112 MANAGEMENT CONTRACTS AND OUTSOURCING

Management Contracts.

a. Management contracts of banks with management firms shall be limited to consultancy and advisory services;

b. Only a natural person may be elected or appointed as an officer of a bank, without prejudice to such person being a nominee of a management corporation: Provided, That the responsibility and/or accountability of anyone elected or appointed to an officer position shall be personal in nature and cannot be delegated to a corporation; and

c. Any bank that enters into contracts contrary to this policy shall be denied the credit facilities of the Bangko Sentral.

Outsourcing. A bank may outsource to third parties or to related companies in the group, in accordance with existing Bangko Sentral regulations, certain services or activities to have access to certain areas of expertise or to address resource constraints: Provided, That it has in place appropriate processes, procedures, and information system that can adequately identify, monitor, and mitigate operational risks arising from the outsourced activities: Provided, further, That the bank’s board of directors and senior management shall remain responsible for ensuring that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws, rules and regulations.

Definition. Outsourcing shall refer to any contractual arrangement between a bank and a qualified service provider for the latter to perform designated activities on a continuing basis on behalf of the bank.

Prohibition against outsourcing of inherent banking functions. No bank shall outsource inherent banking functions such as:

a. Taking of deposits from the public;

b. Granting of loans and extension of other credit exposures;

c. Managing of risk exposures; and

d. General management.

Authority to outsource. Only those banks with a CAMELS composite rating of at least “3” and a Management rating of not lower than “3” shall be allowed to outsource designated activities without prior Bangko Sentral approval. Otherwise, the bank must secure prior approval from the appropriate supervising department of the Bangko Sentral whose evaluation will be based on the bank’s ability to manage risks attendant to outsourcing.

Governance and managing of outsourcing risks. Key risk areas related to outsourcing such as strategic, reputational/legal, operational, compliance, country and concentration risks should be evaluated before entering into and while managing outsourcing contracts. In this regard, banks shall:

a. Perform risk assessment of a business activity and evaluate the implications of performing the activity in-house or having the activity outsourced.

The following factors shall be considered in the assessment:

(1) Level of importance to the bank of the activity to be outsourced and potential impact on bank’s operations, financial condition, reputation, and ability to achieve its objectives, strategies and plans, should the service provider fail to perform the services;

(2) Outsourcing costs in proportion to total operating expenses and compared with costs of developing own infrastructure and expertise;

(3) Aggregate exposure to a particular service provider, in cases when the bank outsources various functions to the same service provider;

(4) Ability to maintain appropriate controls and meet regulatory requirements, in cases of operational constraints of the service provider; and

(5) Exposure to risk of confidentiality, integrity and availability of customer and bank data.

In cases when the risk management system is deemed inadequate for purposes of managing outsourcing-related risks, the Bangko Sentral may direct the bank to terminate, modify, make alternative arrangements or re-integrate the outsourced activity into its operations, as may be necessary.

b. Establish policies and criteria to select the “best” service provider for the outsourced activities and to get said services at reasonable price. The following factors should be considered in evaluating potential service providers:

(1) Reputation, ownership structure (to identify potential conflict of interest), technical expertise, and operational capability;

(2) Financial performance and condition (e.g., ongoing viability, outstanding commitments, capital/funding strength, liquidity and operating results; and reliance on subcontractors) of the service provider and its closely-related affiliates;

(3) Operations and internal control environment (e.g., internal controls, facilities management, training, security of system, privacy protection, maintenance and retention of records, business resumption and contingency plans, systems development and maintenance, and employee background checks);

(4) Fees and charges (e.g., outsourcing cost should be lower than developing the necessary infrastructure and expertise, comparable with market rates, and reasonable vis-à-vis scope and complexity of services);

(5) Actual performance vis-à-vis service level agreement;

(6) Performance of the service provider (past and present engagements) including the reasons/causes of disengagements, if any; and

(7) Compliance with provisions of service agreements, performance standards and adherence to applicable laws, regulations, and supervisory expectations.

In cases when the clients are prejudiced due to errors, omissions, and frauds by the service provider, the bank shall be liable in providing the appropriate remedies or remuneration as may be allowed under existing laws or regulations, without prejudice to the bank’s right of recourse to the service provider.

c. Establish, maintain, and regularly test business continuity and contingency plans for situations wherein the service provider cannot deliver the required services. The contingency plan must indicate whether another service provider will be tapped or the service/activity will be brought back in-house. This should in turn consider the costs, time, and resources that would be involved.

Contingency arrangements in respect of daily operational and systems problems should be covered in the service provider’s own contingency plan. The contingency plan must be reviewed regularly to ensure that it remains relevant and ready for implementation.

d. Ensure that it has adequate resources to manage and monitor outsourcing relationships on a continuing basis. Banks are expected to develop acceptable performance metrics to assess outsourcing contracts. They shall also maintain records of all outsourcing activities which should be updated and reviewed regularly.

e. Ensure that personnel with oversight and management responsibilities for service providers have the appropriate level of expertise and stature to manage the outsourcing arrangement. The oversight process, including the level and frequency of management reporting, should be risk-focused. Banks should design and implement risk mitigation plans for higher risk service providers. These may include certain requirements or processes such as additional reporting by the service provider or heightened monitoring. Further, more frequent and stringent monitoring is necessary for service providers that exhibit performance, financial, compliance, or control concerns.

Documentations. The bank should maintain necessary documentation to show that outsourcing arrangements are properly reviewed and the appropriate due diligence has been undertaken prior to implementation. The bank shall keep in its file the documents shown in Appendix 103 and the same shall be made available to authorized representatives of the Bangko Sentral for inspection.

Intra-group outsourcing. The guidelines and requirements of outsourcing to third-party service providers shall be observed when outsourcing within a business group including its head office, another branch or related company. When the bank is the service provider, the bank may only render services it performs in the ordinary course of its banking business: Provided, That (i) the service is rendered to subsidiaries, affiliates and companies related to it by at least five percent (5%) common ownership; or (ii) the service is rendered to its own depositors on account of the bank being a depository. The bank, acting as a service provider within its group, shall uphold the following:

a. Confidentiality of deposits and investments in government bonds as defined under R.A. No. 1405, as amended;

b. Prohibition on cross-selling except as allowed under applicable regulations.

Offshore outsourcing. Offshore outsourcing exists when the service provider is located outside the country. The intra-group outsourcing under this Section likewise applies in cases of offshore outsourcing. In addition, offshore outsourcing of bank’s domestic operations is permitted only when the service provider operates in jurisdictions which uphold confidentiality. When the service provider is located in other countries, the bank should take into account and closely monitor, on continuing basis, government policies and other conditions in countries where the service provider is based during risk assessment process. The bank shall also develop appropriate contingency and exit strategies.

The Bangko Sentral examiners shall be given access to the service provider and those relating to the outsourced domestic operations of the bank. Such access may be fulfilled by on-site examination through coordination with host authorities, if necessary. The domestic branch of foreign bank shall be principally liable in cases where the clients are prejudiced due to errors, omissions and frauds of the service provider located offshore.

The Bangko Sentral may require the bank to terminate, modify, make alternative outsourcing arrangement or re-integrate the outsourced activity into the bank, as may be necessary, if confidentiality of customer information, effective customer redress mechanisms or the ability of the Bangko Sentral to carry out its supervision functions cannot be assured.

Transitory provision. All outsourcing agreements must be aligned with the provisions under this Section. Existing outsourcing agreements which are not in accordance with this Section will not be unwound. However, it must comply with the requirements provided herein upon renewal of the agreements.

Supervisory enforcement actions. Consistent with Sec. 002, the Bangko Sentral may deploy enforcement actions to promote adherence with the requirements set forth in this Section and its Subsections and bring about timely corrective actions. The Bangko Sentral may issue directives to improve the management of outsourcing arrangements, or impose sanctions to limit the level of or suspend any business activity that has adverse effects on the safety or soundness of the BSFI, among others. Sanctions may likewise be imposed on a BSFI and/or its directors, officers and/or employees.

(Circular Nos. 940 dated 20 January 2017, 930 dated 18 November 2016 and 899 dated 18 January 2016)