IV. Outsourcing Policy and Procedures
15. The policy and procedures should cover, at minimum, all requirements stated below.
H. Assessment of Outsourcing Options
16. Banks must be able to demonstrate to SAMA that, in assessing the options for outsourcing a Material business function or activity to a third party, they have:
a) Prepared and analyzed a business case for outsourcing the Material business function or activity;
b) Analyzed the impact of the outsourcing on the overall risk profile and its impact on systems and controls within the bank;
c) Undertaken a tender or other selection process for third-party service providers;
d) Undertaken a due diligence review of the chosen third-party service providers and their financial, technical and ethical capabilities;
e) Considered the risk arising from outsourcing multiple activities to the same third-party service provider;
f) Involved the Board, its delegated authority or a Board committee in approving the agreement;
g) Put in place a comprehensive outsourcing agreement;
h) Established procedures for monitoring performance under the outsourcing agreement on a continuing basis;
i) Addressed the renewal process for outsourcing agreements and how the renewal will be conducted; and
j) Developed contingency plans that would enable the outsourced business function or activity to be provided by an alternative third-party service provider or brought in-house, if required.
17. Banks are required to ensure that the process of awarding outsourcing contracts is free from any conflict of interest. Banks must declare to SAMA any affiliation or relationship with the third-party service provider.
I. Contractual Arrangements
18. Banks should document all their outsourcing arrangements through a written and legally binding agreement. As a minimum, the contract should incorporate the following:
a) Scope of the Contract;
b) Regulatory status (legal entity and registration) of the third-party service provider;
c) Service levels and performance requirements;
d) Audit and monitoring procedures;
e) Business continuity plans;
f) Default arrangements, termination clause and minimum periods to execute a termination provision. The clause should take into account insolvency or any material changes;
g) Pricing and fee structure;
h) Dispute resolution mechanisms;
i) Liability and indemnity;
j) Confidentiality, privacy and security of information;
k) Ensuring access to SAMA and the Bank's internal and external auditors;
l) Compliance with all applicable regulatory and legal requirements;
m) Contractual obligations of the third-party service provider in case of subcontracting all or part of the outsourcing;
n) Mechanisms for reporting and escalation;
o) Commitment of the third-party service provider to report to the bank any control weaknesses or adverse developments in its financial performance;
p) Commitment of a foreign third-party service provider that there are no regulatory impediments to the data and record access as per Articles 33 and 34 of these rules.
19. The contract should allow for renewal, renegotiation, default termination and early exit, to enable the bank to retain control over the outsourced function or activity and should include provisions that prohibit sub-contracting of the Material outsourcing under the contract without the prior approval of the Bank and no objection from SAMA.
20. The contract should also incorporate a clause for providing SAMA access to documentation and accounting records in relation to the outsourcing arrangements. The contract should require the third-party service provider to cooperate with SAMA.
21. The contract should preferably include Saudi Arabia as the legal jurisdiction of the contract.
22. Banks should institute a defined internal mechanism for receipt and resolution of any customer complaints regarding their outsourced services, and the outsourcing contract should include appropriate clauses to ensure that the third-party service provider will facilitate the resolution mechanism.
J. Material Outsourcing
23. Proposals for all Material outsourcing should be submitted in writing for SAMA no objection at least 15 business days (for domestic banks) or 30 days (for foreign banks) before the proposed commencement of the outsourcing arrangement.
K. Data Confidentiality and Security
24. Banks should ensure that, prior to providing customer and financial data to a third-party service provider, the proposed outsourcing arrangement complies with the relevant statutory requirements related to the confidentiality of its customers, in particular with the provisions of Article 19 of the Banking Control Law dated 22/2/1386 H, the regulations and instructions issued by SAMA, and other relevant local laws.
25. Banks should establish appropriate safeguards to protect the integrity and confidentiality of customer and financial data.
26. Upon termination of the outsourcing arrangement and contract, banks should ensure that any sensitive/confidential data is either retrieved from the third-party service provider or destroyed in a controlled manner, with any exceptions to be reported immediately to SAMA.
L. Control and Monitoring of Outsourcing
27. Banks should set up an internal structure to effectively control, monitor and manage all of their outsourcing activities, and to provide timely reports to senior management, depending on the level and complexity of the outsourcing activities.
28. In case of poor performance by a third-party service provider, banks must account for potential additional costs, which may accrue if the bank decides to change the third-party service provider, move the activity in-house or even exit the business. Banks should negotiate those possibilities and specify them in the contract.
M. Risk Assessment
29. The Board of Directors should ensure the existence of relevant policies and procedures that would require existing and proposed outsourcing arrangements to be subjected to a comprehensive risk review process. The risk review process should identify and evaluate the exposure relating to operational, legal, financial, reputational and regulatory risks and assess the risk mitigation strategies. This should be undertaken by:
a) Conducting a comprehensive risk evaluation of the outsourcing at inception and for all subsequent renewals.
b) Evaluating the risk of outsourcing at inception and then reviewing it at renewal only in case of a change in scope or the occurrence of operational errors, etc.
30. In analyzing the business case and the suitability of the third-party service provider, the level and extent of due diligence should depend on the nature of the outsourcing arrangement, i.e. Material outsourcing will entail a more comprehensive exercise. At a minimum:
a) Banks should ensure that the third-party service provider has the ability, capacity and authorization to perform the outsourced function reliably and professionally.
b) Banks must establish a method for periodically assessing the third-party service provider.
c) The Bank must retain the necessary expertise to supervise the outsourced functions effectively.
N. Business Continuity Management
31. Banks should ensure that their business continuity is not compromised by any outsourcing arrangements. For all Material outsourcing, banks should have a separate contingency plan for each outsourcing arrangement, which outlines the procedures to be followed in the event that the arrangement is suddenly terminated or the third-party service provider is unable to fulfill its obligations under the outsourcing agreement for any reason.
32. Banks should document within their business continuity plans the availability of alternate third-party service providers, or the procedures and time for selecting an alternative third-party service provider. In addition, banks must establish a procedure for bringing the outsourced function in-house for each of their Material outsourcing contracts, should they choose to do so.
O. Access to Outsourced Data
33. Banks are required to ensure that for all outsourcing arrangements, SAMA has unrestricted and timely access to current and accurate records pertaining to the outsourcing as per Articles 17 and 18 of the Banking Control Law dated 22/2/1386 H (11/6/1966).
34. Banks are also required to ensure that for all outsourcing arrangements, SAMA has unrestricted access to data pertaining to the outsourcing if located at the premises of the third-party service provider, and SAMA and the banks' auditors must be able to exercise those rights of access.
P. Monitoring the Relationship
35. Banks must ensure they have sufficient and appropriate resources to manage and monitor the outsourcing relationship. The type and extent of resources required will depend on the materiality of the outsourced business function or activity. At a minimum, monitoring must include:
a) Maintaining appropriate levels of regular contact with the third-party service provider. This will range from daily operational contact to senior management involvement; and
b) A process for regular monitoring of performance under the agreement, including meeting criteria concerning service levels.
36. Banks should immediately report any breaches of legal and/or regulatory requirements, or any adverse developments and problems affecting the outsourcing arrangement, to SAMA. The report should also include measures proposed and taken for continuity of the service.
37. Where a Material outsourcing agreement is terminated, banks must notify SAMA immediately and provide a statement about the transition arrangements and future strategies for carrying out the outsourced material business function or activity.
Q. Audit Arrangements
38. Banks' internal audit function must audit Material outsourced activities on a regular basis and report to the Board or Board Audit Committee on compliance with the outsourcing policy.
39. SAMA may request an appropriate external expert to provide an assessment of the risk management processes in place in regard to the outsourcing of a Material business function or activity. This could cover areas such as information technology systems, data security, internal control frameworks and business continuity plans.
R. Documentation Requirements
40. Banks are required to keep a register of all their outsourcing arrangements. The documentation for each outsourcing arrangement should include at least the following information:
With regard to the outsourcing arrangement:
a) A reference number for each outsourcing arrangement;
b) A brief description of the function that is outsourced;
c) Whether it is considered Material or not, the reasons why it is considered as such and the date of the last respective assessment; and
d) Whether or not personal and confidential data is processed, transferred or held by the third-party service provider.
With regard to the third-party service provider:
a) Their name and registered address; and
b) Location of the third-party service provider.
In addition, the outsourcing register should include at least the following information with regard to the outsourcing of Material functions:
a) The date of the last risk assessment and a brief summary of the main results;
b) The individual or decision-making body or committee in the bank that approved the outsourcing arrangement;
c) The commencement date and, as applicable, the expiry date and/or notice periods; and
d) The date of the last and next scheduled audit, where applicable.