The Banking Policy and Regulations Department of the State Bank of Pakistan (central bank) released a 2019 revision of its 2017 Framework for Risk Management in Outsourcing Arrangements by Financial Institutions to facilitate effective risk management by banks and financial institutions (FIs) relating to agreements with third-party service providers and outsourcing. The 2017 Framework modifies the ‘Guidelines on Outsourcing Arrangements’ issued vide BPRD Circular No. 09 dated July 13, 2007. The 2019 Amendment defines Personally Identifiable Information (PII). Some highlighted modifications include the following (emphasis added):
- Personally Identifiable Information or PII means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier.
- In case where outsourcing arrangement involves confidential customer information, FIs shall: i. Seek specific consent of the customer or encrypt or anonymize PII of customers so that their identities cannot be readily inferred. ii. Retain information of all such cases, which will be reviewed by SBP team during on-site inspection.
- Any outsourcing arrangement outside Pakistan, excluding group outsourcing, shall require SBP’s prior approval. All such requests shall be signed by the Head of compliance and include details of the functions to be outsourced, rationale for the outsourcing, details relating to the proposed service provider, agreement with the service provider, business continuity plan, disaster recovery arrangements and a legal opinion that the arrangement does not violate any relevant local law.
- a) Group outsourcing is defined as arrangement where Financial Institutions including Foreign Banks’ branches enter outsourcing arrangements including technological support services from their parent Institutions/subsidiaries/Head Offices or other branches of Foreign Banks/related group entities formulated for providing specialized services to group companies inside or outside Pakistan. b) The instructions in this section are applicable to all outsourcing arrangements with the group companies as defined in para (i) above.