• OM-2 Outsourcing

    • OM-2.1 Introduction

      • OM-2.1.1

        This Chapter sets out the CBB's approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

        Added: January 2020

      • OM-2.1.2

        In the context of this Chapter, 'outsourcing' means an arrangement whereby a third party performs on behalf of a licensee an activity which was previously undertaken by the licensee itself (or in the case of a new activity, one which commonly would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

        Added: January 2020

      • OM-2.1.3

        Most of the Directives in this Chapter are concerned with situations where the third party provider is outside the licensee's group. Section OM-2.7, however, sets out the CBB's requirements when a service is outsourced to a company within the licensee's group.

        Added: January 2020

      • OM-2.1.4

        The requirements in this Chapter only apply to 'material' outsourcing arrangements. These are arrangements that, if they failed in any way, would pose significant risks to the on-going operations of a licensee, its reputation and/or quality of service provided to its customers. For instance, the outsourcing of all or a substantial part of functions such as customer sales and relationship management, settlements and processing, IT and data processing, internal audit and financial control, would normally be considered 'material'.

        Added: January 2020

      • OM-2.1.5

        Licensees should assess whether the function/activity/process being outsourced is material based on an assessment of various factors including but not limited to:

        (i) The importance of the business activity to be outsourced in terms of its contribution to income and profit and the risk of potential loss should the outsourcing service provider fail to perform the service;
        (ii) The impact on the licensee's reputation and brand value, and on its ability to achieve its business objectives, strategy and plans, if there are disruptions, irregularities, frauds or other adverse events occurring at the outsourcing service provider;
        (iii) The impact on business continuity should the outsourcing service provider fail to perform the service;
        (iv) The impact on the licensee's customers, should the outsourcing service provider fail to perform the service or encounter a breach of confidentiality or security;
        (v) The cost of the outsourcing as a proportion of total operating costs of the licensee;
        (vi) The degree of difficulty, including the time taken, in finding an alternative outsourcing service provider or bringing the business activity in-house;
        (vii) The aggregate exposure to a particular outsourcing service provider in cases where a licensee outsources various functions to the same outsourcing service provider;
        (viii) The ability to maintain appropriate internal controls and meet regulatory requirements due to operational problems faced by the outsourcing service provider;
        (ix) The affiliation or other relationship between the licensee and the outsourcing service provider; and
        (x) Any other factor that the licensee may consider appropriate for evaluating the materiality of an outsourcing arrangement.
        Added: January 2020

      • OM-2.1.6

        Management should carefully consider whether a proposed outsourcing arrangement falls under this Chapter's definition of 'material'. If in doubt, management should consult with the CBB.

        Added: January 2020

      • OM-2.1.7

        For outsourcing services that are not considered material outsourcing arrangements, licensees must submit a written notification to the CBB within 7 working days before committing to the new outsourcing arrangement.

        Added: January 2020

    • OM-2.2 Board and Senior Management Responsibilities

      • OM-2.2.1

        The board and senior management are responsible for understanding the operational and reputational risks associated with outsourcing arrangements and ensuring that effective risk management policies, procedures and practices are in place to manage the risks in outsourcing activities. Outsourcing policies and risk management activities should encompass:

        (a) Policy for developing a business case for outsourcing of activities, including policy for ascertaining the materiality of services to be outsourced;
        (b) Procedures for determining whether and how activities can be outsourced;
        (c) Processes for conducting due diligence in the selection of potential outsourcing service providers;
        (d) Sound structuring of the outsourcing arrangement, including ownership and confidentiality of data, as well as termination rights;
        (e) Programmes for managing and monitoring the risks associated with the outsourcing arrangement, including the financial condition of the outsourcing service provider;
        (f) Establishment of an effective control environment at the bank and the service provider;
        (g) Development of viable contingency plans; and
        (h) Execution of comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing service provider and the bank.
        Added: January 2020

    • OM-2.3 Notifications and Prior Approval Requests

      • OM-2.3.1

        A licensee must seek the CBB's prior written approval before committing to a new material outsourcing arrangement.

        Added: January 2020

      • OM-2.3.2

        The above request for prior approval must:

        (a) Be made in writing to the licensee's normal supervisory point of contact;
        (b) Contain sufficient detail to demonstrate that relevant issues raised in this Chapter have been addressed; and
        (c) Be made at least 6 weeks before the licensee intends to commit to the arrangement.
        Added: January 2020

      • OM-2.3.3

        The CBB will review the information provided and provide a definitive response within 5 working days of receiving the request for prior approval. Where further information is requested from the licensee, however, the time taken to provide this further information will not be taken into account. The CBB may also contact home or host supervisors of the licensee or the outsourcing service provider, to seek their comments — in such cases, the 6-week turnaround is also subject to the speed of their response.

        Added: January 2020

      • OM-2.3.4

        Once an activity has been outsourced, a licensee must immediately inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider. The CBB reserves the right to direct a licensee to make alternative arrangements for the outsourced activity.

        Added: January 2020

      • OM-2.3.5

        The CBB reserves the right to require a licensee to terminate or make alternative outsourcing arrangements if, among other reasons, the confidentiality of its customer information was, or is likely to be, breached or the ability of the CBB to carry out its supervisory functions in view of the outsourcing arrangement cannot be assured or executed.

        Added: January 2020

    • OM-2.4 Risk Assessment

      • OM-2.4.1

        Licensees must undertake a thorough risk assessment of an outsourcing proposal before formally submitting the request for approval to the CBB and committing themselves to an agreement.

        Added: January 2020

      • OM-2.4.2

        The risk assessment must, amongst other things, include an analysis of:

        (a) The business case;
        (b) The suitability of the outsourcing service provider; including but not limited to the outsourcing service provider's financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk; and
        (c) The impact of the outsourcing on the licensee's overall risk profile and its systems and controls framework.
        Added: January 2020

      • OM-2.4.3

        Once an outsourcing agreement has been entered into, licensees must:

        (a) Review, at least annually, the suitability of the outsourcing service provider and the on-going impact of the agreement on their risk profile and systems and controls framework; and
        (b) Monitor the associated risks and the effectiveness of their mitigating controls.
        Added: January 2020

      • OM-2.4.4

        A licensee must nominate a relevant approved person with day-to-day responsibility for handling the relationship with the outsourcing service provider and ensuring that relevant risks are addressed. This person must be notified to the CBB as part of the request for prior approval required under Section OM-2.3. Any subsequent replacement of such person must also be notified to the CBB.

        Added: January 2020

    • OM-2.5 Outsourcing Agreement

      • OM-2.5.1

        The activities to be outsourced and respective contractual liabilities and obligations of the outsourcing service provider and licensee must be clearly specified in an outsourcing agreement. This agreement must, amongst other things, address the following points:

        (a) Control over outsourced activities
        1. The Board and management of licensees are held ultimately responsible by the CBB for the adequacy of systems and controls in outsourced activities. Licensees must therefore ensure that they have adequate mechanisms for monitoring the performance of, and managing the relationship with, the outsourcing service provider;
        2. A service level agreement ("SLA") — setting out the standards of service to be provided — must form part of the outsourcing agreement. Where the outsourcing provider interacts directly with a licensee's customers, the SLA must — where relevant — reflect the licensee's own standards and the CBB's relevant rulebook requirements regarding customer service;
        3. Mechanisms for the regular monitoring by licensees of performance against the SLA and other targets, and for implementing remedies in case of any shortfalls, must also form part of the agreement;
        4. Clear reporting and escalation mechanisms must be specified in the agreement;
        5. Where an outsourcing service provider in turn decides to sub-contract to other providers, the licensee must perform a due diligence and a risk and control assessment and obtain the CBB's prior written approval; and
        6. In the case of (5) above, the original provider must remain contractually liable to the licensee for the quality and level of service agreed, and its obligations to the licensee must remain unchanged.
        (b) Customer data confidentiality
        1. Licensees must ensure that outsourcing agreements comply with the requirements of Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018, as applicable, and other applicable legal requirements regarding customer confidentiality.
        2. Licensees must ensure that the outsourcing service provider implements adequate safeguards and procedures. Amongst other things, customer data must be properly segregated from those belonging to other clients the outsourcing service provider may have.
        3. Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control.
        4. Outsourcing service providers must give suitable undertakings that the company and its staff will comply with all applicable confidentiality rules. Licensees must have contractual rights to take action against the service provider in the event of a breach of confidentiality.
        5. Licensees must assess the impact of using an overseas-based outsourcing service provider on their ability to maintain customer data confidentiality, for instance, because of the powers of local authorities to access such data.
        (c) Access to information
        1. Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information related to the outsourced function/service that they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the relevant function/service provided by the outsourcing service provider, if required.
        2. Licensees must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information related to the outsourced function/service they may reasonably require under the law. Such access must allow the CBB to conduct on-site examinations of the relevant function/service provided by the outsourcing service provider, if required.
        3. Where the outsourcing service provider is based overseas, the outsourcing service provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the CBB inspectors and appointed experts, having the access described above. Should such restrictions subsequently be imposed, the licensee must communicate this fact to the CBB as soon as it becomes aware of the matter.
        4. The outsourcing service provider must commit itself, in the outsourcing agreement, to inform the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing service provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing service provider.
        (d) Business continuity
        1. Licensees must ensure that service providers regularly review and test plans to ensure continuity in the provision of the outsourced service.
        2. Licensees must have an adequate understanding of the outsourcing service provider's arrangements, to understand the implications for its own contingency arrangements (see Section OM-2.6).
        (e) Termination
        1. Licensees must have the right to terminate the agreement should the outsourcing service provider undergo a change of ownership (whether direct or indirect) that poses a potential conflict of interest; becomes insolvent; or goes into liquidation or administration.
        2. Termination under any other circumstances allowed under the agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.
        3. In the event of termination, for whatever reason, the agreement must provide for the return of all customer data where required by licensees.
        Added: January 2020

      • OM-2.5.2

        For the purposes of Paragraph OM-2.5.1(c)1 above, licensees as part of their assessments may use the following:

        a) Independent third-party certifications on the outsourcing service provider's security and other controls;
        b) Third-party or internal audit reports of the outsourcing service provider; and
        c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.
        Added: January 2020

      • OM-2.5.3

        When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider's other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

        Added: January 2020

    • OM-2.6 Contingency Planning for Outsourcing Arrangements

      • OM-2.6.1

        Licensees must maintain and regularly review contingency plans to enable them to set up alternative arrangements, with minimum disruption to business, should the outsourcing contract be suddenly terminated or the outsourcing service provider fails. This may involve the identification of alternative outsourcing service providers or the provision of the service in-house. These plans must consider how long the transition would take and what interim arrangements would apply.

        Added: January 2020

      • OM-2.6.2

        See Chapter OM-4 for further guidance on business continuity and contingency planning.

        Added: January 2020

    • OM-2.7 Intra-group Outsourcing

      • OM-2.7.1

        As with outsourcing to non-group companies, the Board and senior management of licensees are held ultimately responsible by the CBB for the adequacy of systems and controls in activities outsourced to group companies.

        Added: January 2020

      • OM-2.7.2

        However, the degree of formality required — in terms of contractual agreements and control mechanisms — for outsourcing within a licensee's group is likely to be less, because of common management and enhanced knowledge of other group companies.

        Added: January 2020

      • OM-2.7.3

        A licensee must seek the CBB's prior written approval at least 6 weeks before committing to a material intra-group outsourcing. The request for approval must be made in writing to the licensee's normal supervisory point of contact, and must set out a summary of the proposed outsourcing, its rationale, and an analysis of its associated risks and proposed mitigating controls. The CBB will respond to the request for approval in the same manner and timescale as set in Section OM-2.3 above.

        Added: January 2020

      • OM-2.7.4

        As a minimum, an agreed statement of the standard of service must be provided by the group provider, including a clear statement of responsibilities allocated between the group provider and the licensee.

        Added: January 2020

      • OM-2.7.5

        The licensee's management must address the issues of customer confidentiality, access to information and business continuity covered above (Section OM-2.5).

        Added: January 2020

      • OM-2.7.6

        In the case of branches of foreign banks, the CBB may consider a third party outsourcing arrangement entered into by the licensee's head office/regional office as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

        a. The head office/regional office declares its ultimate responsibility of ensuring that adequate controlling measures are in place; and
        b. The head office/regional office is responsible for taking adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third party service provider.
        Added: January 2020

    • OM-2.8 Outsourcing of Functions Containing Customer Information

      • OM-2.8.1

        Licensees must seek the CBB's prior written approval for third party and intragroup outsourcing of functions/services containing customer information including but not limited to payment services, debt collection, card and data processing, IT function including cloud services, internal audit and electronic/internet banking services but excluding legal services. Customer information must be encrypted and the encryption keys or similar forms of authentication codes must be securely kept under the licensee's control.

        Added: January 2020

      • OM-2.8.2

        Because of the critical importance of protecting customer information confidentiality, all proposals to outsource functions containing customer information should be considered material.

        Added: January 2020

      • OM-2.8.3

        For a third party outsourcing of functions/services containing customer information, other than debt collection, IT function, internal audit, cards embossing, cheques personalization, data/documents storing and call centres, the outsourcing service providers must be licensed by the CBB and located in Bahrain. If the outsourced service is not available in Bahrain, licensees must submit to the CBB a written request. The request must provide details of the circumstances under which the extension of outsourcing activities is being requested.

        Added: January 2020

      • OM-2.8.4

        In case of an outsourcing arrangement that involves disclosure of confidential information to the outsourcing service provider, licensees must ensure that the contract with the outsourcing service provider clearly requires the latter to safeguard the confidentiality of the confidential information; provided always that the responsibility for disclosure of such confidential information must rest with the licensee. Due consideration must also be given to Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018 and the CBB Law.

        Added: January 2020

      • OM-2.8.5

        For outsourcing of functions/services containing customer information, the following conditions must also be met:

        (a) [This Subparagraph was deleted in January 2021].
        (b) The service level agreement must clearly state that the CBB inspectors and appointed experts have the legal right to conduct onsite examinations of the outsourcing service provider and such expenses are to be borne by the licensee; and
        (c) Any report by any other regulatory authority on the quality of controls of the outsourcing service provider must be submitted immediately by the licensee to the CBB.
        Amended: January 2021
        Added: January 2020

      • Cloud Services

        • OM-2.8.6

          For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place and included in the outsourcing agreement:

          (a) Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control;
          (b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing service provider;
          (c) A comprehensive change management procedure must be developed to account for future changes in technology with adequate testing of such changes;
          (d) The licensee's data must be logically segregated from other entities' data on the outsourcing service provider's platform;
          (e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to forms of protection available against unauthorized access and incident management process in cases of data breach or data loss; and
          (f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, based on the CBB Law and the Personal Data Protection Law (PDPL).
          Added: January 2020
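The encryption requirement in OM-2.8.6(a), which repeats the wording of OM-2.5.1(b)3 and OM-2.8.1, is in practice met with envelope encryption performed on the licensee's side: the provider stores only ciphertext and a wrapped data key, and the key-encryption key (KEK) never leaves the licensee. The Go program below is an added illustration and is not part of the Rulebook nor any CBB-endorsed implementation; the record layout, the function names and the sample data are constructed assumptions. It also binds the record identifier into the authenticated data, so a blob filed under another customer's identifier no longer decrypts, which is one mechanical check behind the logical segregation required in (d).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is all the provider holds for one record; neither field opens without the licensee's KEK.
type StoredRecord struct {
	RecordID   string // record/tenant identifier, bound into both ciphertexts as AAD
	WrappedDEK []byte // per-record data-encryption key (DEK), sealed under the KEK
	Ciphertext []byte // customer data, sealed under the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, nonce, ciphertext or AAD do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt runs on the licensee side before the record is handed to the provider.
func Encrypt(kek []byte, recordID string, customerData []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	aad := []byte(recordID)
	ct, err := seal(dek, customerData, aad)
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{RecordID: recordID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt runs on the licensee side: unwrap the DEK with the KEK, then open the data.
func Decrypt(kek []byte, rec StoredRecord) ([]byte, error) {
	aad := []byte(rec.RecordID)
	dek, err := open(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", rec.RecordID, err)
	}
	return open(dek, rec.Ciphertext, aad)
}

// ProviderCanRead models the provider with only what it stores: no KEK, so it can only guess one, and GCM rejects the guess.
func ProviderCanRead(rec StoredRecord) bool {
	guessedKEK := make([]byte, 32) // constructed guess: all zeros
	_, err := Decrypt(guessedKEK, rec)
	return err == nil
}

func main() {
	kek := []byte("constructed-32-byte-licensee-kek") // constructed for the demo; in practice generated and held in the licensee's HSM/KMS
	rec, err := Encrypt(kek, "customer-0001", []byte("account holder: A. Example; balance: 1234.56"))
	if err != nil {
		panic(err)
	}
	fmt.Println("provider can read record:", ProviderCanRead(rec))
	plain, err := Decrypt(kek, rec)
	fmt.Printf("licensee decrypts: %q (err=%v)\n", plain, err)
	rec.RecordID = "customer-0002" // the same blob filed under another customer's id
	_, err = Decrypt(kek, rec)
	fmt.Println("rebound record decrypts:", err == nil)
}
```

The point for the agreement review is the asymmetry this creates: the provider can back up, replicate and restore the blobs without ever holding material that decrypts them, while every read or key rotation is an action the licensee performs and can log. Using the record identifier as associated data means segregation failures (a blob served under the wrong tenant) surface as authentication errors rather than as silently readable data.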

        • OM-2.8.7

          Licensees should consider how the outsourced activity is affected by the variety of risks associated with cloud adoption, for example:

          a) Vendor lock-in (cloud vendor using proprietary technology preventing migration);
          b) Vendor lock-out (cloud going out of business, preventing access to data);
          c) Data and application interoperability;
          d) Segregation of data in SaaS environments;
          e) Distributed denial of service (DDoS) prevention;
          f) Impact of regulatory enforcement processes;
          g) Safeguards for management of cryptographic keys;
          h) Unmonitored access to administrative zones by staff and 3rd parties;
          i) Remote access to administrative zones without strong authentication and accountability;
          j) Single points of failure in connectivity to cloud environments.
          Added: January 2020
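Items (h) and (i) above name failure modes that the audit trail required by OM-2.8.6(b) lets the licensee detect after the fact. The Go program below is an added example and is not from the Rulebook or any cloud provider; the event shape, its field names, the three rules and the sample log lines are all constructed assumptions. It parses newline-delimited JSON audit events and raises a finding for each administrative-zone action that is unattributable, performed remotely without strong authentication, or not linked to an approved access or change request.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is a constructed, simplified shape for one audit-trail entry
// exported from a cloud platform; real exports carry more fields.
type AuditEvent struct {
	Time      string `json:"time"`
	Actor     string `json:"actor"`      // principal; empty means the action is unattributable
	ActorType string `json:"actor_type"` // "staff", "third_party" or "service"
	Zone      string `json:"zone"`       // "admin" (control plane) or "tenant"
	Action    string `json:"action"`
	Source    string `json:"source"`   // "console" or "remote"
	MFA       bool   `json:"mfa"`      // strong authentication was used
	Approved  bool   `json:"approved"` // linked to an approved access/change request
}

// Finding is one reviewable exception raised against an event.
type Finding struct {
	Time   string
	Actor  string
	Action string
	Reason string
}

// Evaluate applies the three rules to one event; tenant-zone events are out of scope.
func Evaluate(ev AuditEvent) []Finding {
	if ev.Zone != "admin" {
		return nil
	}
	var out []Finding
	add := func(reason string) {
		out = append(out, Finding{Time: ev.Time, Actor: ev.Actor, Action: ev.Action, Reason: reason})
	}
	if ev.Actor == "" {
		add("admin-zone action cannot be attributed to a named principal")
	}
	if ev.Source == "remote" && !ev.MFA {
		add("remote admin-zone access without strong authentication")
	}
	if !ev.Approved {
		add("admin-zone action not linked to an approved request (unmonitored access)")
	}
	return out
}

// ScanLog parses newline-delimited JSON events and returns all findings in log order.
func ScanLog(text string) ([]Finding, error) {
	var findings []Finding
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		findings = append(findings, Evaluate(ev)...)
	}
	return findings, nil
}

// sampleLog is constructed for this example; it is not a real provider export.
const sampleLog = `{"time":"2024-03-01T08:00:00Z","actor":"ops.alice","actor_type":"staff","zone":"admin","action":"kms.key.rotate","source":"console","mfa":true,"approved":true}
{"time":"2024-03-01T08:05:00Z","actor":"vendor.bob","actor_type":"third_party","zone":"admin","action":"vm.snapshot","source":"remote","mfa":true,"approved":false}
{"time":"2024-03-01T08:07:00Z","actor":"ops.carol","actor_type":"staff","zone":"admin","action":"db.export","source":"remote","mfa":false,"approved":true}
{"time":"2024-03-01T08:09:00Z","actor":"","actor_type":"service","zone":"admin","action":"iam.role.attach","source":"remote","mfa":false,"approved":false}
{"time":"2024-03-01T08:10:00Z","actor":"app.user42","actor_type":"staff","zone":"tenant","action":"ticket.read","source":"remote","mfa":false,"approved":false}`

func main() {
	findings, err := ScanLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-12s %-16s %s\n", f.Time, f.Actor, f.Action, f.Reason)
	}
}
```

Run against the constructed log, the rules raise five findings: one for the third-party snapshot with no approved request, one for the staff export performed remotely without MFA, and three for the anonymous role attachment, which fails every rule. The rules are deliberately per-event so they can be re-run over a provider's daily export as part of the monitoring the agreement must provide for under OM-2.5.1(a)3.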

        • OM-2.8.8

          Licensees must ensure that cloud adoption does not result in data being stored in countries that are subject to United Nations sanctions.

          Added: January 2020