Earlier this year, the Central Bank of the UAE issued new Outsourcing Regulations for Banks (Circular No. 14/2021) ("Regulations") and accompanying Outsourcing Standards for Banks ("Standards"). The objective was to establish minimum acceptable standards for the banks’ approach to managing risks associated with outsourcing arrangements, in line with international best practice.
Here are the key requirements of the Regulations:
Scope: The Regulations apply to all banks operating in the UAE;
Governance and Risk Management: Banks must have a process for determining the materiality of outsourced activities and establish and maintain a Risk Governance Framework. The framework must include policies and procedures for the assessment and approval of outsourcing agreements, provisions for business continuity and disaster recovery, etc.;
Outsourcing Register: Banks must keep a register of all outsourcing contracts (both material and non-material) including certain key mandatory information;
Data Protection: Banks must ensure that they retain ownership of all data provided to the service provider, and that customers retain ownership of their data, including but not limited to Confidential Data;
Outsourcing Agreements: The Regulations set out certain minimum requirements that need to be included in all outsourcing agreements e.g. that the Central Bank can access data upon request and can carry out on-site visits at the service provider's facilities;
Outsourcing outside of the UAE: Banks must ensure that the "Master System of Record" is maintained and stored in the UAE unless an exception is granted by the Central Bank to maintain a copy in the UAE that is updated at least daily. In addition, customers' Confidential Data cannot be shared outside the UAE without consent from both the Central Bank and the relevant customer. Banks also cannot enter into agreements where either (i) the jurisdiction cannot provide the same level of protection of confidential information as the UAE or (ii) its laws restrict or limit data access necessary for supervisory purposes. Further, banks must ensure that the service providers maintain the appropriate level of information security;
Internal Audit: Banks remain responsible for internal audit and compliance of outsourced activities and must carry out regular reviews and report accordingly;
Non-Objection: Banks must obtain a notice of non-objection from the Central Bank prior to outsourcing any "Material Business Activity", which is defined as "an activity that has the potential, if disrupted, to have a significant impact on the Bank's business operations or its ability to manage risks effectively". The Central Bank will generally not permit outsourcing of core banking activities and key management duties such as senior management, risk management, compliance, internal audit etc.;
Reporting Requirements: Banks must regularly report to the Central Bank on their outsourcing arrangements in the format and frequency prescribed by the Central Bank and provide additional information upon request;
Islamic Banking: Any bank offering Islamic Financial services must ensure that the outsourced activities, insofar as they relate to such services, are consistent with Shari'ah principles that would apply if the bank performed the activities;
Enforcement: Non-compliance can result in supervisory actions, administrative and financial sanctions and the termination of outsourcing agreements; and
Application: The Regulations took effect on 15 July 2021 and apply to all new and renewed outsourcing arrangements after that date. There is also a grace period until 31 December 2023 for any pre-existing outsourcing agreements to be brought into compliance.
The Standards, which form an integral part of the Regulations, follow the same structure as the Regulations (as set out above) and expand on them in certain areas, although they are fairly short (only 5 pages long).
If we can assist with any outsourcing agreements or if you have any questions in relation to these new Regulations, please email our Head of Banking, Ahmed Thabet, at ahmed@thebenchlaw.com or Joby Beretta at joby@thebenchlaw.com. The Bench's Banking and FinTech teams have extensive experience in the outsourcing space, advising both financial institutions and service providers. The Chambers & Partners Global FinTech Guide 2021 recognised The Bench's strength in this area, commenting "The Bench has a diverse range of strengths in the FinTech industry, and can provide expert advice on IP protection strategies, FinTech M&A and outsourcing".