The Board must issue and annually update a written policy regulating outsourcing. This policy shall include in particular the following:
a.
terms of reference and responsibilities of the Board and Senior Management;
b.
eligibility criteria for outsourcing provider;
c.
risk identification criteria and risk hedging measures;
d.
rules for continuous control and supervision over the outsourced operations;
e.
criteria to identify conflict of interest as well as rules and procedures which ensure safeguarding the interests of the Consumer Microfinance Company and not putting the interest of the other party over the company's interest; and
f.
procedures to protect information and maintain confidentiality and privacy.
2.
SAMA, the Consumer Microfinance Company, and the external auditor must have the authority to obtain any information or documents related to the work of the outsourcing provider or be examined in the offices of the outsource provider.
3.
A Consumer Microfinance Company shall verify the outsourcing provider’s compliance with relevant laws, regulations and instructions. The Consumer Microfinance Company shall be held liable if the outsourcing provider shows lack of compliance with the applicable laws, regulations and instructions in all operations and tasks assigned to it.
4.
A Consumer Microfinance Company must obtain a non-objecting letter from SAMA prior to any outsourcing arrangement that, in case of disruption or other default, may affect the consumer microfinance company’s activities, reputation or financial situation, or if the tasks assigned include transferring, processing or saving the data and information of borrowers. In this case, the outsourcing provider may not subcontract these tasks to any other provider.
