  • Other Regulations

    • Banks’ Acquisition of Own Shares Regulation

      C 20/2021 Effective from 14/2/2022

      The Central Bank is pleased to announce the issuance of the “Banks’ Acquisition of Own Shares Regulation” (Circular 20/2021 - dated 21/12/2021).

      Article 93 (3) of the Decretal Federal Law No. (14) of 2018, as amended (the ‘Central Bank Law’) prohibits a bank from purchasing, acquiring, or dealing in its own shares in excess of any ratios set by the Central Bank.

      In issuing this Regulation, the Central Bank is setting the relevant regulatory ratio to apply under Article 93(3) of the Central Bank Law.

      In accordance with the Regulation, a bank is not permitted to directly, or indirectly, purchase, acquire, buy back or hold any amount of its own shares exceeding 10% of the bank’s paid-up capital. In addition, prior approval of the Central Bank is required, except where shares have been acquired by a bank in settlement of a debt.

      This Regulation was published in the Official Gazette on 14 January 2022 and will come into effect one month after the date of publication.

      Please bring this Regulation to the attention of the board of directors of your bank at the next board meeting.

      • Objective

        The objective of this Regulation is to define the regulatory obligations that apply to Banks, relating to acquisitions or buy-backs of their own shares.

      • Scope

        This Regulation applies to all Banks.

      • Article (2): Central Bank prior approval required for banks' acquisition of own shares

        2.1 A Bank shall not directly or indirectly acquire, purchase, buy-back or deal in its own shares without prior written approval of the Central Bank, unless shares have devolved to it in accordance with Article 2.2 of this Regulation.

        2.2 In accordance with Article 93(3) of the Central Bank Law, where shares have devolved to a Bank in settlement of a debt, and the Bank is therefore holding its own shares exceeding the maximum limit prescribed in Article (3) of this Regulation, the Bank must sell the excess shares within a period of two (2) years from the date of acquisition.

        2.3 The Central Bank, in granting any approval under Article 2.1 of this Regulation, may request any information it requires in order to make an appropriate decision, and may impose any limitations or conditions on the Bank that it considers appropriate.

        2.4 The Central Bank may, on application by a Bank in writing, extend the period referred to in Article 2.2 of this Regulation for such period and on such conditions as the Central Bank considers appropriate.

      • Article (3): Maximum limit

        3.1 A Bank shall not be permitted to directly or indirectly purchase, acquire, buy-back or hold any amount of its own shares exceeding ten percent (10%) of the Bank’s Paid Up Share Capital.

      • Article (4): Obligation to notify the Central Bank of breach of regulatory obligations

        4.1 Banks which breach or are likely to breach any provision of this Regulation must immediately notify the Central Bank in writing.

      • Article (5): Enforcement & Sanctions

        5.1 Violation of any provision of this Regulation and any accompanying Standards may be subject to supervisory action and sanctions as deemed appropriate by the Central Bank, including the measures stated in Article 44 (1) of the Central Bank Law “Protection of Licensed Financial Institutions”.

      • Article (6): Interpretation of Regulation

        6.1 The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

      • Article (7): Publication & Effective Date

        7.1 This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.

    • Outsourcing Regulation for Banks

      C 14/2021 Effective from 31/5/2021

      • Introduction

        The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, any Outsourcing arrangements entered into by a Bank must be subject to appropriate due diligence, approval and ongoing monitoring, in order to identify and mitigate risks inherent in Outsourcing.

        In introducing this Regulation and the accompanying Standards, the Central Bank wishes to ensure that Banks’ approaches to managing the risks inherent in Outsourcing arrangements are in line with leading international and prudent practices.

        This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.

        Where this Regulation, or the accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements which are additional to the listing provided in the relevant article.

      • Objective

        The objective of this Regulation is to establish the minimum acceptable standards for Banks’ approach to managing the risks related to Outsourcing arrangements with a view to:

        1. Ensuring the soundness of Banks; and
        2. Contributing to financial stability.

        The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to Outsourcing arrangements.

        As one of the principles underpinning this Regulation, a Bank must ensure that its Outsourcing arrangements neither diminish its ability to fulfill its obligations to customers and the Central Bank, nor impede effective supervision by the Central Bank.

      • Scope and Application

        This Regulation and the accompanying Standards apply to all Banks operating in the UAE. Banks established in the UAE with Group relationships, including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and the Standards are adhered to on a solo and Group-wide basis.

        This Regulation and Standards must be read in conjunction with the Risk Management Regulation and Standards, which establish the requirements for Banks’ overarching approach to risk management, and the Central Bank’s Operational Risk Management Regulation and Standards, which establish a number of requirements particularly relevant to Outsourcing, including business continuity planning and disaster recovery.

      • Article (1): Definitions

        1.1 Affiliate: an entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct, or cause the direction of, the management of another entity.

        1.2 Bank: any juridical person licensed in accordance with the provisions of the Central Bank Law, to primarily carry on the activity of taking deposits and any other Licensed Financial Activities.

        1.3 Board: the Bank’s board of directors.

        1.4 Central Bank: the Central Bank of the United Arab Emirates.

        1.5 Central Bank Law: Decretal Federal Law No. (14) of 2018 regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments.

        1.6 Confidential Data: account or other data relating to a Bank customer, who is or can be identified, either from the confidential data, or from the confidential data in conjunction with other information that is in, or is likely to come into, the possession of a person or organization that is granted access to the confidential data.

        1.7 Group: a group of entities which includes an entity (the 'first entity') and:
          1.7.1 any Parent of the first entity;
          1.7.2 any Subsidiary of the first entity or of any Parent of the first entity; and
          1.7.3 any Affiliate.

        1.8 Master System of Record: the collection of all data, including Confidential Data, required to conduct all core activities of a Bank, including the provision of services to clients, managing all risks, and complying with all legal and regulatory requirements.

        1.9 Material Business Activity: an activity of the Bank that has the potential, if disrupted, to have a significant impact on the Bank’s business operations or its ability to manage risks effectively.

        1.10 Outsourcing: an agreement with another party either within or outside the UAE, including a party related to the Bank, to perform on a continuing basis an activity which currently is, or could be, undertaken by the Bank itself.

        1.11 Parent: an entity (the 'first entity') which:
          1.11.1 holds a majority of the voting rights in another entity (the 'second entity');
          1.11.2 is a shareholder of the second entity and has the right to appoint or remove a majority of the board of directors or managers of the second entity; or
          1.11.3 is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
          1.11.4 if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.

        1.12 Person: natural or juridical person.

        1.13 Regulation: any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.

        1.14 Risk Governance Framework: the risk governance framework as defined under the Risk Management Regulation and Standards.

        1.15 Senior Management: the senior management as defined under the Corporate Governance Regulation and Standards.

        1.16 Subsidiary: an entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
          1.16.1 holds a majority of the voting rights in the first entity;
          1.16.2 is a shareholder of the first entity and has the right to appoint, or remove, a majority of the board of directors or managers of the first entity;
          1.16.3 is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
          1.16.4 if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.

      • Article 2: Governance and Risk Management

        2.1 Banks are fully responsible for the risks arising from any process or activity they outsource.

        2.2 Banks must have a process for determining the materiality of outsourced activities. This process should consider the potential of the outsourced activity to adversely affect the Bank’s operations and its ability to manage risks, if disrupted or performed poorly.

        2.3 Banks’ Risk Governance Framework must include policies and procedures for the assessment of any proposed Outsourcing and the identification, measurement, monitoring and reporting of any risks associated with existing and proposed Outsourcing arrangements.

        2.4 The Risk Governance Framework must provide a Bank-wide or, if applicable, Group-wide view of the risks associated with Outsourcing, including any services the Bank provides to, or receives from, other Group members.

        2.5 The Risk Governance Framework must, at a minimum, provide for the following with respect to Outsourcing:
          2.5.1 A Board-approved policy that sets out how the materiality of a proposed Outsourcing arrangement is assessed and requiring any material Outsourcing arrangements to be approved by the Board, or a committee of the Board;
          2.5.2 Policies and procedures to ensure that potential conflicts of interest are identified, managed and appropriately mitigated, or avoided;
          2.5.3 Policies and procedures that clearly identify and assign to the Bank’s departments, committees, internal control functions, or other individuals, the roles and responsibilities with regard to Outsourcing and determine in which cases and at which stage they should be involved;
          2.5.4 Policies and procedures to ensure all material risks related to Outsourcing are identified, measured, managed or mitigated, and reported to the Board in a timely and comprehensive manner;
          2.5.5 Ensuring that any outsourced critical business functions are covered in the Bank’s disaster recovery and business continuity plans, that Outsourcing service providers are fully prepared to implement them, and that Outsourcing service providers have their own disaster recovery and business continuity plans to resolve disruptions at their end.

        2.6 Banks must ensure that Outsourcing service providers maintain an appropriate level of information security, risk management, and service delivery.

        2.7 Banks are responsible for compliance with all relevant laws and regulations applicable to their outsourced activities.

      • Article 3: Outsourcing Register

        3.1 Banks must maintain a comprehensive and updated register of all Outsourcing arrangements, including both material and non-material Outsourcing arrangements, on a solo and Group-wide basis.

        3.2 This register must contain key information for each Outsourcing arrangement, and at a minimum:
          3.2.1 Key non-risk related data, such as the details of the Outsourcing service provider, start and end date of the arrangement, and a brief description of the service delivered;
          3.2.2 Whether the Outsourcing arrangement involves any Confidential Data; and
          3.2.3 Whether the Outsourcing arrangement is considered material.

      • Article 4: Data Protection

        4.1 Banks must ensure compliance with all the applicable UAE legislation and regulations in managing and processing data when Outsourcing.

        4.2 Banks must ensure that they retain ownership of all data provided to an Outsourcing service provider, and that their customers retain ownership of their data, including but not limited to Confidential Data, and can effectively exercise their rights and duties in this regard.

        4.3 Where the Outsourcing service provider subcontracts elements of the service which involve Confidential Data, Banks must ensure that the subcontractor fully complies with the applicable requirements as established by law and under this Regulation.

        4.4 Banks must ensure their data is secured from unauthorized access, including unauthorized access by the Outsourcing service provider or its staff.

      • Article 5: Outsourcing Agreements

        5.1 Outsourcing agreements must ensure that the Bank retains full ownership of the data it shares with the Outsourcing service provider, that its customers retain full ownership over their data, and that the Central Bank of the UAE can access this data upon request.

        5.2 Outsourcing agreements must ensure that the Bank has unfettered access to all of its data for the duration of the agreement, including upon termination of the agreement.

        5.3 Outsourcing agreements must include appropriate provisions to protect a Bank’s data, including non-disclosure agreements and provisions related to the destruction of the data after termination of the agreement.

        5.4 Outsourcing agreements must specifically establish standards for data protection, including any nationally recognised information assurance standards in the UAE.

        5.5 Outsourcing agreements must specifically establish that the Outsourcing service provider, or any of its subcontractors, must not provide any other party with access to Confidential Data without first obtaining the specific authorization of the Bank, or the customer, as the case may be.

        5.6 Outsourcing agreements must specify to what extent subcontracting is allowed and under which conditions.

        5.7 Outsourcing agreements must include an explicit provision giving the Central Bank, and any agent appointed by the Central Bank, access to the Outsourcing service provider. This provision must include the right to conduct on-site visits at the Outsourcing service provider if deemed necessary by the Central Bank, and require the Outsourcing service provider to provide the Central Bank, or its appointed agent, any data or information required for supervisory purposes.

        5.8 Outsourcing agreements must include an obligation for the Outsourcing service provider to notify the Bank without undue delay of any breach of the Bank’s data and in particular, breaches of Confidential Data.

        5.9 All Outsourcing must be governed by formal Outsourcing contracts between the Bank and the Outsourcing service provider.

      • Article 6: Outsourcing Outside the UAE

        6.1 Banks must ensure that the Master System of Record, which includes all Confidential Data, is continuously maintained and stored within the UAE.

        6.2 As an exception to paragraph (6.1) above and subject to Central Bank approval, branches of foreign banks may comply with this requirement by retaining a copy of the Master System of Record, updated on at least a daily basis, within the UAE.

        6.3 Bank customers’ Confidential Data must not be shared outside the UAE without Central Bank approval and obtaining prior written consent from the customer. Banks must also obtain written acknowledgement from the customer that his/her Confidential Data may be accessed under legal proceedings outside the UAE in such circumstances.

        6.4 Banks must not enter into an Outsourcing agreement that involves sharing Confidential Data with a service provider domiciled in a jurisdiction that cannot provide the same level of safeguarding of Confidential Data that would apply if the data was kept in the UAE. This applies to all jurisdictions relevant to the agreement.

        6.5 Any Outsourcing agreement with a party located outside the UAE must ensure that the Bank and the customer retain ownership of the data at all times, and that the Central Bank can access the Bank’s data upon request.

        6.6 Banks are not permitted to enter into an Outsourcing agreement that proposes the storage of data in any jurisdiction where bank secrecy, or other laws, restrict or limit access to data necessary for supervisory purposes.

        6.7 Banks must explicitly consider the possibility that changes in economic, political, social, legal or regulatory conditions may affect the ability of a service provider outside the UAE to fulfil the terms of the agreement. This risk must be managed by a careful selection of service providers and jurisdictions, adequate contractual and practical arrangements, and appropriate business continuity planning.

        6.8 Banks must explicitly consider any other relevant risks arising when the service provider is located outside the UAE. These may include but are not limited to:
          6.8.1 Higher levels of operational risk due to poor infrastructure in another jurisdiction;
          6.8.2 Legal risk due to differing laws and possible shortcomings in the legal system in the countries where the service is provided; and
          6.8.3 Reputation risk.

        6.9 A Bank must ensure compliance with all relevant personal data protection legislation and regulations prior to entering into an Outsourcing agreement with an Outsourcing service provider or third party outside the UAE.

        6.10 A Bank must establish policies and processes regarding controls and monitoring activities specifically addressing the business relationship of the Bank with an Outsourcing service provider which includes the sharing of Confidential Data outside the UAE.

        6.11 For each business relationship a Bank holds with an Outsourcing service provider which includes the sharing of Confidential Data outside the UAE, the Bank must define concrete security requirements and must ensure that its staff is sufficiently trained in respect of these requirements.

        6.12 Where the Outsourcing service provider subcontracts elements of the service which entail Confidential Data to other providers, the Bank must ensure that the subcontractor fully complies with the obligations contained in this Regulation related to the sharing of Confidential Data outside the UAE.

        6.13 Banks must ensure third parties implement and maintain the appropriate level of information security and service delivery.

        6.14 With regard to Outsourcing service providers located outside the UAE, the Central Bank may exercise its powers through collaboration with the relevant authorities of any relevant jurisdiction.

      • Article 7: Internal Audit and Compliance

        7.1 Outsourced activities remain fully in scope of the Bank’s internal audit and compliance responsibilities.

        7.2 The internal audit function must regularly review and report to the Board, or the Board audit committee, on compliance with and the effectiveness of the Bank’s Outsourcing policies and procedures.

        7.3 The compliance function must regularly review and report to Senior Management, or to the Board as necessary, on the compliance of Outsourcing service providers with the legislation, regulations and policies applicable to the Bank.

      • Article 8: Non-Objection by the Central Bank

        8.1 Prior to Outsourcing any material activity, including to any related party, Banks must obtain a prior notice of non-objection from the Central Bank.

        8.2 Although all requests for non-objection will be considered on their individual merits, the Central Bank will, in general, not permit the Outsourcing of core banking activities, and key management and control functions, including:
          8.2.1 Senior Management oversight;
          8.2.2 Risk management;
          8.2.3 Compliance;
          8.2.4 Internal audit; and
          8.2.5 Management of risk-taking functions including credit, investment and treasury management.

      • Article 9: Reporting Requirements

        9.1 Banks must regularly report to the Central Bank on their Outsourcing arrangements in the format and frequency prescribed by the Central Bank.

        9.2 Banks must provide upon request any specific information with respect to Outsourcing arrangements that the Central Bank may require.

        9.3 Banks must provide the Central Bank with their Outsourcing register, as required under Article 3 of this Regulation, upon the Central Bank’s request.

        9.4 Banks must immediately notify the Central Bank when they become aware of a material breach of the terms of an Outsourcing agreement, or other development with respect to an outsourced Material Business Activity, that has, or is likely to have, a significant impact on the Bank’s operations, reputation or financial condition.

      • Article 10: Islamic Banking

        10.1 A Bank offering Islamic financial services must ensure that its Outsourcing policies and arrangements, insofar as they relate to the offering of Islamic financial services, are consistent with Shari’ah rules and principles that would apply if the activity were undertaken by the Bank itself.

        10.2 A Bank offering Islamic financial services must ensure that its policies and procedures for the assessment of any proposed Outsourcing arrangement specifically consider operational and reputational risks from failure by the Outsourcing service provider to adhere to Shari’ah rules and principles.

      • Article 11: Enforcement

        11.1 Violation of any provision of this Regulation and Standards may be subject to supervisory action as deemed appropriate by the Central Bank.

        11.2 Supervisory action and administrative & financial sanctions by the Central Bank may include withdrawing, replacing or restricting the powers of Senior Management or members of the Board, providing for the interim management of the Bank, imposition of fines or barring individuals from the UAE banking sector.

        11.3 The Central Bank may require a Bank to terminate an Outsourcing arrangement when the arrangement is not, or is no longer, compliant with this Regulation, or where the Outsourcing presents undue risks to the soundness of the Bank, the security of Confidential Data, or to the financial system.

      • Article 12: Interpretation of Regulation

        The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

      • Article 13: Publication and Application

        13.1 This Regulation and accompanying Standards shall be published in the Official Gazette and shall come into effect one (1) month from the date of publication.

        13.2 All Outsourcing arrangements concluded or renewed after this Regulation comes into force must fully comply with the requirements of this Regulation.

        13.3 In any case, all Outsourcing agreements, including those concluded prior to the coming into force of this Regulation, must fully comply with this Regulation by no later than 31 December 2023.

                                 
      • Outsourcing Standards for Banks

        C 14/2021 STA
        • 1 Introduction

          These Standards form part of the Outsourcing Regulation for Banks (Circular No. 14/2021). All Banks are required to comply with these Standards, which expand on the Regulation and will be enforced by the Central Bank.

          Banks outsource activities for a variety of business reasons. However, there are risks associated with outsourcing and these risks must be appropriately managed to ensure that the Bank is able to meet its financial and service obligations, regardless of whether a business activity is undertaken by the Bank itself or outsourced.

          A Bank’s Board is in ultimate control of the Bank and accordingly, remains responsible for any business activities which have been outsourced. The Board is responsible for ensuring that all risks related to outsourcing are identified and that appropriate policies and procedures are in place to manage those risks.

          The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.

        • 2 Governance and Risk Management

          • 2.1 Risk Governance Framework

            Banks must have an appropriate risk governance framework in place in accordance with the Central Bank’s risk management Regulations and Standards. This risk governance framework must be comprehensive and include within its scope any outsourced business activities and specifically address the additional risks that arise when a business activity is outsourced, including but not limited to:

            1. Operational risk arising from inadequate processes or systems, insufficient or inadequately trained or supervised staff, fraud or error on the part of the outsourcing service provider;
            2. Compliance risk arising from failure by the Outsourcing Service Provider to adhere to laws and regulations or the Bank’s policies, standards or codes of conduct;
            3. Vendor lock-in and business continuity risk, arising from inadequate contractual and practical arrangements to ensure an outsourced business activity can be either transferred to another service provider or the Bank itself without undue delay, or discontinued without significantly disrupting the Bank’s operations, or its ability to manage risks;
            4. Concentration risk arising from relying on the same outsourcing service provider for multiple outsourcing arrangements, or from reliance by different outsourcing providers on the same subcontractor;
            5. Governance and internal control risk arising from excessive outsourcing as a whole, in a specific domain or department, or overreliance on third parties in the operation of the business;
            6. The aggregate risk from all outsourcing arrangements and the marginal risk of any proposed outsourcing arrangement.
          • 2.2 Policies and Procedures for the Assessment and Approval of Outsourcing Material Business Activities

            Banks must have policies and procedures to ensure compliance with the applicable regulations and standards and to ensure the following has been achieved prior to outsourcing a business activity:

            1. The Board or a committee of the Board has been adequately informed and has approved the outsourcing arrangement, as required;
            2. An appropriate due diligence review has been undertaken of the selected outsourcing service provider addressing factors including, but not limited to:
              a. Ability, including financial capacity, to meet the requirements of the arrangement and deliver the service reliably;
              b. Experience with similar agreements and services;
              c. Governance, internal control, internal audit, reporting and monitoring capabilities;
              d. Security, including cyber security;
              e. Staffing, including employee qualifications and expertise; and
              f. Country risk factors and legal environment where applicable.
            3. Procedures are implemented to monitor performance under the outsourcing agreement;
            4. Appropriate provisions for business continuity and disaster recovery are in place, including contingency plans to bring the outsourced function back in-house should the need arise, or the identification of alternative outsourcing service providers.
          • 2.3 Materiality of Outsourcing Arrangements

            Banks must consider at least the following when determining the materiality of an outsourcing agreement:

            1. The impact on the Bank’s ability to manage and control its risks;
            2. The impact on the Bank’s performance and control over its performance;
            3. The impact of an outsourcing service provider’s failure to deliver the service as per the agreement, including failures to mitigate risks or to operate in a safe and prudent manner;
            4. The impact on the Bank’s ability to comply with its legal and regulatory requirements;
            5. The nature of the data shared as part of the outsourcing agreement.
        • 3 Outsourcing Register

          The aim of the outsourcing register is to provide both internal parties as well as external parties, such as external auditors or the Central Bank, with a comprehensive overview of a Bank’s outsourcing. In order to meet these objectives, an outsourcing register should be established and maintained that is:

          1. Comprehensive;
          2. Up to date;
          3. Distinguishes between material and non-material outsourcing;
          4. Distinguishes between varying levels of risk;
          5. Specifies whether data is being shared and, if so, what type of data.
        • 4 Data Protection

          Banks must ensure that outsourcing agreements provide for at least the same degree of data protection that would apply if they performed the outsourced activity themselves. Banks must therefore establish adequate policies and procedures, and take all necessary steps to ensure data integrity, confidentiality, and accessibility. At a minimum, these policies and measures must address, for both digital and physical access, the following:

          1. Access rights management, including but not limited to policies for granting and revoking access rights and a periodic review of user privileges;
          2. Protection against digital and physical attacks;
          3. Protection of the integrity of data;
          4. Audit trails;
          5. Measures to detect, react to, and recover from data security incidents.
        • 5 Outsourcing Agreements

          • 5.1 Required Minimum Content

            Outsourcing agreements should establish a degree of certainty with regard to at least the following:

            1. Scope of the arrangement, the services to be supplied, and the rights and responsibilities of all parties involved;
            2. Pricing and fee structure;
            3. Service level and performance requirements;
            4. Governance, security, audit, reporting and monitoring procedures;
            5. Business continuity and disaster recovery management;
            6. Confidentiality, privacy and security of information;
            7. Default arrangements and termination provisions, addressing also premature termination for any reason;
            8. Liability, indemnity and insurance;
            9. Compliance with anti-money laundering and combatting the financing of terrorism laws and regulations;
            10. Start and end date of the agreement, and provisions for reviewing, renewing or terminating the agreement;
            11. Dispute resolution arrangements, including designation of the legal jurisdictions that will apply;
            12. Whether subcontracting is allowed and under which conditions;
            13. Protection of the Bank’s and its customers’ data handled as part of the agreement;
            14. Requirements for the outsourcing service provider to notify the Bank without undue delay of any breach of the Bank’s data, in particular breaches of Confidential Data; and
            15. Right of the Central Bank, and any agent appointed by the Central Bank, to conduct on-site visits at the outsourcing service provider and obtain any data or information from the outsourcing service provider required for supervisory purposes.
          • 5.2 Access to the Outsourcing Service Provider by the Central Bank

            The Central Bank requires the same access for supervisory purposes to business activities that have been outsourced as it would have if the business activity were undertaken by the Bank itself.

            Normally, the Central Bank will obtain any information it requires from the Bank. However, each outsourcing agreement must include explicit provisions requiring the outsourcing service provider to provide directly to the Central Bank, upon request, any data or information the Central Bank deems necessary for supervisory purposes.

            In addition, outsourcing agreements must provide that the Central Bank and any agent appointed by the Central Bank, may, if deemed necessary, conduct on-site visits at the outsourcing service provider with right of access to data and staff as if the activity were undertaken by the Bank.

        • 6 Outsourcing Outside the UAE

          Banks must consider the risks associated with outsourcing business activities to outsourcing service providers that are located, or whose subcontractors are located, in other jurisdictions, and must manage or mitigate these risks.

        • 7 Internal Audit and Compliance

          Outsourced activities must remain fully in scope of the internal audit and compliance responsibilities and should follow the same risk-based approach as for activities performed by the Bank itself, while taking into account the additional risks arising from outsourcing these activities.

          The internal audit function of the Bank must be able to obtain all information necessary to provide assurance to the Board, and must be able to demand an extension of the scope of audits performed by third parties where necessary.

        • 8 Non-Objection by the Central Bank

          Prior to entering into an agreement to outsource a material business activity, Banks must obtain the non-objection of the Central Bank. When requesting the non-objection, Banks must provide the Central Bank with the following at a minimum:

          1. A brief explanation of the business activity to be outsourced;
          2. A summary of the materiality assessment;
          3. A summary of the risk assessment;
          4. A summary of the due diligence performed and its outcome;
          5. A confirmation of the agreement of the internal audit function and the compliance function;
          6. An overview of any closely related outsourcing agreements;
          7. Confirmation of compliance with the requirements of the Outsourcing for Banks Regulation;
          8. Evidence of the approval of the proposed outsourcing by the Board or Board committee.

          The Central Bank will either grant the non-objection or request further information. Banks are encouraged to discuss their material outsourcing plans early on and coordinate with the Central Bank to avoid the non-objection process delaying the outsourcing.

        • 9 Reporting Requirements

          Banks must regularly report to the Central Bank on their outsourcing arrangements in the format and frequency prescribed by the Central Bank.

        • 10 Islamic Banking

          A bank offering Islamic financial services must ensure that its Sharī’ah governance system explicitly considers Sharī’ah rules and principles with respect to any outsourced activities. The rules and principles are those that would apply if the bank itself performed the activity. A bank offering Islamic financial services must also ensure that its policies and procedures for the review and approval of any proposed outsourcing arrangements explicitly address the risk that Outsourcing Service Providers may be unfamiliar with requirements relating to Sharī’ah rules and principles.

          Ensuring Shari’ah compliance for individual products requires that the entire product cycle takes into account Shari’ah rules and principles, even if some activities related to specific products are outsourced, so a bank offering Islamic financial services must include in its outsourcing agreements any necessary measures to mitigate the operational and reputational risks of Shari’ah non-compliance.