4 Data Protection

C 14/2021 STA

Banks must ensure that outsourcing agreements provide for at least the same degree of data protection that would apply if they performed the outsourced activity themselves. Banks must therefore establish adequate policies and procedures, and take all necessary steps to ensure data integrity, confidentiality, and accessibility. At a minimum, these policies and measures must address, both for digital and physical access, the following:

  1. Access rights management, including but not limited to policies for granting and revoking access rights and a periodic review of user privileges;
  2. Protection against digital and physical attacks;
  3. Protection of the integrity of data;
  4. Audit trails;
  5. Measures to detect, react to, and recover from data security incidents.