BSP Circular No. 899: Amendments to the Guidelines on Outsourcing

20 January 2016

TO: All Rural Banks

Dear Rural Bankers,

The Monetary Board in its Resolution No. 2115 dated 18 December 2015, approved the following amendments in the Manual of Regulations for Banks (MORB) and Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) on the guidelines on outsourcing. These guidelines shall be read in conjunction with the guidelines on operational risk management.

Section 1. Section X162 and all its subsections in the MORB shall now read as follows:

Section X162. Statement of Principle on Outsourcing. A bank may outsource to third parties or to related companies in the group, in accordance with existing BSP regulations, certain services or activities to have access to certain areas of expertise or to address resource constraints, Provided, That it has in place appropriate processes, procedures, and information system that can adequately identify, monitor, and mitigate operational risks arising from the outsourced activities. Provided further, that the bank’s board of directors and senior management shall remain responsible for ensuring that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws, rules and regulations.
Subsection XL62.T Definition. Outsourcing shall refer to any contractual arrangement between a bank and a qualified service provider for the latter to perform designated activities on a continuing basis on behalf of the bank.

Subsection XL62.2 Prohibition against outsourcing of inherent banking functions. No bank shall outsource inherent banking functions such as:

a. Services normally associated with placement of deposits and withdrawals including the recognition based on recording of movements in the deposit accounts;
b. Granting of loans and extension of other credit exposures;
c. Position-taking and market risk-taking activities;
d. Managing of risk exposures; and
e. Strategic decision-making.

Subsection X162.3 Authority to outsource. Only those banks with a CAMELS composite rating of at least 3 and a Management rating of not lower than 3 shall be allowed to outsource designated activities without prior Bangko Sentral approval. Otherwise, the bank must secure prior approval from the appropriate department of the SES whose evaluation will be based on the bank’s ability to manage risks attendant to outsourcing.

Subsection XL62.4 Governance and Managing of Outsourcing Risks. Key risk areas related to outsourcing such as strategic; reputation /legal; operational, compliance, country and concentration risks should be evaluated before entering into and while managing outsourcing contracts. In this regard, banks shall:

a. Perform risk assessment of a business activity and evaluate the implications of performing the activity in-house or having the activity outsourced.

The following factors shall be considered in the assessment:
(1) Level of importance to the bank of the activity to be outsourced and potential impact on bank’s operations, financial condition, reputation, and ability to achieve its objectives, strategies and plans, should the service provider fail to perform the services;
(2) Outsourcing costs in proportion to total operating expenses and compared with costs of developing own infrastructure and expertise;
(3) Aggregate exposure to a particular service provider, in cases when the bank outsources various functions to the same service provider;
(4) Ability to maintain appropriate controls and meet regulatory requirements, in cases of operational constraints of the service provider; and
(5) Exposure to risk of confidentiality, integrity and availability of customer and bank data.

In cases when the risk management system is deemed inadequate for purposes of managing outsourcing-related risks, the BSP may direct the bank to terminate, modify, make alternative arrangements or re-integrate the outsourced activity into its operations, as may be necessary.

b. Establish policies and criteria to select the “best” service provider for the outsourced activities and to get said services at reasonable price. The following factors should be considered in evaluating potential service providers:

(1) Reputation, ownership structure (to identify potential conflict of interest), technical expertise, and operational capability;

(2) Financial performance and condition (e.g., ongoing viability, outstanding commitments, capital/funding strength, liquidity and operating results; and reliance on subcontractors) of the service provider and its closely-related affiliates;

(3) Operations and internal control environment (e.g., internal controls, facilities management, training, security of system, privacy protection, maintenance and retention of records, business resumption and contingency plans, systems development and maintenance, and employee background checks);

(4) Fees and charges (e.g., outsourcing cost should be lower than developing the necessary infrastructure and expertise, comparable with market rates, and reasonable vis-à-vis scope and complexity of services);

(5) Actual performance vis-à-vis service level agreement;

(6) Performance of the service provider (past and present engagements) including the reasons/causes of disengagements, if any; and

(7) Compliance with provisions of service agreements, performance standards and adherence to applicable laws, regulations, and supervisory expectations.

In cases when the clients are prejudiced due to errors, omissions, and frauds by the service provider, the bank shall be liable in providing the appropriate remedies or remuneration as may be allowed under existing laws or regulations, without prejudice to the bank’s right of recourse to the service provider.

c. Establish, maintain, and regularly test business continuity and contingency plans for situations wherein the service provider cannot deliver the required services. The contingency plan must indicate whether another service provider will be tapped or the service/activity will be brought back in-house. This should in turn consider the costs, time, and resources that would be involved.

Contingency arrangements in respect of daily operational and systems problems should be covered in the service provider’s own contingency plan. The contingency plan must be reviewed regularly to ensure that it remains relevant and ready for implementation.
d. Ensure that it has adequate resources to manage and monitor outsourcing relationships on a continuing basis. Banks are expected to develop acceptable performance metrics to assess outsourcing contracts. They shall also maintain records of all outsourcing activities which should be updated and reviewed regularly.

e. Ensure that personnel with oversight and management responsibilities for service providers have the appropriate level of expertise and stature to manage the outsourcing arrangement. The oversight process, including the level and frequency of management reporting, should be risk-focused. Banks should design and implement risk mitigation plans for higher risk service providers. These may include certain requirements or processes such as additional reporting by the service provider or heightened monitoring. Further, more frequent and stringent monitoring is necessary for service providers that exhibit performance, financial, compliance, or control concerns.

Subsection X162.5 Documentations. The bank should maintain necessary documentation to show that outsourcing arrangements are properly reviewed and the appropriate due diligence has been undertaken prior to implementation. The bank shall keep in its file the documents shown in Appendix 100 and the same shall be made available to authorized representatives of the Bangko Sentral for inspection.

Subsection X162.6 Intra-group outsourcing. The guidelines and requirements of outsourcing to third-party service providers shall be observed when outsourcing within a business group including its head office, another branch or related company. When the bank is the service provider, the bank may only render services it performs in the ordinary course of its banking business: Provided, That (i) the service is rendered to subsidiaries, affiliates and companies related to it by at least five percent (5%) common ownership; or (ii) the service is rendered to its own depositors on account of the bank being a depository. The bank, acting as a service provider within its group, shall uphold the following:

a. Confidentiality of deposits and investments in government bonds as defined under R.A. No. L4O5, as amended;

b. Prohibition on cross-selling except as allowed under applicable regulations.

Subsection X162.7 Offshore outsourcing. Offshore outsourcing exists when the service provider is located outside the country. Subsec. X162.7 on intra-group outsourcing likewise applies in cases of offshore outsourcing. ln addition, offshore outsourcing of bank’s domestic operations is permitted only when the service provider operates in jurisdictions which uphold confidentiality. When the service provider is located in other countries, the bank should take into account and closely monitor, on continuing basis, government policies and other conditions in countries where the service provider is based during risk assessment process. The bank shall also develop appropriate contingency and exit strategies.

The Bangko Sentral examiners shall be given access to the service provider and those relating to the outsourced domestic operations of the bank. Such access may be fulfilled by on-site examination through coordination with host authorities, if necessary. The domestic branch of foreign bank shall be principally liable in cases where the clients are prejudiced due to errors, omissions and frauds of the service provider located offshore.

The Bangko sentral may require the bank to terminate, modify, make alternative outsourcing arrangement or re-integrate the outsourced activity into the bank, as may be necessary, if confidentiality of customer information, effective customer redress mechanisms or the ability of the Bangko sentral to carry out its supervision functions cannot be assured.

Subsection X162.8. Transitory provision. All outsourcing agreements must be aligned with the provisions of sec. xL62. Existing outsourcing agreements which are not in accordance with this section will not be unwound. However, it must comply with the requirements provided herein upon renewal of the agreements.

Subsection X162.9. Supervisory Enforcement Actions. Consistent with Circular No’ 875 dated 15 April 2015, the BSP may deploy enforcement actions to promote adherence with the requirements set forth in this Circular and bring about timely corrective actions’ The BSP may issue directives to improve the management of outsourcing arrangements, or impose sanctions to limit the level of or suspend any business activity that has adverse effects on the safety or soundness of the BSFI, among others. Sanctions may likewise be imposed on a BSFI and/or its directors, officers and / or employees.

Section 2. Section 4162e and 4190N shall now read as follows:

Section 4162Q Guidelines on Outsourcing. The rules on outsourcing of banking functions as shown under section X162 of the MORB and Appendix e_37 of the MORNBFT shall likewise apply to eBs.

Section 4190N Guidelines on Outsourcing. The rules on outsourcing of banking functions as shown under section X162 of the MoRB and Appendix e-37 of the MORNBFI shall likewise apply to NBFIs.

Section 3. Effectivity. This Circular shall take effect fifteen (15) calendar days after its publication either in the official Gazette or in a newspaper of general circulation.

To download full copy of the guidelines, please refer to this link: c899 – Amendments to the Guidelines on Outsourcing

Thank you.

RBAP Secretariat