GR-9.1 GR-9.1 Outsourcing Arrangements
GR-9.1.1
This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.
Amended: July 2022
May 2011GR-9.1.2
In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.
Amended: July 2022
Amended: October 2017
May 2011GR-9.1.3
In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:
i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; andii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.Amended: July 2022
May 2011GR-9.1.4
The
licensee must not outsource the following functions:(i) Compliance;(ii) AML/CFT;(iii) Financial control;(iv) Risk management; and(v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).Amended: July 2022
May 2011GR-9.1.5
For the purposes of Paragraph GR-9.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph GR-9.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.
Amended: July 2022
May 2011GR-9.1.6
Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph GR-9.1.4 (iv), subject to CBB’s prior approval.
Amended: July 2022
Amended: October 2017
May 2011GR-9.1.7
Licensees must comply with the following requirements:(i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; andb. be made at least 30 calendar days before the licensee intends to commit to the arrangement.(ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.(iii)Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.(iv)Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of thelicensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.(v)Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.(vi)Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.(vii)Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.Amended: July 2022
May 2011GR-9.1.8
For the purpose of Subparagraph GR-9.1.7 (iv),
licensees as part of their assessments may use the following:a) Independent third-party certifications on the outsourcing service provider’s security and other controls;b) Third-party or internal audit reports of the outsourcing service provider; andc) Pooled audits organized by the outsourcing service provider, jointly with its other clients.When conducting on-site examinations,
licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.Amended: July 2022
May 2011GR-9.1.9
For the purpose of Subparagraph GR-9.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.
Amended: July 2022
Amended: October 2017
May 2011
