Chapter 9: Outsourcing of Functions
Introduction
Outsourcing is an arrangement whereby a third party performs a function as a whole or a part thereof, on behalf of the Licensed Person. This chapter provides standards in relation to outsourcing of functions considering its inherent vulnerabilities in relation to confidentiality, accessibility of information, etc.
9.1 Outsourcing of Functions
- 9.1.1 The Licensed Person may outsource various functions, if necessary, with the exceptions under Paragraph 9.1.2 of this Chapter. The Licensed Person must fulfil the requirements of this Chapter at all times and also comply with any future Regulations in relation to outsourcing as and when issued by the Central Bank;
- 9.1.2 The Licensed Person is not permitted to outsource the following functions under any circumstances:
  - a) AML compliance function with the exception of document retention to an external party. However, the Licensed Person is permitted to outsource specific AML compliance tasks (examples: Enhanced Due Diligence, AML/CFT Training, Framing AML/CFT Controls, System Support etc.) after obtaining the Letter of No Objection from the Banking Supervision Department; and
  - b) Permitted Activities of the Licensed Person (examples: buying and selling of foreign currencies, acceptance/execution/disbursement of money transfers of customers, etc.).
9.2 Responsibilities of the Licensed Person
- 9.2.1 The ultimate responsibility/accountability of an outsourced function remains with the Licensed Person and the Board of Directors (or with the Owner/Partners where there is no Board of Directors);
- 9.2.2 The Licensed Person must:
  - a) ensure that it continues to satisfy all regulatory obligations with respect to an outsourced function;
  - b) ensure that a dedicated employee, who is a subject matter expert, is appointed to manage the relationship between the Licensed Person and the Outsourcing Service Provider (i.e. “the Service Provider”) in the case of functions which are outsourced as per the conditions of this Chapter. Such dedicated employee may be allowed to manage the relationships for multiple outsourced functions provided that such multiple roles handled by the dedicated employee remain free from any conflict of interest;
  - c) ensure that adequate mechanisms are implemented for monitoring the performance of the Service Provider;
  - d) immediately inform the Banking Supervision Department of any material problems encountered with an outsourced function or the Service Provider; and
  - e) continue to monitor the associated risks of outsourced functions and pay due attention to the security and effectiveness of internal controls implemented by the Service Provider to mitigate such risks.
9.3 Outsourcing Policy
- 9.3.1 The Licensed Person must have an outsourcing policy approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors); and
- 9.3.2 The outsourcing policy must cover the following aspects, at a minimum:
  - a) Enhanced Due Diligence (EDD) process to be applied on the Service Provider;
  - b) Responsibilities of the Licensed Person and the Board of Directors (or with the Owner/Partners where there is no Board of Directors) in relation to all outsourced functions;
  - c) Annual risk assessment of outsourced functions;
  - d) Control mechanisms to mitigate various outsourcing risks; and
  - e) Requirement of a Service Level Agreement between the Licensed Person and the Service Provider.
9.4 Data Confidentiality
- 9.4.1 The customer and transaction database must be held/stored within the UAE and held confidential at all times; and
- 9.4.2 The Licensed Person must have contractual rights to take legal action against the Service Provider in the event of breach of confidentiality.
9.5 Access to Information
- 9.5.1 The Licensed Person must ensure that the Central Bank and its Examiners have timely access to any information that may be required to fulfil their responsibilities under the Regulations and the Standards, with respect to outsourced functions;
- 9.5.2 The Licensed Person must ensure that its Internal and External Auditors have timely access to any relevant information that they may require to fulfil their responsibilities; and
- 9.5.3 Access must be given to the Central Bank and the Licensed Person’s Internal/External Auditors to conduct on-site reviews of outsourced functions at the Service Provider’s premises when it is necessary.
9.6 Business Continuity
- 9.6.1 The Licensed Person must ensure that the Service Provider maintains and tests a plan to ensure the continuity of outsourced functions with a minimum disruption to the business in the event of unforeseen incidents;
- 9.6.2 The Licensed Person must maintain and regularly review a contingency plan to enable it to set up alternative arrangements, with minimum disruption to the business, should the outsourcing contract suddenly be terminated or the Service Provider fail;
- 9.6.3 Such contingency plans must include various options, such as:
  - a) the identification of alternative Service Providers;
  - b) plans to in-source the outsourced functions; and
  - c) any other practical interim arrangements.
9.7 Outsourcing Agreement
- 9.7.1 The Licensed Person must have a Service Level Agreement with the Service Provider for each function to be outsourced;
- 9.7.2 This agreement must address the issues identified below, at a minimum:
  - a) Details of functions and activities to be outsourced;
  - b) Responsibilities, contractual liabilities and obligations of the Service Provider and the Licensed Person;
  - c) Reporting of issues and escalation mechanism;
  - d) Mechanisms for monitoring and assessing the performance of the Service Provider;
  - e) Designated persons for maintaining the relationship between both parties;
  - f) Confidentiality of customer data and related conditions;
  - g) Disputes resolution arrangements;
  - h) Access to information;
  - i) Business continuity in case the Service Provider temporarily or permanently fails to provide service; and
  - j) Termination clause.
9.8 Termination
- 9.8.1 Termination of the agreement by the Service Provider under any circumstances must be permitted only under a sufficient notice period within which the Licensed Person is able to identify another Service Provider or to in-source the function;
- 9.8.2 The Licensed Person must retain the right to terminate the Service Level Agreement without any notice period under the following conditions:
  - a) The Service Provider fails to provide quality services as agreed;
  - b) The Service Provider is in breach of any sanction laws or any other applicable laws;
  - c) Ownership of the Service Provider changes that has an impact on the interest of the Licensed Person or has a conflict of interest with the Licensed Person; and
  - d) The Service Provider becomes insolvent or bankrupt or is under liquidation.
- 9.8.3 The Service Level Agreement must provide for the return of all customer data to the Licensed Person in the event of the termination of such agreement without retaining any copies.
9.9 Letter of No Objection from the Central Bank
- 9.9.1 The Licensed Person must obtain a Letter of No Objection from the Banking Supervision Department in order to outsource specific tasks of the AML Compliance function as mentioned under Paragraph 9.1.2 (a) of this Chapter; and
- 9.9.2 The request for the Letter of No Objection must:
  - a) be submitted to the Banking Supervision Department in writing and at least thirty (30) calendar days before the effective date of outsourcing the function; and
  - b) be accompanied by the following documents:
    - the profile of the Service Provider;
    - a draft of the service level agreement between both parties;
    - a confirmation letter signed by the Authorized Signatory of the Licensed Person stating that an Enhanced Due Diligence Process has been applied on the Service Provider; and
    - a confirmation letter signed by the Owner/Partners/shareholders of the Licensed Person stating that ultimate responsibility/accountability of the outsourced function remains with the Licensed Person and the Board of Directors (or with the Owner/Partners where there is no Board of Directors).