OM-3.2 Supervisory Approach
OM-3.2.1
The CBB recognises the benefits that can potentially be achieved through outsourcing an activity to a third party provider. They can include reduced costs, enhanced service quality and a reduction in management time spent on non-core activities. However, outsourcing an activity also poses potential risks. These include the ability of the service provider to maintain service quality levels, reduced control over the activity and access to relevant information, and increased legal and client confidentiality risks.
Amended: January 2011
October 07
OM-3.2.2
The CBB's approach is to allow licensees the freedom to enter into outsourcing arrangements, providing these have been properly structured and associated risks addressed.
Amended: April 2012
Amended: January 2011
October 07
OM-3.2.3
The CBB expects licensees to have undertaken a thorough assessment of a proposal before formally submitting the request for prior approval to the CBB. However, the CBB is also willing to discuss ideas informally at an early stage of development, on a 'no-commitment' basis. It especially encourages an early approach when the proposed outsourcing is particularly material or innovative.
Amended: October 2017
Amended: January 2011
October 07
OM-3.2.4
Once an outsourcing arrangement has been implemented, the CBB requires a licensee to continue to monitor the associated risks and the effectiveness of its mitigating controls. It will verify this through the course of its normal on-site and off-site supervisory processes, such as prudential meetings and on-site examinations. The CBB also requires access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.
Amended: January 2011
October 07
OM-3.2.5
Fundamental to the CBB's supervisory approach to outsourcing is that the Board and management of the licensee may not abdicate their responsibility for a licensee's business and the way its customers are treated. The Board and management remain ultimately responsible for the effectiveness of systems and controls in outsourced activities.
Amended: January 2011
October 07
OM-3.2.6
The board and senior management are responsible for understanding the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities. Outsourcing policies and risk management activities should encompass:
(a) Procedures for determining whether and how activities can be outsourced;
(b) Processes for conducting due diligence in the selection of potential service providers;
(c) Sound structuring of the outsourcing arrangement, including ownership and confidentiality of data, as well as termination rights;
(d) Programmes for managing and monitoring the risks associated with the outsourcing arrangement, including the financial condition of the service provider;
(e) Establishment of an effective control environment at the bank and the service provider;
(f) Development of viable contingency plans; and
(g) Execution of comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.
Added: October 2012