112 MANAGEMENT CONTRACTS AND OUTSOURCING
a. Management contracts of banks with management firms shall be limited to consultancy and advisory services;
b. Only a natural person may be elected or appointed as an officer of a bank, without prejudice to such person being a nominee of a management corporation: Provided, That the responsibility and/or accountability of anyone elected or appointed to an officer position shall be personal in nature and cannot be delegated to a corporation; and
c. Any bank that enters into contracts contrary to this policy shall be denied the credit facilities of the Bangko Sentral.
a. Taking of deposits from the public;
b. Granting of loans and extension of other credit exposures;
c. Managing of risk exposures; and
d. General management.
a. Perform risk assessment of a business activity and evaluate the implications of performing the activity in-house or having the activity outsourced.
(1) Level of importance to the bank of the activity to be outsourced and potential impact on bank’s operations, financial condition, reputation, and ability to achieve its objectives, strategies and plans, should the service provider fail to perform the services;
(2) Outsourcing costs in proportion to total operating expenses and compared with costs of developing own infrastructure and expertise;
(3) Aggregate exposure to a particular service provider, in cases when the bank outsources various functions to the same service provider;
(4) Ability to maintain appropriate controls and meet regulatory requirements, in cases of operational constraints of the service provider; and
(5) Exposure to risk of confidentiality, integrity and availability of customer and bank data.
b. Establish policies and criteria to select the “best” service provider for the outsourced activities and to get said services at reasonable price. The following factors should be considered in evaluating potential service providers:
(1) Reputation, ownership structure (to identify potential conflict of interest), technical expertise, and operational capability;
(2) Financial performance and condition (e.g., ongoing viability, outstanding commitments, capital/funding strength, liquidity and operating results; and reliance on subcontractors) of the service provider and its closely-related affiliates;
(3) Operations and internal control environment (e.g., internal controls, facilities management, training, security of system, privacy protection, maintenance and retention of records, business resumption and contingency plans, systems development and maintenance, and employee background checks);
(4) Fees and charges (e.g., outsourcing cost should be lower than developing the necessary infrastructure and expertise, comparable with market rates, and reasonable vis-à-vis scope and complexity of services);
(5) Actual performance vis-à-vis service level agreement;
(6) Performance of the service provider (past and present engagements) including the reasons/causes of disengagements, if any; and
(7) Compliance with provisions of service agreements, performance standards and adherence to applicable laws, regulations, and supervisory expectations.
c. Establish, maintain, and regularly test business continuity and contingency plans for situations wherein the service provider cannot deliver the required services. The contingency plan must indicate whether another service provider will be tapped or the service/activity will be brought back in-house. This should in turn consider the costs, time, and resources that would be involved.
d. Ensure that it has adequate resources to manage and monitor outsourcing relationships on a continuing basis. Banks are expected to develop acceptable performance metrics to assess outsourcing contracts. They shall also maintain records of all outsourcing activities which should be updated and reviewed regularly.
e. Ensure that personnel with oversight and management responsibilities for service providers have the appropriate level of expertise and stature to manage the outsourcing arrangement. The oversight process, including the level and frequency of management reporting, should be risk-focused. Banks should design and implement risk mitigation plans for higher risk service providers. These may include certain requirements or processes such as additional reporting by the service provider or heightened monitoring. Further, more frequent and stringent monitoring is necessary for service providers that exhibit performance, financial, compliance, or control concerns.
a. Confidentiality of deposits and investments in government bonds as defined under R.A. No. 1405, as amended;
b. Prohibition on cross-selling except as allowed under applicable regulations.