Book traversal links for Article 6: Outsourcing Outside the UAE
Article 6: Outsourcing Outside the UAE
C 14/2021 Effective from 31/5/2021- 6.1 Banks must ensure that the Master System of Record, which includes all Confidential Data, is continuously maintained and stored within the UAE.
- 6.2 As an exception to paragraph (6.1) above and subject to Central Bank approval, branches of foreign banks may comply with this requirement by retaining a copy of the Master System of Record, updated on at least a daily basis, within the UAE.
- 6.3 Banks customer’s Confidential Data must not be shared outside the UAE without Central Bank approval and obtaining prior written consent from the customer. Banks must also obtain written acknowledgement from the customer that his/her Confidential Data may be accessed under legal proceedings outside the UAE in such circumstances.
- 6.4 Banks must not enter into an Outsourcing agreement that involves sharing Confidential Data with a service provider domiciled in a jurisdiction that cannot provide the same level of safeguarding of Confidential Data that would apply if the data was kept in the UAE.
This applies to all jurisdictions relevant to the agreement.
- 6.5 Any Outsourcing agreement with a party located outside the UAE, must ensure that the Bank and the customer retain ownership of the data at all times, and that the Central Bank can access the Bank’s data upon request.
- 6.6 Banks are not permitted to enter into an Outsourcing agreement that proposes the storage of data in any jurisdiction where bank secrecy, or other laws, restrict or limit access to data necessary for supervisory purposes.
- 6.7 Banks must explicitly consider the possibility that changes in economic, political, social, legal or regulatory conditions may affect the ability of a service provider outside the UAE to fulfil the terms of the agreement.
This risk must be managed by a careful selection of service providers and jurisdictions, adequate contractual and practical arrangements, and appropriate business continuity planning.
- 6.8 Banks must explicitly consider any other relevant risks arising when the service provider is located outside the UAE. These may include but are not limited to:
- 6.8.1 Higher levels of operational risk due to poor infrastructure in another jurisdiction;
- 6.8.2 Legal risk due to differing laws and possible shortcomings in the legal system in the countries where the service is provided; and
- 6.8.3 Reputation risk.
- 6.8.1 Higher levels of operational risk due to poor infrastructure in another jurisdiction;
- 6.9 A Bank must ensure compliance with all relevant personal data protection legislations and regulations prior to entering into an Outsourcing agreement with an Outsourcing service provider or third party outside the UAE.
- 6.10 A Bank must establish policies and processes regarding controls and monitoring activities specifically addressing the business relationship of the Bank with an Outsourcing service provider, which includes the sharing of Confidential Data outside the UAE.
- 6.11 For each of its business relationships a Bank holds with an Outsourcing service provider, which includes the sharing of Confidential Data outside the UAE, the Bank must define concrete security requirements and must ensure that its staff is sufficiently trained in respect of these requirements.
- 6.12 Where the Outsourcing service provider subcontracts elements of the service to other providers, which entail Confidential Data, the Bank must ensure that the subcontractor fully complies with the obligations contained in this Regulation related to the sharing of Confidential Data outside the UAE.
- 6.13 Banks must ensure third parties implement and maintain the appropriate level of information security and service delivery.
- 6.14 With regard to Outsourcing service providers located outside the UAE, the Central Bank may exercise its powers through collaboration with the relevant authorities of any relevant jurisdiction.