2.2 Policies and Procedures for the Assessment and Approval of Outsourcing Material Business Activities

C 14/2021 STA

Banks must have policies and procedures to ensure compliance with the applicable regulations and standards and to ensure the following has been achieved prior to outsourcing a business activity:

  1. The Board or a committee of the Board has been adequately informed and has approved the outsourcing arrangement, as required;
  2. An appropriate due diligence review has been undertaken of the selected outsourcing service provider addressing factors including, but not limited to:
    a. Ability, including financial capacity, to meet the requirements of the arrangement and deliver the service reliably;
    b. Experience with similar agreements and services;
    c. Governance, internal control, internal audit, reporting and monitoring capabilities;
    d. Security, including cyber security;
    e. Staffing, including employee qualifications and expertise; and
    f. Country risk factors and legal environment where applicable.
  3. Procedures are implemented to monitor performance under the outsourcing agreement;
  4. Appropriate provisions for business continuity and disaster recovery are in place, including contingency plans to bring the outsourced function back in-house should the need arise, or the identification of alternative outsourcing service providers.