• OM-2.1 OM-2.1 Introduction

    • OM-2.1.1

      This Chapter sets out the CBB's approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

      Added: January 2020

    • OM-2.1.2

      In the context of this Chapter, 'outsourcing' means an arrangement whereby a third party performs on behalf of a licensee an activity which was previously undertaken by the licensee itself (or in the case of a new activity, one which commonly would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

      Added: January 2020

    • OM-2.1.3

      Most of the Directives in this Chapter are concerned with situations where the third party provider is outside the licensee's group. Section OM-2.7, however, sets out the CBB's requirements when a service is outsourced to a company within the licensee's group.

      Added: January 2020

    • OM-2.1.4

      The requirements in this Chapter only apply to 'material' outsourcing arrangements. These are arrangements that, if they failed in any way, would pose significant risks to the on-going operations of a licensee, its reputation and/or quality of service provided to its customers. For instance, the outsourcing of all or a substantial part of functions such as customer sales and relationship management, settlements and processing, IT and data processing, internal audit and financial control, would normally be considered 'material'.

      Added: January 2020

    • OM-2.1.5

      Licensees should assess whether the function/activity/process being outsourced is material based on an assessment of various factors including but not limited to:

      (i) The importance of the business activity to be outsourced in terms of its contribution to income and profit and the risk of potential loss should the outsourcing service provider fail to perform the service;
      (ii) The impact on the licensee's reputation and brand value, and on its ability to achieve its business objectives, strategy and plans if there are disruptions, irregularities, frauds or other adverse events occurring with outsourcing service provider;
      (iii) The impact on business continuity should the outsourcing service provider fail to perform the service;
      (iv) The impact on the licensee's customers, should the outsourcing service provider fail to perform the service or encounter a breach of confidentiality or security;
      (v) The cost of the outsourcing as a proportion of total operating costs of the licensee;
      (vi) The degree of difficulty, including the time taken, in finding an alternative outsourcing service provider or bringing the business activity in-house;
      (vii) The aggregate exposure to a particular outsourcing service provider in case where a licensee outsources various functions to the same outsourcing service provider;
      (viii) The ability to maintain appropriate internal controls and meet regulatory requirements due to operational problems faced by the outsourcing service provider;
      (ix) The affiliation or other relationship between the licensee and the outsourcing service provider; and
      (x) Any other factor that the licensee may consider appropriate for evaluating the materiality of an outsourcing arrangement.
      Added: January 2020

    • OM-2.1.6

      Management should carefully consider whether a proposed outsourcing arrangement falls under this Chapter's definition of 'material'. If in doubt, management should consult with the CBB.

      Added: January 2020

    • OM-2.1.7

      For outsourcing services that are not considered material outsourcing arrangements, licensees must submit a written notification to the CBB within 7 working days before committing to the new outsourcing arrangement.

      Added: January 2020