OM-2.5.1

The activities to be outsourced and respective contractual liabilities and obligations of the outsourcing service provider and licensee must be clearly specified in an outsourcing agreement. This agreement must, amongst other things, address the following points:

(a) Control over outsourced activities
1. The Board and management of licensees are held ultimately responsible by the CBB for the adequacy of systems and controls in outsourced activities. Licensees must therefore ensure that they have adequate mechanisms for monitoring the performance of, and managing the relationship with, the outsourcing service provider;
2. A service level agreement ("SLA") — setting out the standards of service to be provided — must form part of the outsourcing agreement. Where the outsourcing provider interacts directly with a licensee's customers, the SLA must — where relevant — reflect the licensee's own standards and the CBB's relevant rulebook requirements regarding customer service;
3. Mechanisms for the regular monitoring by licensees of performance against the SLA and other targets, and for implementing remedies in case of any shortfalls, must also form part of the agreement;
4. Clear reporting and escalation mechanisms must be specified in the agreement;
5. Where an outsourcing service provider in turn decides to sub-contract to other providers, the licensee must perform a due diligence and a risk and control assessment and obtain CBB's prior written approval; and
6. In case of (5) above, the original provider must remain contractually liable to the licensee for the quality and level of service agreed, and its obligations to the licensee must remain unchanged.
(b) Customer data confidentiality
1. Licensees must ensure that outsourcing agreements comply with the requirements of Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018, as applicable, and other applicable legal requirements regarding customer confidentiality.
2. Licensees must ensure that the outsourcing service provider implements adequate safeguards and procedures. Amongst other things, customer data must be properly segregated from those belonging to other clients the outsourcing service provider may have.
3. Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control.
4. Outsourcing service providers must give suitable undertakings that the company and its staff will comply with all applicable confidentiality rules. Licensees must have contractual rights to take action against the service provider in the event of a breach of confidentiality.
5. Licensees must assess the impact of using an overseas-based outsourcing service provider on their ability to maintain customer data confidentiality, for instance, because of the powers of local authorities to access such data.
(c) Access to information
1. Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information related to the outsourced function/service they may require to fulfill their responsibilities. Such access must allow them to conduct on-site examinations of the relevant function/service provided by the outsourcing service provider, if required.
2. Licensees must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information related to the outsourced function/service they may reasonably require under the law. Such access must allow the CBB to conduct on-site examinations of the relevant function/service provided by the outsourcing service provider, if required.
3. Where the outsourcing service provider is based overseas, the outsourcing service provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the CBB inspectors and appointed experts, having the access described above. Should such restrictions subsequently be imposed, the licensee must communicate this fact to the CBB as soon as it becomes aware of the matter.
4. The outsourcing service provider must commit itself, in the outsourcing agreement, to inform the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing service provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing service provider.
(d) Business continuity
1. Licensees must ensure that service providers regularly review and test plans to ensure continuity in the provision of the outsourced service.
2. Licensees must have an adequate understanding of the outsourcing service provider's arrangements, to understand the implications for its own contingency arrangements (see Section OM-2.6).
(e) Termination
1. Licensees must have the right to terminate the agreement should the outsourcing service provider undergo a change of ownership (whether direct or indirect) that poses a potential conflict of interest; becomes insolvent; or goes into liquidation or administration.
2. Termination under any other circumstances allowed under the agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.
3. In the event of termination, for whatever reason, the agreement must provide for the return of all customer data where required by licensees.
Added: January 2020