Article (12): Outsourcing

C 25/2022 Effective from 30/12/2022
1.The Risk Governance System must address the following matters:
 
a.Companies' Risk Governance Systems must include policies and procedures for the assessment of any proposed Outsourcing and the identification, assessment, measurement, monitoring, controlling, reporting and mitigating of any risks associated with existing and proposed Outsourcing arrangements.
 
b.The Risk Governance System must provide an entity-wide or, if applicable, Group-wide view of the risks associated with Outsourcing, including any services the Company provides to, or receives from, other Group members.
 
c.Companies must maintain a comprehensive and updated register of all Outsourcing arrangements, including all material and non-material Outsourcing arrangements, on an entity and group-wide basis.
 
2.When a Company is Outsourcing, it must ensure that the following measures are in place, at a minimum:
 
a.Any outsourced Material Business Activity or function must be subject to oversight, accountability, review and assessment in the equivalent manner that non-outsourced activities or functions are. Outsourcing must not adversely affect the Company's ability to manage its risks.
 
b.A Company is fully responsible for the risks arising from any process or activity they outsource.
 
c.A Company must have a process for determining the materiality of outsourced activities. The process of identifying Material Business Activity must consider the potential of the outsourced activity to adversely affect the Company's operations and its ability to manage risks, if disrupted or performed poorly.
 
d.Companies must obtain the 'no objection' of the Central Bank prior to outsourcing any Material Business Activity.
 
3.The Board and Senior Management are ultimately responsible for any outsourced functions or activities. The Board must assess the ability of the Company's Risk Management and Internal Controls to manage the outsourced risks effectively in respect of business continuity.
 
4.Outsourced activity must be governed by written contracts that state the parties' rights and obligations. The Board and Senior Management must consider, when outsourcing an activity, the effects of the Company's Risk Profile, the service provider's expertise, knowledge, governance, Risk Management, Internal Controls, financial viability along with the succession issues upon the ending of the contractual relationship with the service provider.
 
5.A Company is responsible for compliance with Central Bank Laws and Regulations and all other relevant laws and regulations applicable to their outsourced activities.
 
6.The compliance function must regularly review and report to Senior Management, or to the Board as necessary, on the compliance of Outsourcing service providers with the laws, regulations and policies applicable to the Company.
 
7.When Outsourcing outside the State:
 
a.The Master System of Record, which includes all Confidential Data, must be continuously maintained and stored within the State.
 
b.As an exception to paragraph (12.7.a) above and subject to Central Bank approval, branches of foreign Companies may comply with this requirement by retaining a copy of the Master System of Record, updated on at least a daily basis, within the State.
 
c.A Company's customers' Confidential Data must not be shared outside the State without Central Bank approval and obtaining prior written consent from the customer. Companies must also obtain written acknowledgement from their customers that their Confidential Data may be accessed as part of legal proceedings or pursuant to an order of a court of competent jurisdiction outside the State in such circumstances.
 
d.A Company must not enter into Outsourcing agreements that involve sharing Confidential Data with a service provider domiciled in a jurisdiction that cannot provide the same level of safeguarding of Confidential Data that would apply if the data was kept in the State. This applies to all jurisdictions applicable to all parties to the agreement.
 
e.Companies are not permitted to enter into Outsourcing agreements that propose the storage of data in any jurisdiction where Company secrecy, or other laws, restrict or limit access to data necessary for supervisory and regulatory purposes.