Outsourcing Regulation for Banks
C 14/2021 Effective from 31/5/2021
Introduction
The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, any Outsourcing arrangements entered into by a Bank must be subject to appropriate due diligence, approval and ongoing monitoring, in order to identify and mitigate risks inherent in Outsourcing.
In introducing this Regulation and the accompanying Standards, the Central Bank wishes to ensure that Banks’ approaches to managing the risks inherent in Outsourcing arrangements are in line with leading international and prudent practices.
This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.
Where this Regulation, or the accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements which are additional to the listing provided in the relevant article.
Objective
The objective of this Regulation is to establish the minimum acceptable standards for Banks’ approach to managing the risks related to Outsourcing arrangements with a view to:
1. Ensuring the soundness of Banks; and
2. Contributing to financial stability.
The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to Outsourcing arrangements.
As one of the principles underpinning this Regulation, a Bank must ensure that its Outsourcing arrangements, neither diminish its ability to fulfill its obligations to customers and the Central Bank, nor impede effective supervision by the Central Bank.
Scope and Application
This Regulation and the accompanying Standards apply to all Banks operating in the UAE. Banks established in the UAE with Group relationships, including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and the Standards are adhered to on a solo and Group-wide basis.
This Regulation and Standards must be read in conjunction with the Risk Management Regulation and Standards which establish the requirements for Banks’ overarching approach to risk management, and the Central Bank’s Operational Risk Management Regulation and Standards, which establish a number of requirements particularly relevant to Outsourcing, including business continuity planning and disaster recovery.
Article (1): Definitions
- 1.1 Affiliate: an entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct, or cause the direction of the management of another entity.
- 1.2 Bank: any juridical person licensed in accordance with the provisions of the Central Bank Law, to primarily carry on the activity of taking deposits and any other Licensed Financial Activities.
- 1.3 Board: The Bank’s board of directors.
- 1.4 Central Bank: The Central Bank of the United Arab Emirates.
- 1.5 Central Bank Law: Decretal Federal Law No. (14) of 2018 regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments.
- 1.6 Confidential Data: Account or other data relating to a Bank customer, who is or can be identified, either from the confidential data, or from the confidential data in conjunction with other information that is in, or is likely to come into, the possession of a person or organization that is granted access to the confidential data.
- 1.7 Group: a group of entities which includes an entity (the 'first entity') and:
- 1.7.1 any Parent of the first entity;
- 1.7.2 any Subsidiary of the first entity or of any Parent of the first entity; and
- 1.7.3 any Affiliate.
- 1.8 Master System of Record: the collection of all data, including Confidential Data, required to conduct all core activities of a Bank, including the provision of services to clients, managing all risks, and complying with all legal and regulatory requirements.
- 1.9 Material Business Activity: An activity of the Bank that has the potential, if disrupted, to have a significant impact on the Bank’s business operations or its ability to manage risks effectively.
- 1.10 Outsourcing: An agreement with another party either within or outside the UAE, including a party related to the Bank, to perform on a continuing basis an activity which currently is, or could be, undertaken by the Bank itself.
- 1.11 Parent: an entity (the 'first entity') which:
- 1.11.1 holds a majority of the voting rights in another entity (the 'second entity');
- 1.11.2 is a shareholder of the second entity and has the right to appoint or remove a majority of the board of directors or managers of the second entity; or
- 1.11.3 is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
- 1.11.4 if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
- 1.12 Person: natural or juridical person.
- 1.13 Regulation: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
- 1.14 Risk Governance Framework: the risk governance framework as defined under the Risk Management Regulation and Standards.
- 1.15 Senior Management: the senior management as defined under the Corporate Governance Regulation and Standards.
- 1.16 Subsidiary: an entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
- 1.16.1 holds a majority of the voting rights in the first entity;
- 1.16.2 is a shareholder of the first entity and has the right to appoint, or remove, a majority of the board of directors or managers of the first entity;
- 1.16.3 is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
- 1.16.4 if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
Article 2: Governance and Risk Management
- 2.1 Banks are fully responsible for the risks arising from any process or activity they outsource.
- 2.2 Banks must have a process for determining the materiality of outsourced activities. This process should consider the potential of the outsourced activity to adversely affect the Bank’s operations and its ability to manage risks, if disrupted or performed poorly.
- 2.3 Banks’ Risk Governance Framework must include policies and procedures for the assessment of any proposed Outsourcing and the identification, measurement, monitoring and reporting of any risks associated with existing and proposed Outsourcing arrangements.
- 2.4 The Risk Governance Framework must provide a Bank-wide or, if applicable, Group-wide view of the risks associated with Outsourcing, including any services the Bank provides to, or receives from, other Group members.
- 2.5 The Risk Governance Framework must, at a minimum, provide for the following with respect to Outsourcing:
- 2.5.1 A Board-approved policy that sets out how the materiality of a proposed Outsourcing arrangement is assessed and requiring any material Outsourcing arrangements to be approved by the Board, or a committee of the Board;
- 2.5.2 Policies and procedures to ensure that potential conflicts of interest are identified, managed and appropriately mitigated, or avoided;
- 2.5.3 Policies and procedures that clearly identify and assign to the Bank’s departments, committees, internal control functions, or other individuals, the roles and responsibilities with regard to Outsourcing and determine in which cases and at which stage, they should be involved;
- 2.5.4 Policies and procedures to ensure all material risks related to Outsourcing are identified, measured, managed or mitigated, and reported to the Board in a timely and comprehensive manner;
- 2.5.5 Ensure that any outsourced critical business functions are covered in their disaster recovery and business continuity plans, that Outsourcing service providers are fully prepared to implement them and that Outsourcing service providers have their own disaster recovery and business continuity plans to resolve disruptions at their end.
- 2.6 Banks must ensure that Outsourcing service providers maintain an appropriate level of information security, risk management, and service delivery.
- 2.7 Banks are responsible for the compliance with all relevant laws and regulations applicable to their outsourced activities.
Article 3: Outsourcing Register
- 3.1 Banks must maintain a comprehensive and updated register of all Outsourcing arrangements, including both material and non-material Outsourcing arrangements, on a solo and Group-wide basis.
- 3.2 This register must contain key information for each Outsourcing arrangement, and at a minimum:
- 3.2.1 Key non-risk related data, such as the details of the Outsourcing service provider, start and end date of the arrangement, and a brief description of the service delivered;
- 3.2.2 Whether the Outsourcing arrangement involves any Confidential Data; and
- 3.2.3 Whether the Outsourcing arrangement is considered material.
Article 4: Data Protection
- 4.1 Banks must ensure compliance with all the applicable UAE legislation and regulations in managing and processing data, when Outsourcing.
- 4.2 Banks must ensure that they retain ownership of all data provided to an Outsourcing service provider, and that their customers retain ownership of their data, including but not limited to Confidential Data, and can effectively exercise their rights and duties in this regard.
- 4.3 Where the Outsourcing service provider subcontracts elements of the service which involve Confidential Data, Banks must ensure that the subcontractor fully complies with the applicable requirements as established by law and under this regulation.
- 4.4 Banks must ensure their data is secured from unauthorized access, including unauthorized access by the Outsourcing service provider or its staff.
Article 5: Outsourcing Agreements
- 5.1 Outsourcing agreements must ensure that the Bank retains full ownership of the data it shares with the Outsourcing service provider, and that their customers retain full ownership over their data, and that the Central Bank of the UAE can access this data upon request.
- 5.2 Outsourcing agreements must ensure that the Bank has unfettered access to all of its data for the duration of the agreement, including upon termination of the agreement.
- 5.3 Outsourcing agreements must include appropriate provisions to protect a Bank’s data, including non-disclosure agreements and provisions related to the destruction of the data after termination of the agreement.
- 5.4 Outsourcing agreements must specifically establish standards for data protection, including any nationally recognised information assurance standards in the UAE.
- 5.5 Outsourcing agreements must specifically establish that the Outsourcing service provider, or any of its subcontractors must not provide any other party with access to Confidential Data without first obtaining the specific authorization of the Bank, or the customer, as the case may be.
- 5.6 Outsourcing agreements must specify to what extent subcontracting is allowed and under which conditions.
- 5.7 Outsourcing agreements must include an explicit provision giving the Central Bank, and any agent appointed by the Central Bank, access to the Outsourcing service provider.
This provision must include the right to conduct on-site visits at the Outsourcing service provider if deemed necessary by the Central Bank and require the Outsourcing service provider to provide the Central Bank, or its appointed agent, any data or information required for supervisory purposes.
- 5.8 Outsourcing agreements must include an obligation for the Outsourcing service provider to notify the Bank without undue delay of any breach of the Bank’s data and in particular, breaches of Confidential Data.
- 5.9 All Outsourcing must be governed by formal Outsourcing contracts between the Bank and the Outsourcing service provider.
Article 6: Outsourcing Outside the UAE
- 6.1 Banks must ensure that the Master System of Record, which includes all Confidential Data, is continuously maintained and stored within the UAE.
- 6.2 As an exception to paragraph (6.1) above and subject to Central Bank approval, branches of foreign banks may comply with this requirement by retaining a copy of the Master System of Record, updated on at least a daily basis, within the UAE.
- 6.3 Bank customers’ Confidential Data must not be shared outside the UAE without Central Bank approval and obtaining prior written consent from the customer. Banks must also obtain written acknowledgement from the customer that his/her Confidential Data may be accessed under legal proceedings outside the UAE in such circumstances.
- 6.4 Banks must not enter into an Outsourcing agreement that involves sharing Confidential Data with a service provider domiciled in a jurisdiction that cannot provide the same level of safeguarding of Confidential Data that would apply if the data was kept in the UAE.
This applies to all jurisdictions relevant to the agreement.
- 6.5 Any Outsourcing agreement with a party located outside the UAE, must ensure that the Bank and the customer retain ownership of the data at all times, and that the Central Bank can access the Bank’s data upon request.
- 6.6 Banks are not permitted to enter into an Outsourcing agreement that proposes the storage of data in any jurisdiction where bank secrecy, or other laws, restrict or limit access to data necessary for supervisory purposes.
- 6.7 Banks must explicitly consider the possibility that changes in economic, political, social, legal or regulatory conditions may affect the ability of a service provider outside the UAE to fulfil the terms of the agreement.
This risk must be managed by a careful selection of service providers and jurisdictions, adequate contractual and practical arrangements, and appropriate business continuity planning.
- 6.8 Banks must explicitly consider any other relevant risks arising when the service provider is located outside the UAE. These may include but are not limited to:
- 6.8.1 Higher levels of operational risk due to poor infrastructure in another jurisdiction;
- 6.8.2 Legal risk due to differing laws and possible shortcomings in the legal system in the countries where the service is provided; and
- 6.8.3 Reputation risk.
- 6.9 A Bank must ensure compliance with all relevant personal data protection legislations and regulations prior to entering into an Outsourcing agreement with an Outsourcing service provider or third party outside the UAE.
- 6.10 A Bank must establish policies and processes regarding controls and monitoring activities specifically addressing the business relationship of the Bank with an Outsourcing service provider, which includes the sharing of Confidential Data outside the UAE.
- 6.11 For each of its business relationships a Bank holds with an Outsourcing service provider, which includes the sharing of Confidential Data outside the UAE, the Bank must define concrete security requirements and must ensure that its staff is sufficiently trained in respect of these requirements.
- 6.12 Where the Outsourcing service provider subcontracts elements of the service to other providers, which entail Confidential Data, the Bank must ensure that the subcontractor fully complies with the obligations contained in this Regulation related to the sharing of Confidential Data outside the UAE.
- 6.13 Banks must ensure third parties implement and maintain the appropriate level of information security and service delivery.
- 6.14 With regard to Outsourcing service providers located outside the UAE, the Central Bank may exercise its powers through collaboration with the relevant authorities of any relevant jurisdiction.
Article 7: Internal Audit and Compliance
- 7.1 Outsourced activities remain fully in scope of the Bank’s internal audit and compliance responsibilities.
- 7.2 The internal audit function must regularly review and report to the Board, or the Board audit committee, on compliance with and the effectiveness of the Bank’s Outsourcing policies and procedures.
- 7.3 The compliance function must regularly review and report to Senior Management, or to the Board as necessary, on the compliance of Outsourcing service providers with the legislations, regulations and policies applicable to the Bank.
Article 8: Non-Objection by the Central Bank
- 8.1 Prior to Outsourcing any material activity, including to any related party, Banks must obtain a prior notice of non-objection from the Central Bank.
- 8.2 Although all requests for non-objection will be considered on their individual merits, the Central Bank will, in general, not permit the Outsourcing of core banking activities, and key management and control functions, including:
- 8.2.1 Senior Management oversight;
- 8.2.2 Risk management;
- 8.2.3 Compliance;
- 8.2.4 Internal audit; and
- 8.2.5 Management of risk-taking functions including credit, investment and treasury management.
Article 9: Reporting Requirements
- 9.1 Banks must regularly report to the Central Bank on their Outsourcing arrangements in the format and frequency prescribed by the Central Bank.
- 9.2 Banks must provide upon request any specific information with respect to Outsourcing arrangements that the Central Bank may require.
- 9.3 Banks must provide the Central Bank with their Outsourcing register as required under Article 4 of this regulation upon the Central Bank’s request.
- 9.4 Banks must immediately notify the Central Bank when they become aware of a material breach of the terms of an Outsourcing agreement, or other development with respect to an outsourced Material Business Activity, that has, or is likely to have, a significant impact on the Bank’s operations, reputation or financial condition.
Article 10: Islamic Banking
- 10.1 A Bank offering Islamic financial services must ensure that its Outsourcing policies and arrangements, insofar as they relate to the offering of Islamic financial services, are consistent with Shari’ah rules and principles that would apply if the activity were undertaken by the bank itself.
- 10.2 A bank offering Islamic financial services must ensure that its policies and procedures for the assessment of any proposed Outsourcing arrangement specifically consider operational and reputational risks from failure by the Outsourcing service provider to adhere to Shari’ah rules and principles.
Article 11: Enforcement
- 11.1 Violation of any provision of this Regulation and Standards may be subject to supervisory action as deemed appropriate by the Central Bank.
- 11.2 Supervisory action and administrative & financial sanctions by the Central Bank may include withdrawing, replacing or restricting the powers of Senior Management or members of the Board, providing for the interim management of the Bank, imposition of fines or barring individuals from the UAE banking sector.
- 11.3 The Central Bank may require a Bank to terminate an Outsourcing arrangement when the arrangement is not or no longer compliant with this Regulation or where the Outsourcing presents undue risks to the soundness of the Bank, the security of Confidential Data, or to the financial system.
Article 12: Interpretation of Regulation
The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
Article 13: Publication and Application
- 13.1 This Regulation and accompanying Standards shall be published in the Official Gazette and shall come into effect one (1) month from the date of publication.
- 13.2 All Outsourcing arrangements concluded or renewed after this regulation coming into force must fully comply with the requirements of this regulation.
- 13.3 In any case, all Outsourcing agreements, including those concluded prior to the coming into force of this Regulation, must fully comply with this Regulation by no later than 31 December 2023.