sound knowledge of all applicable Laws, Rules, Regulations, Notices and the Standards related to Exchange Business in the UAE; and
    - Preference may be given to those with a Bachelor degree or higher in any discipline.
- 6.4.5 Employment Type and Residential Status of the Manager in Charge:
  - a) The Manager in Charge must be a full time employee of the Licensed Person;
  - b) The Manager in Charge is not permitted to hold any position or responsibility or role in or on behalf of any other entity or business, whether inside or outside the UAE;
  - c) The Manager in Charge must be a resident in the UAE; and
  - d) Foreign national must be under the employment visa of the Licensed Person when employed as a Manager in Charge.
- 6.4.6 Responsibilities of the Manager in Charge:
  - a) The Manager in Charge is responsible for the effective management of all aspects/activities of a Licensed Person.
- 6.4.7 Resignation of the Manager in Charge and notification to the Central Bank:
  - a) The Licensed Person must notify the Banking Supervision Department, within five (5) working days, in case the Manager in Charge resigns or vacates the office in any other manner with reasons thereof via email to: info.ehs@cbuae.gov.ae;
  - b) The Licensed Person must also provide, in the above notification email, the contact details of an alternate person (i.e. Interim Manager in Charge) who will be responsible for managing the business until the position of the Manager in Charge is permanently filled in; and
  - c) A permanent replacement must be appointed after obtaining a Letter of No Objection from the Banking Supervision Department within a period of one hundred and eighty (180) calendar days from the date when the position of the Manager in Charge falls vacant (Refer to Paragraphs 6.4.1, 6.4.2 and 6.4.3 of this Chapter).
- 6.4.8 Removal of the Manager in Charge:
  - a) The Central Bank reserves the right to remove the Manager in Charge of a Licensed Person at its sole discretion;
  - b) The Licensed Person, in such cases, must comply with Paragraphs 6.4.7 (b) and 6.4.7 (c) of this Chapter; and
  - c) The Central Bank reserves the right to communicate or not to communicate the reasons to the Licensed Person for its decision to remove the Manager in Charge.
6.5 Functional Heads
- 6.5.1 The Functional Heads must possess appropriate qualifications and experience required to carry out their responsibilities.
6.6 Appointment of a Compliance Officer and an Alternate Compliance Officer
- 6.6.1 The Licensed Person must appoint a Compliance Officer and an Alternate Compliance Officer who will be primarily responsible for its AML compliance function; and
- 6.6.2 The Licensed Person must refer to Paragraphs 16.4 and 16.5 of Chapter 16 for additional standards regarding the appointment of the Compliance Officer and the Alternate Compliance Officer.
6.7 Constitution of the Board of Directors and its Responsibilities
- 6.7.1 The Licensed Person must appoint a Board of Directors, if required by the prevailing Commercial Companies Law of the UAE;
- 6.7.2 Qualifications and Experience of Directors of the Board:
  - a) A minimum of eight (8) years of experience within any financial institution(s), of which at least five (5) years in senior management position(s), such as head of a core function, Manager in Charge, General Manager/CEO or as member of the Board of Directors;
  - b) Knowledge of all applicable Laws, Rules, Regulations, Notices and the Standards related to Exchange Business in the UAE;
  - c) Preference may be given to those with a Bachelor degree or higher in any discipline; and
  - d) The Licensed Person’s Shareholders, Partners and their immediate family members (i.e. father, mother, brother, sister, children or grandchildren, in laws, etc.) are eligible to become Directors on the Board regardless of their qualifications and experience (i.e. Paragraphs 6.7.2 (a) to (c) of this Chapter are not applicable in these cases).
- 6.7.3 Residential Status of Directors of the Board:
  - a) The majority of Directors of the Board (i.e. more than 50% of Directors of the Board) must be resident in the UAE.
- 6.7.4 The Roles and Responsibilities of the Board of Directors:
  - a) The Board of Directors is responsible for the oversight of all activities of the Licensed Person;
  - b) The Board of Directors is also responsible to appoint and monitor the performance of the Manager in Charge in addition to the following:
    - Maintain honesty, integrity and transparency throughout the business activities;
    - Ensure that a robust and independent compliance function is established and maintained;
    - Ensure that appropriate AML/CFT compliance and other related policies are implemented;
    - Ensure that actions are taken by the relevant stakeholders to resolve internal/external audit findings and regulatory compliance issues including AML compliance in a timely manner;
    - Ensure that sufficient time, freedom, resources, systems and tools are available for the Manager in Charge and Compliance Officer to fulfil their responsibilities effectively;
    - Ensure that an internal audit function is established and maintained; and
    - Review the effectiveness of the internal audit function at the end of every year.
- 6.7.5 The Resignation or Termination of Director of the Board:
  - a) Upon the resignation or termination of a Director of the Board, a permanent replacement must be appointed within one hundred and twenty (120) calendar days from the date when the position of a Director of the Board falls vacant; and
- 6.7.6 In case a Licensed Person does not have any obligation to appoint a Board of Directors as per the prevailing Commercial Companies Law of the UAE, its Owner or Partners must be responsible for carrying out the responsibilities under Paragraph 6.7.4 of this Chapter.
6.8 Board Meetings, Shareholders Meeting and other Meetings:
- 6.8.1 Shareholders must meet at least once every year to approve the External Auditors’ report and financial statements for the previous financial year, annual budgets, appointment of External Auditors for the current financial year etc.;
- 6.8.2 The Board of Directors must meet at regular intervals, in accordance with the provisions of the prevailing Commercial Companies Law of the UAE, with a pre-agreed agenda to discuss all aspects of the business activities with the Manager in Charge, Compliance Officer and other functional heads;
- 6.8.3 Where the Licensed Person does not have a Board of Directors, the Owner/Partners, Manager in Charge, Compliance Officer and other functional heads must meet at least once in six (6) months to discuss all aspects of the business; and
- 6.8.4 The minutes of above meetings must be available for the verification of the Central Bank Examiners.
6.9 Committees
- 6.9.1 The Licensed Person, irrespective of its legal form or constitution, must constitute at least two committees as per Paragraphs 6.9.2 and 6.9.3 of this Chapter;
- 6.9.2 An Audit Committee must be constituted in order to:
  - a) recommend the name(s) of appropriate External Auditors for the approval of the Board of Directors (or of the Owner/Partners where there is no Board of Directors) to carry out the annual financial audit;
  - b) review and ensure that the Internal Audit Charter and the Internal Audit Plan are appropriate to the nature, size and complexity of the business prior to obtaining approval from the Board of Directors (or from the Owner/Partners where there is no Board of Directors);
  - c) review all internal/external audit reports, management letters, etc.;
  - d) review action plans to address findings of the internal/external reports; and
  - e) provide updates about various matters mentioned under Paragraphs 6.9.2 (a) to (d) of this Chapter to the Board of Directors (or to the Owner/Partners where there is no Board of Directors).
- 6.9.3 A Compliance Committee must be constituted in order to:
  - a) recommend the name(s) of appropriate External Auditors for the approval of the Board of Directors (or of the Owner/Partners where there is no Board of Directors) to perform an Agreed-Upon Procedures on the AML/CFT compliance function annually;
  - b) review various ML/FT risks associated with the business and confirm that appropriate policies, procedures, controls, resources, etc. are in place to mitigate such risks;
  - c) periodically review resources, systems and tools available to the Compliance Officer and ensure that they are appropriate to the nature, size and complexity of the business;
  - d) review recommendations from the Annual Report of the Compliance Officer;
  - e) review findings of internal audit, independent review of the AML/CFT compliance function by External Auditors, the Central Bank examinations and all related action plans; and
  - f) provide updates about various matters mentioned under Paragraphs 6.9.3 (a) to (e) of this Chapter to the Board of Directors (or to the Owner/Partners where there is no Board of Directors).
- 6.9.4 Composition of Committees:
  - a) The Audit Committee must include the following members at a minimum:
  - b) The Compliance Committee must include the following members at a minimum:
    - at least one Director of the Board or the Owner or at least one Partner;
    - Manager in Charge;
    - Compliance Officer;
    - Alternate Compliance Officer; and
    - Any other functional heads, if the Licensed Person deems it necessary.
- 6.9.5 Committees must meet at least once in every quarter and minutes of such meetings must be available for the verification of the Central Bank Examiners.
Chapter 7: Accounts and Audit
Introduction
The Standards for the Regulations Regarding Licensing and Monitoring of Exchange Business
The Licensed Person must maintain appropriate books of accounts that reflect the true and fair view of its financial position at any point in time. This chapter provides standards to be maintained on Accounting and Auditing functions of the Licensed Person.
7.1 Accountant
- 7.1.1 Appointment of an Accountant
  - a) The Licensed Person must appoint an Accountant who is primarily responsible to maintain appropriate books of accounts and prepare periodical financial reports for submission to the Central Bank;
  - b) The job title of the Accountant may vary at the discretion of the Licensed Person, for example Accounts Manager, Chief Accountant, etc.; and
  - c) The Accountant must possess sufficient knowledge and appropriate experience to deal with all issues related to the bookkeeping, financial accounting, reporting to the Central Bank and to manage the annual audit of the books of accounts by External Auditors.
- 7.1.2 Accountant’s Responsibilities (the list is not exhaustive)
  - a) Ensure accuracy and completeness in the bookkeeping and financial accounting;
  - b) Arrange to submit accurate regulatory reports, such as monthly returns, quarterly returns, monthly remittance reports, audited financial statements, etc. within the submission deadlines to the Central Bank;
  - c) Obtain statements related to remittances, foreign currency export/import, hedge accounts or special products/services from banks, remittance partners or other relevant institutions/partners to perform reconciliation of balances on a regular basis, preferably daily;
  - d) Investigate differences identified during the reconciliation process and report all unreconciled items to the Manager in Charge immediately;
  - e) Assess the amount of unclaimed funds as on the last day of every month; and
  - f) Assess the liquidity position and capital adequacy on a regular basis to inform the Manager in Charge.
- 7.1.3 Books of Accounts
  - a) The Licensed Person must maintain comprehensive and accurate books of accounts and supporting records that reflect its correct liquidity/financial positions at all times;
  - b) The books of accounts and other records must be available within the UAE at all times and for the examination by the Central Bank;
  - c) The Licensed Person must introduce automated books of accounts in order to generate periodical Central Bank returns with the aid of suitable accounting software; and
  - d) The systems of the Licensed Person must be capable of generating appropriate reports related to the foreign currency exchange and remittance transactions at any point in time and for any period. Such reports must provide the below information at a minimum:
    - Number, total value and average value of transactions for each product;
    - Number, total value and average value of foreign currency exchange transactions for each currency;
    - Number, total value and average value of outward/inward money transfers to/from each correspondent, country and for each currency; and
    - Number, total value and average value of outward/inward money transfers via instant money transfer service providers to/from each service provider, country and for each currency.
7.2 Internal Audit
- 7.2.1 Appointment of Internal Auditor
  - a) The Licensed Person must appoint an Internal Auditor who is responsible to carry out regular audits across all aspects of its business; and
  - b) The Internal Auditor must possess sufficient knowledge and appropriate experience to deal with all issues related to internal audit.
- 7.2.2 Scope of the Internal Audit
  - a) The Licensed Person must have an Internal Audit Charter, that clearly states the purpose, scope and reporting lines of the Internal Auditor;
  - b) The Internal Audit Charter must be reviewed by the Audit Committee and then approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors);
  - c) The Internal Auditor must adhere to relevant auditing standards and code of ethics that are applicable to the internal audit profession;
  - d) All business activities of the Licensed Person, core functions, non-core functions, branches, Head Office, Management Office (if any), reconciliation process, unreconciled items, unclaimed funds, liquidity, capital adequacy, etc. must be covered under the scope of internal audit in addition to the AML and regulatory compliance;
  - e) The Internal Auditor must be given access to employees, data and records which may reasonably be required to fulfil all responsibilities;
  - f) The Internal Auditor must be informed, on a timely basis, of any changes in the applicable Regulations, the Standards and the Licensed Person’s policies or procedures;
  - g) The Internal Auditor must prepare the Annual Internal Audit Plan after discussing with the Audit Committee and obtain the approval of the Board of Directors (or of the Owner/Partners where there is no Board of Directors) at the beginning of each financial year;
  - h) The Annual Internal Audit Plan must contain timelines for each internal audit, internal audit reporting deadlines, allocation of resources, areas to be audited, follow up audit plans etc.;
  - i) Internal audits must be performed in accordance with the Annual Internal Audit Plan and the Board of Directors (or the Owner/Partners where there is no Board of Directors) must ensure that internal audit findings are addressed in a timely manner; and
  - j) The Internal Audit Charter and Plan must be reviewed by the Audit Committee at the end of each year to assess the effectiveness of the internal audit function and a summary of such reviews must be presented to the Board of Directors (or to the Owner/Partners where there is no Board of Directors).
- 7.2.3 Internal Audit Reporting Lines
  - a) The Internal Auditor must report directly to the Board of Directors (or to the Owner/Partners where there is no Board of Directors); and
  - b) Copies of all internal audit reports and corrective actions taken by the Manager in Charge must be available for verification by the Central Bank Examiners.
- 7.2.4 Independence and Conflict of Interest
  - a) The Internal Auditor’s role must be handled by a dedicated resource and must not be combined with any other function of the Licensed Person; and
  - b) The Internal Auditor must bring any matter affecting their independence such as creating any conflict of interest or limiting the scope of internal audit, restricting access to any information, etc. to the attention of the Board of Directors (or of the Owner/Partners where there is no Board of Directors).
7.3 External Audit
- 7.3.1 Appointment of External Auditor
  - a) The Licensed Person must appoint an External Auditor after obtaining a Letter of No Objection from the Banking Supervision Department for each financial year to audit its books of accounts and the financial statements;
  - b) The Central Bank reserves the right to appoint an External Auditor at its sole discretion to audit the books of accounts of the Licensed Person for any financial year in the following cases:
    - The Licensed Person had failed to obtain the Letter of No Objection from the Banking Supervision Department to appoint an External Auditor; and
    - The Licensed Person had appointed an External Auditor contrary to instructions from the Banking Supervision Department.
  - c) The Central Bank reserves the right to appoint additional External Auditors where it deems it appropriate, reasonable and necessary;
  - d) In all cases of appointments as per Paragraphs 7.3.1 (a) to (c) of this Chapter, the audit fee payable to External Auditors must be paid by the Licensed Person; and
  - e) The Central Bank reserves the right to instruct External Auditors to submit the audit report, financial statements and any other relevant information directly to the Central Bank if it deems it necessary.
- 7.3.2 Approval Process to Appoint the External Auditor
  - a) The Licensed Person must submit the request for the Letter of No Objection to the Banking Supervision Department on or before 31st May of each financial year; and
  - b) The request letter must be signed by the authorised signatory of the Licensed Person and accompanied by the following documents:
    - duly completed Form BSD IIIA & IIIB which must be signed by the proposed External Auditor; and
    - a copy of the professional license of the proposed External Auditor.
- 7.3.3 Rotation of External Auditors
  - a) The Licensed Person is permitted to appoint the same External Auditor to audit its books of accounts and financial statements for a maximum period of six (6) consecutive financial years provided that the following conditions are fulfilled:
    - A Letter of No Objection from the Banking Supervision Department is obtained to appoint the same External Auditor for each financial year; and
    - The audit partner is changed after a maximum period of three (3) consecutive financial years.
  - b) After six (6) consecutive financial years, the Licensed Person must appoint a different External Auditor for a minimum period of one (1) financial year after obtaining a Letter of No Objection from the Banking Supervision Department in accordance with Paragraph 7.3.2 of this Chapter;
  - c) In case the External Auditor is unable to change the audit partner after a period of three (3) consecutive financial years as required under Paragraph 7.3.3 (a) of this Chapter, the Licensed Person must appoint a different External Auditor for a minimum period of one (1) financial year after obtaining a Letter of No Objection from the Banking Supervision Department in accordance with Paragraph 7.3.2 of this Chapter;
  - d) An External Auditor appointed for a period of less than one (1) year, usually for a start-up business, will be considered as one (1) full financial year for the purpose of calculating the limit of six (6) consecutive financial years under Paragraph 7.3.3 (a) of this Chapter; and
  - e) The limit of six (6) consecutive financial years shall be applied retrospectively, starting from the financial year 2012.
- 7.3.4 Auditors’ Report and Financial Statements
  - a) Audited Financial Statements and the Auditors’ Report for any financial year must be submitted to the Banking Supervision Department on or before 31st March of the following year;
  - b) External Auditors must expressly state their views on the following matters in the Auditors’ Report in addition to their audit opinion:
    - Whether the Licensed Person has kept regular books of accounts and they were available in the UAE during the audit;
    - Whether suitable accounting software has been implemented in accordance with Paragraphs 7.1.3 (c) and (d) of this Chapter; and
    - Whether there is any major breach of the Regulations or the Standards applicable to Exchange Business.
  - c) Where the Licensed Person has Subsidiaries, whether inside or outside the UAE, the Consolidated Financial Statements and Auditors’ Report must be submitted to the Central Bank within six (6) months from the end of each financial year;
  - d) External Auditors must directly report to the Banking Supervision Department, if there are any serious violations or breaches of applicable Laws, Rules, Regulations, Notices and the Standards or deficiencies/manipulations in the books of accounts which come to their attention during the course of audit engagement; and
  - e) An External Auditor issuing a report under Paragraph 7.3.4 (d) of this Chapter to the Banking Supervision Department, in good faith, shall bear no liability to the Licensed Person or to its Owner, Partners, Shareholders or any other party for the breach or alleged breach of confidentiality.
- 7.3.5 The Management Letter
  - a) The Licensed Person must request the External Auditor to issue a Management Letter highlighting all deficiencies in its internal controls along with recommendations for the mitigation of such deficiencies;
  - b) The Licensed Person must provide its comments for each finding in the Management Letter;
  - c) In case the Management Letter was not issued by an External Auditor, a letter stating the same and the reasons thereof must be issued by the External Auditor; and
  - d) A copy of the Management Letter or the letter as per Paragraph 7.3.5 (c) of this Chapter must be submitted to the Banking Supervision Department along with the Auditors’ Report and financial statements for each financial year.
Chapter 8: Human Resources
Introduction
The Human Resources (HR) function plays a vital role in hiring and maintaining the appropriate employees for the Licensed Person. The Licensed Person may appoint a dedicated person to manage the HR function or combine the HR function with another suitable function subject to the conditions of Paragraphs 7.2.4 (a) of Chapter 7, 16.4.7 (a) and 16.5.1 (g) of Chapter 16. This chapter provides minimum standards to be maintained by the Licensed Person in relation to the HR function.
8.1 Human Resource Policy
- 8.1.1 The Licensed Person must implement a Human Resource Policy approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors);
- 8.1.2 The Human Resource Policy must cover the following at a minimum:
  - a) Recruitment and Know Your Employee (KYE) Policy;
  - b) Induction and trainings;
  - c) Job descriptions and KPIs;
  - d) Segregation of duties;
  - e) Staff rotation;
  - f) Working hours and overtime pay;
  - g) Leave, holidays and vacation;
  - h) Performance evaluation;
  - i) Rights and responsibilities of employees; and
  - j) The Disciplinary Process.
- 8.1.3 The Human Resource Policy must be in line with all applicable Laws and Rules of the UAE. The Human Resource Policy must be reviewed at regular intervals.
8.2 Recruitment and Know Your Employee (KYE) Process
- 8.2.1 The Licensed Person is responsible to establish and confirm the background of applicants prior to placing them in the employment; and
- 8.2.2 The KYE Procedure must include the following at a minimum:
  - a) Initial screening of CVs;
  - b) Verification of applicants’ academic qualifications;
  - c) Testing and interview;
  - d) Employment history verification by contacting previous employers to confirm the employee’s work experience and to gather information on previous role(s);
  - e) Police Clearance Certification from the police authorities of each respective Emirate if the applicant is already in the UAE. In other cases, Police Clearance Certificates must be obtained from the home country of the candidate, if available; and
  - f) Sanction checks must be applied on applicants before placing them in the employment.
8.3 Job Descriptions
- 8.3.1 Job descriptions must be precise and all employees must be provided with a copy of it in order for them to have clarity on their responsibilities; and
- 8.3.2 A copy of the job description signed by the employee and the Licensed Person must be held in the personal file of the employee.
8.4 Segregation of Duties
- 8.4.1 The Licensed Person must segregate duties to ensure that no single employee has unlimited access to data or is responsible to carry out major tasks, especially in areas such as payment authorization, information access, reconciliations, cash management, etc.
8.5 Staff Rotation
- 8.5.1 The Licensed Person must rotate its employees at regular intervals among its different branches, among different sections within the same branch or within different roles in the same Department. However, this requirement is not applicable to the head of any function.
8.6 Succession Plan
- 8.6.1 Succession Plan must be in place to ensure timely replacements of key personnel such as the Manager in Charge, Compliance Officer, Alternate Compliance Officer, Accountant, etc. immediately once such positions become vacant; and
- 8.6.2 The Succession Plan must be approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors).
8.7 Code of Conduct:
- 8.7.1 The Licensed Person must have a Code of Conduct for its employees which must include the following at a minimum:
  - a) Guidelines for acceptable behaviour;
  - b) Require employees to comply with policies & procedures of the Licensed Person and all applicable Laws, Rules, Regulations, Notices and the Standards;
  - c) Confidentiality;
  - d) Conflict of interest;
  - e) Disciplinary procedures; and
  - f) Right to appeal.
Chapter 9: Outsourcing of Functions
Introduction
Outsourcing is an arrangement whereby a third party performs a function as a whole or a part thereof, on behalf of the Licensed Person. This chapter provides standards in relation to outsourcing of functions considering its inherent vulnerabilities in relation to confidentiality, accessibility of information, etc.
9.1 Outsourcing of Functions
- 9.1.1 The Licensed Person may outsource various functions, if necessary, with the exceptions under Paragraph 9.1.2 of this Chapter. The Licensed Person must fulfil the requirements of this Chapter at all times and also comply with any future Regulations in relation to outsourcing as and when issued by the Central Bank;
- 9.1.2 The Licensed Person is not permitted to outsource the following functions under any circumstances:
  - a) AML compliance function with the exception of document retention to an external party. However, the Licensed Person is permitted to outsource specific AML compliance tasks (examples: Enhanced Due Diligence, AML/CFT Training, Framing AML/CFT Controls, System Support etc.) after obtaining the Letter of No Objection from the Banking Supervision Department; and
  - b) Permitted Activities of the Licensed Person (examples: buying and selling of foreign currencies, acceptance/execution/disbursement of money transfers of customers, etc.).
9.2 Responsibilities of the Licensed Person
- 9.2.1The ultimate responsibility/accountability of an outsourced function remains with the Licensed Person and the Board of Directors (or with the Owner/Partners where there is no Board of Directors);
- 9.2.2The Licensed Person must:
- a)ensure that it continues to satisfy all regulatory obligations with respect to an outsourced function;
- b)ensure that a dedicated employee, who is a subject matter expert, is appointed to manage the relationship between the Licensed Person and the Outsourcing Service Provider (i.e. “the Service Provider”) in the case of functions which are outsourced as per the conditions of this Chapter. Such dedicated employee may be allowed to manage the relationships for multiple outsourced functions provided that such multiple roles handled by the dedicated employee remain free from any conflict of interest;
- c)ensure that adequate mechanisms are implemented for monitoring the performance of the Service Provider;
- d)immediately inform the Banking Supervision Department of any material problems encountered with an outsourced function or the Service Provider; and
- e)continue to monitor the associated risks of outsourced functions and pay due attention to the security and effectiveness of internal controls implemented by the Service Provider to mitigate such risks.
9.3 Outsourcing Policy
- 9.3.1The Licensed Person must have an outsourcing policy approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors); and
- 9.3.2The outsourcing policy must cover the following aspects, at a minimum:
- a)Enhanced Due Diligence (EDD) process to be applied on the Service Provider;
- b)Responsibilities of the Licensed Person and the Board of Directors (or of the Owner/Partners where there is no Board of Directors) in relation to all outsourced functions;
- c)Annual risk assessment of outsourced functions;
- d)Control mechanisms to mitigate various outsourcing risks; and
- e)Requirement of a Service Level Agreement between the Licensed Person and the Service Provider.
9.4 Data Confidentiality
- 9.4.1The customer and transaction database must be held/stored within the UAE and held confidential at all times; and
- 9.4.2The Licensed Person must have contractual rights to take legal action against the Service Provider in the event of breach of confidentiality.
9.5 Access to Information
- 9.5.1The Licensed Person must ensure that the Central Bank and its Examiners have timely access to any information, that may be required to fulfil their responsibilities under the Regulations and the Standards, with respect to outsourced functions;
- 9.5.2The Licensed Person must ensure that its Internal and External Auditors have timely access to any relevant information that they may require to fulfil their responsibilities; and
- 9.5.3Access must be given to the Central Bank and the Licensed Person’s Internal/External Auditors to conduct on-site reviews of outsourced functions at the Service Provider’s premises when it is necessary.
9.6 Business Continuity
- 9.6.1The Licensed Person must ensure that the Service Provider maintains and tests a plan to ensure the continuity of outsourced functions with minimum disruption to the business in the event of unforeseen incidents;
- 9.6.2The Licensed Person must maintain and regularly review a contingency plan to enable it to set up alternative arrangements, with minimum disruption to the business, should the outsourcing contract suddenly be terminated or the Service Provider fail;
- 9.6.3Such contingency plans must include various options, such as:
- a)the identification of alternative Service Providers;
- b)plans to in-source the outsourced functions; and
- c)any other practical interim arrangements.
9.7 Outsourcing Agreement
- 9.7.1The Licensed Person must have a Service Level Agreement with the Service Provider for each function to be outsourced;
- 9.7.2This agreement must address the issues identified below, at a minimum:
- a)Details of functions and activities to be outsourced;
- b)Responsibilities, contractual liabilities and obligations of the Service Provider and the Licensed Person;
- c)Reporting of issues and escalation mechanism;
- d)Mechanisms for monitoring and assessing the performance of the Service Provider;
- e)Designated persons for maintaining the relationship between both parties;
- f)Confidentiality of customer data and related conditions;
- g)Disputes resolution arrangements;
- h)Access to information;
- i)Business continuity in case the Service Provider temporarily or permanently fails to provide service; and
- j)Termination clause.
9.8 Termination
- 9.8.1Termination of the agreement by the Service Provider under any circumstances must be permitted only under a sufficient notice period within which the Licensed Person is able to identify another Service Provider or to in-source the function;
- 9.8.2The Licensed Person must retain the right to terminate the Service Level Agreement without any notice period under the following conditions:
- a)The Service Provider fails to provide quality services as agreed;
- b)The Service Provider is in breach of any sanction laws or any other applicable laws;
- c)Ownership of the Service Provider changes in a way that has an impact on the interest of the Licensed Person or has a conflict of interest with the Licensed Person; and
- d)The Service Provider becomes insolvent or bankrupt or is under liquidation.
- 9.8.3The Service Level Agreement must provide for the return of all customer data to the Licensed Person in the event of the termination of such agreement without retaining any copies.
9.9 Letter of No Objection from the Central Bank
- 9.9.1The Licensed Person must obtain a Letter of No Objection from the Banking Supervision Department in order to outsource specific tasks of the AML Compliance function as mentioned under Paragraph 9.1.2 (a) of this Chapter; and
- 9.9.2The request for the Letter of No Objection must:
- a)be submitted to the Banking Supervision Department in writing and at least thirty (30) calendar days before the effective date of outsourcing the function; and
- b)be accompanied by the following documents:
- •the profile of the Service Provider;
- •a draft of the service level agreement between both parties;
- •a confirmation letter signed by the Authorized Signatory of the Licensed Person stating that an Enhanced Due Diligence Process has been applied on the Service Provider; and
- •a confirmation letter signed by the Owner/Partners/shareholders of the Licensed Person stating that ultimate responsibility/accountability of the outsourced function remains with the Licensed Person and the Board of Directors (or with the Owner/Partners where there is no Board of Directors).