Rules on Outsourcing
No: 41027017 Date(g): 15/12/2019 | Date(h): 18/4/1441 Status: In-Force
I. Introduction
A. Background
1. Banks are increasingly using third party services to carry out activities, functions and processes through outsourcing arrangements. While outsourcing can bring down cost and provide other benefits, it may increase the risk profile of an institution through such risks as strategic, reputation, compliance, financial and operational risks arising from failure of a third-party or a related party service provider in providing the service, breaches in security, or inability of the institution to comply with legal and regulatory requirements. Banks can also be exposed to country risk when a third-party or a related party service provider is located overseas, and to systemic risk when there is a lack of control by a group of banks over a common third-party service provider. It is therefore important that banks adopt a sound and responsive risk management framework when outsourcing. These requirements aim to ensure that all outsourcing arrangements are subjected to appropriate due diligence, approval and ongoing monitoring. All risks arising from outsourcing must be appropriately managed to ensure that the bank is able to meet both its financial and service obligations to its depositors.
2. These rules supersede the existing SAMA Rules on Outsourcing issued vide SAMA circular no. 34720/B.C.S dated 20 July 2008 and Outsourcing for Foreign Bank Branches issued vide SAMA circular no. 391000014241 dated 06/02/1439 H.
B. Definitions
3. Unless otherwise stated, the key terms used in this document are set out below.
Banking agent: A legal entity authorized by SAMA to provide financial services on behalf of a commercial bank based on the Regulation of Agent Banking (circular No. 37541/67 dated 1440/06/15 H).
Board or Board of Directors: a) In the case of an institution incorporated in Saudi Arabia, the Board of Directors.
b) In the case of an institution incorporated outside Saudi Arabia, a local board, a management committee or a body beyond local management empowered with oversight and supervision responsibilities for the institution in Saudi Arabia.
Customer data: Any information or document relating to the affairs or account of a customer (whether held physically or electronically and whether held by the Banks themselves or by a Third Party Service Provider on their behalf).
Financial data: All financial data, including books of accounts, general and sub-ledgers, financial statements and other financial data other than Customer Data.
Insourcing: An arrangement where a Bank utilizes personnel provided under a contract with a Third Party Service Provider to undertake certain functions within or outside the Bank's premises, under its direct supervision, control and management.
Material outsourcing: Outsourcing of a function or activity that has the potential, if disrupted, to have a material impact on the bank's business operations or its ability to manage risks effectively. Materiality can be assessed by taking the following into consideration:
a) The financial, operational and reputational impact of a failure of the third party service provider to perform over a given period.
b) The cost of the outsourcing arrangement as a share of total cost of operations.
c) The degree of difficulty, including the time taken, in finding an alternative third party service provider or bringing the business function or activity in-house.
d) The ability of the bank to meet regulatory requirements if there are problems with the third party service provider.
e) Potential losses to the bank's customers and other affected parties in the event of a third party service provider failure.
f) Affiliation or other relationship between the bank and the third party service provider.
g) Sharing of any customer data, whether personal, financial or credit.
h) Sharing of any non-published financial data with a third party service provider.
i) The complexity of the outsourced function or activity, i.e. the number of parties involved in the function or activity, including subcontractors.
Outsourcing: An arrangement whereby a bank contracts another party (domestic or foreign) to perform, on a continuing basis, a business function or activity which currently is, or could be, undertaken by the bank itself.
Overseas: Entities located outside Saudi Arabia and subject to the laws and regulations of the jurisdiction in which they are located.
Third-party service provider: An entity undertaking the outsourced activity on behalf of the Banks. (Head Offices and related entities of Foreign Bank Branches operating in KSA are not considered Third-Party Service Providers.)
II. Applicability of the Rules
C. Level of Application
4. The rules are applicable to banks licensed under the Banking Control Law (Royal Decree No. M/5 dated 22/2/1386 H), including all branches of local and foreign banks and banking subsidiaries ("Banks") located in Saudi Arabia. The banks are required to ensure that their branches and subsidiaries located overseas are aware of these rules.
D. Scope
5. The rules set out in this document enumerate SAMA's requirements of banks that have entered or are planning to enter into outsourcing arrangements. These rules are applicable to all outsourcing arrangements with domestic as well as foreign third party and related party (in the case of foreign bank branches) service providers.
6. Insourcing contracts utilizing third party personnel under the direct supervision, control and management of Banks are exempt from the purview of these outsourcing Rules.
7. In addition to the above, the following are examples of activities that are not considered as part of outsourcing arrangements:
a) Contractual arrangement with market information data providers (e.g. provision of data by Bloomberg, Moody's, Standard & Poor's, Fitch).
b) Clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members.
c) Correspondent banking relationship arrangements.
d) Utilities services (e.g. electricity, gas, water, telephone line).
E. Related Regulations and "No Objections" Requirements
8. While deciding to outsource any function, banks should ensure that outsourcing does not reduce the protection available to depositors nor be used as a way of avoiding compliance with regulatory requirements. It is the responsibility of the bank to continue to satisfy all regulatory and legal requirements when entering into any outsourcing arrangements.
9. Banks are not allowed to outsource any services or activities mentioned in Article 19 of the Regulation of Agent Banking issued under circular No. 37541/67 dated 15/06/1440 H.
10. Banks are explicitly required to obtain a written "no objection" from SAMA for Material outsourcing to Third Party Service Providers.
III. Governance
F. Board of Directors
11. The Board of Directors of the bank retains the ultimate responsibility for the outsourcing policy and all outsourcing arrangements, including compliance with all relevant legal and regulatory requirements. The bank and the Board are responsible for complying with all prudential requirements relating to the outsourced business activity.
12. The Board of Directors should ensure that appropriate policies are developed and implemented within the proper risk management framework for outsourcing arrangements. The Board or its delegated authority must approve the bank's outsourcing policy, which must set out its approach to outsourcing of Material business activities, including a detailed framework for managing all outsourcing arrangements.
G. Reporting Requirements
13. Banks are required to notify SAMA of any breaches of legal or regulatory requirements in their outsourcing arrangements. In such event, SAMA may require the bank to modify or cancel the arrangement, or re-integrate an outsourced function into the organization.
14. All Banks are required to provide an annual report of their outsourcing activities, using the prudential return in Annex 1, as of the end of each year, to be sent within 30 business days to BankingDataSection@SAMA.GOV.SA.
IV. Outsourcing Policy and Procedures
15. The policy and procedures should cover, at minimum, all requirements stated below.
H. Assessment of Outsourcing Options
16. Banks must be able to demonstrate to SAMA that, in assessing the options for outsourcing a Material business function or activity to a third party, they have:
a) Prepared and analyzed a business case for outsourcing the Material business function or activity;
b) Analyzed the impact of the outsourcing on the overall risk profile and its impact on systems and controls within the bank;
c) Undertaken a tender or other selection process for third-party service providers;
d) Undertaken a due diligence review of the chosen third-party service provider and its financial, technical and ethical capabilities;
e) Considered the risk arising from outsourcing multiple activities to the same third-party service provider;
f) Involved the Board or its delegated authority or a Board committee, in approving the agreement;
g) Put in place a comprehensive outsourcing agreement;
h) Established procedures for monitoring performance under the outsourcing agreement on a continuing basis;
i) Addressed the renewal process for outsourcing agreements and how the renewal will be conducted; and
j) Developed contingency plans that would enable the outsourced business function or activity to be provided by an alternative third-party service provider or brought in-house, if required.
17. Banks are required to ensure that the process of awarding outsourcing contracts is free from any conflict of interest. Banks must declare to SAMA any affiliation or relationship with the third-party service provider.
I. Contractual Arrangements
18. Banks should document all their outsourcing arrangements through a written and legally binding agreement. As a minimum, the contract should incorporate the following:
a) Scope of the Contract;
b) Regulatory status (legal entity and registration) of the third party service provider;
c) Service levels and performance requirements;
d) Audit and monitoring procedures;
e) Business continuity plans;
f) Default arrangements, termination clause and minimum periods to execute termination provisions. The clause should take into account insolvency or any material changes;
g) Pricing and fee structure;
h) Dispute resolution mechanisms;
i) Liability and indemnity;
j) Confidentiality, privacy and security of information;
k) Ensuring access to SAMA and the Bank's internal and external auditors;
l) Compliance with all applicable regulatory and legal requirements;
m) Contractual obligations of the third-party service provider in case of subcontracting all or part of the outsourcing;
n) Mechanisms for reporting and escalation;
o) Commitment of the third-party service provider to report to the bank any control weaknesses or adverse developments in its financial performance;
p) Commitment of a foreign third-party service provider that there are no regulatory impediments to data and record access as per Articles 33 and 34 of these rules.
19. The contract should allow for renewal, renegotiation, default termination and early exit, to enable the bank to retain control over the outsourced function or activity and should include provisions that prohibit sub-contracting of the Material outsourcing under the contract without the prior approval of the Bank and no objection from SAMA.
20. The contract should also incorporate a clause for providing SAMA access to documentation and accounting records in relation to the outsourcing arrangements. The contract should require the third-party service provider to cooperate with SAMA.
21. The contract should preferably include Saudi Arabia as the legal jurisdiction of the contract.
22. Banks should institute a defined internal mechanism for receipt and resolution of any customer complaints regarding their outsourced services and the outsourcing contract should include appropriate clauses to ensure that the third party service provider will facilitate the resolution mechanism.
J. Material Outsourcing
23. Proposals for all Material outsourcing should be submitted in writing for SAMA's no objection at least 15 business days (for domestic banks) or 30 days (for foreign banks) before the proposed commencement of the outsourcing arrangement.
K. Data Confidentiality and Security
24. Banks should ensure that, prior to providing customer and financial data to a third-party service provider, the proposed outsourcing arrangement complies with the relevant statutory requirements relating to the confidentiality of their customers, in particular the provisions of Article 19 of the Banking Control Law dated 22/2/1386 H, the regulations and instructions issued by SAMA, and other relevant local laws.
25. Banks should establish appropriate safeguards to protect the integrity and confidentiality of customer and financial data.
26. Upon termination of the outsourcing arrangement and contract, banks should ensure that any sensitive/confidential data is either retrieved from the third-party service provider or destroyed in a controlled manner, with any exceptions to be reported immediately to SAMA.
L. Control and Monitoring of Outsourcing
27. Banks should set up an internal structure to effectively control, monitor and manage all of their outsourcing activities, and to provide timely reports to senior management, depending on the level and complexity of the outsourcing activities.
28. In case of poor performance by a third-party service provider, banks must account for the potential additional costs that may accrue if the bank decides to change the third party service provider, move the activity in-house or even exit the business. Banks should negotiate these possibilities and specify them in the contract.
M. Risk Assessment
29. The Board of Directors should ensure the existence of relevant policies and procedures that require existing and proposed outsourcing arrangements to be subjected to a comprehensive risk review process. The risk review process should identify and evaluate the exposure relating to operational, legal, financial, reputational and regulatory risks and assess the risk mitigation strategies. This should be undertaken by:
a) Conducting a comprehensive risk evaluation of the outsourcing at inception and for all subsequent renewals.
b) Evaluating the risk of outsourcing at inception and then reviewing it at renewal only in the case of a change in scope or the occurrence of operational errors, etc.
30. In analyzing the business case and the suitability of the third-party service provider, the level and extent of due diligence should depend on the nature of the outsourcing arrangement, i.e. Material outsourcing will entail a more comprehensive exercise. At a minimum:
a) Banks should ensure that the third-party service provider has the ability, capacity and authorization to perform the outsourced function reliably and professionally.
b) Banks must establish a method for periodically assessing the third-party service provider.
c) The Bank must retain the necessary expertise to supervise the outsourced functions effectively.
N. Business Continuity Management
31. Banks should ensure that their business continuity is not compromised by any outsourcing arrangements. For all Material outsourcing, banks should have a separate contingency plan for each outsourcing arrangement, which outlines the procedures to be followed in the event that the arrangement is suddenly terminated or the third-party service provider is unable to fulfill its obligations under the outsourcing agreement for any reason.
32. Banks should document within their business continuity plans the availability of alternative third-party service providers, or the procedures and time required for selecting an alternative third-party service provider. In addition, banks must set out a procedure for bringing the outsourced function in-house for each of their Material outsourcing contracts.
O. Access to Outsourced Data
33. Banks are required to ensure that for all outsourcing arrangements, SAMA has unrestricted and timely access to current and accurate records pertaining to the outsourcing as per Articles 17 and 18 of the Banking Control Law dated 22/2/1386 H (11/6/1966).
34. Banks are also required to ensure that for all outsourcing arrangements, SAMA has unrestricted access to data pertaining to the outsourcing, if located at the premises of the third-party service provider; and SAMA and the Banks' auditors must be able to exercise those rights of access.
P. Monitoring the Relationship
35. Banks must ensure they have sufficient and appropriate resources to manage and monitor the outsourcing relationship. The type and extent of resources required will depend on the materiality of the outsourced business function or activity. At a minimum, monitoring must include:
a) Maintaining appropriate levels of regular contact with the third-party service provider. This will range from daily operational contact to senior management involvement; and
b) A process for regular monitoring of performance under the agreement, including meeting criteria concerning service levels.
36. Banks should immediately report to SAMA any breaches of legal and/or regulatory requirements or any adverse developments and problems affecting the outsourcing arrangement. The report should also include the measures proposed and taken for continuity of the service.
37. Where a Material outsourcing agreement is terminated, banks must notify SAMA immediately and provide a statement about the transition arrangements and future strategies for carrying out the outsourced material business function or activity.
Q. Audit Arrangements
38. Banks' internal audit function must audit Material outsourced activities on a regular basis and report to the Board or Board Audit Committee on compliance with the outsourcing policy.
39. SAMA may request an appropriate external expert to provide an assessment of the risk management processes in place in regards to the outsourcing of a Material business function or activity. This could cover areas such as information technology systems, data security, internal control frameworks and business continuity plans.
R. Documentation Requirements
40. Banks are required to keep a register of all their outsourcing arrangements. The documentation for each outsourcing arrangement should include at least the following information:
With regard to the outsourcing arrangement:
a) A reference number for each outsourcing arrangement;
b) A brief description of the function that is outsourced;
c) Whether it is considered Material or not, the reasons why it is considered as such and the date of the last respective assessment; and
d) Whether or not personal and confidential data is processed, transferred or held by the third party service provider.
With regard to the third party service provider:
a) Their name and registered address; and
b) Location of third party service provider.
In addition, the outsourcing register should include at least the following information with regard to the outsourcing of Material functions:
a) The date of the last risk assessment and a brief summary of the main results;
b) The individual or decision-making body or committee in the bank that approved the outsourcing arrangement;
c) The commencement date and, as applicable, the expiry date and/or notice periods; and
d) The date of the last and next scheduled audit, where applicable.
V. Outsourcing to Third-Party Service Providers Located Overseas
41. The outsourcing of activities by banks to third-party service providers located overseas exposes them to a number of additional risks, including the foreign country's economic, political, regulatory, legal and infrastructure conditions. Furthermore, an outsourcing activity involving transmission to and retention of customer and financial data by a third-party service provider located overseas raises a number of risks. These include potential breach of customer confidentiality (as stated in Article 19 of the Banking Control Law), access to customer data by foreign regulatory and/or judicial authorities, the right of access by SAMA to the third-party service provider's overseas operations, and any restrictions and/or delays on the timely provision of data to SAMA as required under Articles 17 and 18 of the Banking Control Law.
42. For any proposed outsourcing arrangements to a third-party service provider located overseas, banks are required to seek a written SAMA no objection and provide the following information to SAMA with their request:
a) Details of the function to be outsourced;
b) Categorization of the function (Material and non-Material outsourcing);
c) Rationale for outsourcing (including why it cannot be done within KSA);
d) Details on the third-party service provider located overseas;
e) Details on the nature and disposal of the data to be transferred (if applicable);
f) Legal opinion confirming that the outsourcing arrangement is in compliance with Banking Control Law and other regulations; and
g) Confirmation in writing by the Bank supported by a legal opinion confirming SAMA's right of access to the outsourcing activity at the third-party service provider.
VI. Outsourcing for Foreign Bank Branches (Material and Non-Material)
43. Foreign bank branches are required to book KSA business in the Saudi branch, unless SAMA otherwise agrees to an alternative treatment for specific business activities where local booking is not practical.
44. Foreign bank branches are required to maintain appropriate and sufficient local staffing to demonstrate adequate local control over the KSA business and compliance with all of SAMA's prudential requirements applicable to foreign bank branches. However, during the initial stages of a foreign bank branch operations in the Kingdom, SAMA would take a reasonable and proportionate view of local staffing requirements keeping in view the nature, scale, size and complexity of their business.
45. Key management responsibilities, such as business decision-making, along with functions such as compliance and Anti-Money Laundering (AML)/Combatting the Financing of Terrorism (CFT), are not allowed to be outsourced. Foreign bank branches may decide on the outsourcing model for other functions (e.g. Internal Audit, Risk Management) based on the nature, scale and complexity of the branch. Outsourcing to Head Office or a related party does not diminish the obligations of the foreign bank branch, and those of its management, to comply with relevant laws and regulations in Saudi Arabia.
46. The outsourced operation to the head office/other group member must be audited annually by the group internal audit team or by an independent third party and the audit findings shared with SAMA.
47. Any report to or by any other regulatory authority on the quality of controls of the outsourcing arrangement must be submitted immediately by the foreign bank branch to SAMA.
48. Foreign bank branches must ensure that head office/other group member outsourcing arrangements do not constrain SAMA's ability to provide effective prudential supervision of the local operations and do not contravene the Banking Control Law and other applicable Laws and Regulations.
49. Foreign bank branches should adopt good risk management practices to mitigate any potential outsourcing risks. At a minimum and subject to the Rules, a foreign bank branch entering into an outsourcing arrangement with its head office or a member of its group should:
a) Establish policies and procedures relating to ownership and access, resolution of differences, sub-contracting, confidentiality and security, separation of property, business continuity management, monitoring of the performance and circumstances of outsourcing arrangements, and annual reviews to gauge compliance with agreed service levels.
b) Perform a due diligence process to address all aspects of the arrangement, particularly those pertaining to any unique operational requirements of the branch.
c) Develop an outsourcing agreement that details, among other things, the scope of the arrangement, the services to be supplied, the nature of the relationship between the branch and the head office/other group member (e.g., roles, responsibilities and expectations).
d) Develop procedures governing any subcontracting of services.
e) Develop an appropriate business continuity plan (BCP), supported by an IT disaster recovery plan. In addition, a branch's BCP should consider the applicable controls from SAMA's business continuity management framework.
f) Implement a process for monitoring and oversight.
g) Implement procedures for record keeping.
50. Given a foreign bank branch is a dependent unit of a bank and is integrated into the parent entity, whether by legal set-up and/or other organizational designs, outsourcing certain functions/services containing customer information to their head office or other members of the group may occasionally be needed. Subject to the Rules, the foreign bank branch, in outsourcing functions/services containing customer information to head office and other group members is required to put in place a policy that, at minimum, ensures that the following additional conditions are met:
a) A service level agreement that should clearly state that SAMA has the legal right to conduct examinations of the head office/member of the group having outsourcing arrangement with the branch if required.
b) The customer's consent to data sharing with the head office, and transmission of the data through a reliable, secure channel supported by a strong encryption mechanism.
c) Access to such information at the head office/other group member is limited to key control functions such as compliance, risk management, operations, IT and internal audit. Any such customer information should be for the sole use of the bank and should not be shared with any party outside the bank without prior written approval of SAMA. The bank is also required to keep a log of who accessed such information and when.
d) Any changes to customer data stored or in transit shall be completely logged and monitored.
51. For foreign bank branches that would like to use the services of a third party already contracted by their Head Office or another member of the group, SAMA will only consider such a third party outsourcing arrangement if the Head Office submits to SAMA a letter of comfort which specifies which operations are to be outsourced and which must also include the following conditions:
a) The Head Office declares its ultimate responsibility for ensuring that adequate controlling measures for the outsourcing arrangement are in place; and
b) The Head Office is responsible for taking adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate outsourcing controls applied by the third party service provider.
52. In line with SAMA's risk-based supervisory framework, SAMA may have additional expectations (for all or specific foreign bank branches) depending on the risks related to such outsourcing arrangements and following its supervisory review. Furthermore, SAMA has the right to revoke any outsourcing arrangements, if such an arrangement poses risk to the bank.
53. Foreign bank branches would still be required to comply with all other aspects of these outsourcing requirements in relation to outsourcing arrangements with unrelated third parties.
Annex 1 - Annual Return on Outsourcing Services Provided and Received
1- Outsourcing Services Provided
Please provide details of all Material services provided BY the bank to the group and/or third parties.
No. | Service Description | Service provided to which Group Company and/or third party
2- Outsourcing Services Received
a) Please provide details of all Material services provided TO the bank by the group and/or third parties for which SAMA no-objection was obtained.
No. | Service Description | Service Provider
b) Please provide details of all non-Material services provided TO the bank by the group and/or third parties for which SAMA no objection is not required.
No. | Service Description | Service Provider