Banking Policy and Regulations Department of the State Bank of Pakistan (central bank) releases its Framework for Risk Management in Outsourcing Arrangements by Financial Institutions, an Annexure‐I of BPRD Circular No. 06 of 2017. It modifies te ‘Guidelines on Outsourcing Arrangements’ issued vide BPRD Circular No. 09 dated July 13, 2007. An excerpt of the introduction, applicability and policy for arrangements appears below:
- Financial Institutions (FIs) are increasingly using third party services to carry out activities, functions and processes as outsourcing arrangements to meet new & complex challenges like innovation in technology, increasing competition, economies of scale and improvement in quality of service to stakeholders (i.e. customers, depositors or investors). The practice, however, increases their dependence on third parties and consequently impacts their risk profile. With the objective to enable FIs to effectively manage the risks arising out of outsourcing, State Bank of Pakistan has updated the Guidelines on Outsourcing Arrangements issued vide BPRD Circular No. 09 of 2007. This framework, however, does not allow outsourcing of core banking functions/activities.
- The FIs, while deciding to outsource any function, activity or process shall ensure that outsourcing should neither reduce the protection available to depositors or investors nor be used as a way of avoiding compliance with regulatory requirements. It will be the responsibility of the FIs to ensure compliance with all legal\regulatory requirements issued and amended from time to time, while entering into any outsourcing arrangement.
- The guidelines contained in this framework are applicable on all outsourcing arrangements entered into by Commercial Banks, Islamic Banks, Microfinance Banks (MFBs) and Development Financial Institutions (DFIs) hereinafter jointly referred to as Financial Institutions (FIs).
- This framework is applicable on all outsourcing arrangements of FIs with local as well as off-shore1 service providers.
- All new outsourcing arrangements by FIs shall be governed under this framework.The outsourcing arrangements already in place by the FIs shall be streamlined to comply with this framework latest by June 30, 2018.
- The FIs shall develop outsourcing policy to be approved by their Board of Directors. The outsourcing policy shall, at a minimum, include Roles & Responsibilities of all stakeholders, Materiality Assessment Criteria, , Vendor Management (due diligence, on-boarding, contractual requirements, monitoring, training & development etc), Risk Assessment & Mitigation measures for all types of outsourcing risks, classification of core & non-core activities for each function, contingency planning and an exit strategy from the outsourcing arrangement etc.
- The FIs shall ensure effective implementation of policy and formulation of detailed Standard Operating Procedures (SOPs)/Procedural Manual for outsourcing arrangements. The outsourcing policy shall be disseminated across the institution for information, understanding and compliance.
- The FIs shall ensure that the staff responsible for outsourcing arrangements is trained to have reasonable understanding on the outsourcing and the outsourced functions/activities.
- The exceptions or deviations in the policy shall be escalated to the board or its sub- committees in the immediate next meeting.