Appendix 103

DOCUMENTS REQUIRED UNDER THE REVISED OUTSOURCING FRAMEWORK FOR BANKS
(Appendix to Sec. 112 on Documentations)

1. A comprehensive policy on outsourcing duly approved by the board of directors of the bank.

2. Service level agreement of contract between the bank and the service provider, which shall, at a minimum, include all of the following:

a. Complete description of the work to be performed or services to be provided;

b. Fee structure;

c. Provisions governing amendment and pre- termination of contract;

d. Responsibility, fines, penalties and accountability of the service provider for errors, omissions and frauds;

e. Confidentiality clause covering all data and information; solidarity liability of service provider and bank for any violation of R.A. No. 1405, (the Bank Deposits Secrecy Law) actions that the bank may take against the service provider for breach of confidentiality or any form of disclosure of confidential information; and the applicable penalties;

f. Segregation of the data of the bank from that of the service provider and its other clients;

g. Disaster recovery/business continuity contingency plans and procedures;

h. Guarantee that the service provider will provide necessary levels of transition assistance if the bank decides to convert to other service providers or other arrangements;

i. Access to the financial information of the service provider;

j. Access of internal and external auditors to information regarding the outsourced activities/ services which they need to fulfill their respective responsibilities;

k. Access of Bangko Sentral to the operations of the service provider in order to review the same in relation to the outsourced activities/ services;

l. Provision which requires the service provider to immediately take the necessary corrective measures to satisfy the findings and recommendations of Bangko Sentral examiners and those of the internal and/or external auditors of the bank and/or the service provider;

m. Remedies for the bank in the event of change of ownership, assignment, attachment of assets, insolvency, or receivership of the service provider; and

n. Provision allowing the bank to cancel the contract by contractual notice of dismissal or extraordinary notice of cancellation if so required by the Bangko Sentral.

Additional Requirements for IT outsourcing:

o. Provisions regarding on-line communication availability, transmission line security, and transaction authentication;

p. Responsibilities regarding hardware, software and infrastracture upgrades;

q. Mandatory notification by the service provider of all systems changes that will affect the bank;

r. Details of all security procedures and standards;

s. Adequate insurance for fidelity and fire liability; and

t. Ownership/maintenance of the computer hardware, software (program source code), user and system documentation, master and transaction data files.

3. Secretary’s certificate on the minutes of meeting of the board of directors of the bank (or a local/regional management committee, in case of foreign banks), explicitly approving the activity to be outsourced, the determination of whether an outsourcing arrangement is considered material or non-material and the specific service provider with which the bank is entering into an outsourcing contract;

4. Profile of the selected service provider; and

5. A central record of all outsourcing arrangements which shall be periodically updated and shall form part of the corporate governance reviews undertaken by the bank.