Skip to main content
Entire section Custom print Text Only Rich Text Print

Article 5: Outsourcing Agreements

C 14/2021 Effective from 31/5/2021
  1. 5.1 Outsourcing agreements must ensure that the Bank retains full ownership of the data it shares with the Outsourcing service provider, and that their customers retain full ownership over their data, and that the Central Bank of the UAE can access this data upon request.
     
  2. 5.2 Outsourcing agreements must ensure that the Bank has unfettered access to all of its data for the duration of the agreement, including upon termination of the agreement.
     
  3. 5.3 Outsourcing agreements must include appropriate provisions to protect a Bank’s data, including non-disclosure agreements and provisions related to the destruction of the data after termination of the agreement.
     
  4. 5.4 Outsourcing agreements must specifically establish standards for data protection, including any nationally recognised information assurance standards in the UAE.
     
  5. 5.5 Outsourcing agreements must specifically establish that the Outsourcing service provider, or any of its subcontractors must not provide any other party with access to Confidential Data without first obtaining the specific authorization of the Bank, or the customer, as the case may be.
     
  6. 5.6 Outsourcing agreements must specify to what extent subcontracting is allowed and under which conditions.
     
  7. 5.7 Outsourcing agreements must include an explicit provision giving the Central Bank, and any agent appointed by the Central Bank, access to the Outsourcing service provider.
     

    This provision must include the right to conduct on-site visits at the Outsourcing service provider if deemed necessary by the Central Bank and require the Outsourcing service provider to provide the Central Bank, or its appointed agent, any data or information required for supervisory purposes.
     

  8. 5.8 Outsourcing agreements must include an obligation for the Outsourcing service provider to notify the Bank without undue delay of any breach of the Bank’s data and in particular, breaches of Confidential Data.
     
  9. 5.9 All Outsourcing must be governed by formal Outsourcing contracts between the Bank and the Outsourcing service provider.