1.1. With globalization and advancement in IT, BSFIs increasingly rely on services provided by other entities to support an array of IT-related functions. The ability to outsource IT systems and processes enables a BSFI to manage costs, obtain necessary expertise, expand customer product offerings, and improve services. While outsourcing offers a cost-effective alternative to in-house capabilities, it does not reduce the fundamental risks associated with IT or the business lines that use it. Risks such as loss of funds, loss of competitive advantage, damaged reputation, improper disclosure of information and regulatory action remain. Because the functions are performed by an organization outside the BSFI, the risks may be realized in a different manner than if the functions were performed in-house, resulting in the need for a well-structured process to properly manage risks and ensure that the interests of customers will not be compromised.
2. ROLES AND RESPONSIBILITIES
2.1. Board of Directors (Board) and Senior Management. The responsibility for the oversight and management of outsourcing activities and the accountability for all outsourcing decisions continue to rest with the BSFI’s Board and senior management. They should establish and approve enterprise-wide policies appropriate to the IT risk profile of the institution. This framework should govern the end-to-end outsourcing process and shall provide the basis for management to identify, measure, monitor, and control the risks associated with IT-related outsourcing arrangements.
3. IT OUTSOURCING / VENDOR RISK MANAGEMENT PROGRAM
3.1 Risk Assessment. Prior to entering into an outsourcing plan, the BSFI should clearly define the business requirements for the functions or activities to be outsourced, assess the risk of outsourcing those functions or activities and establish appropriate measures to manage and control the identified risks. Risk assessment should take into consideration the criticality of the services to be outsourced, the capability of the technology service provider (TSP)[1] and the technology it will use in delivering the outsourced service. Such assessment should be made periodically on existing arrangements as part of the BSFI’s outsourcing program and review process.
3.2 Service Provider Selection. Before selecting a service provider, the BSFI should perform appropriate due diligence of the provider’s financial soundness, reputation, managerial skills, technical capabilities, operational capability and capacity in relation to the services to be outsourced. The depth and formality of the due diligence performed may vary depending on the nature of the outsourcing arrangement and the BSFI’s familiarity with the prospective service providers. Contract negotiation should be initiated with the service provider determined to best meet the business requirements of the BSFI.
3.3 Outsourcing Contracts. The contract is the legally binding document that defines all aspects of the servicing relationship and one of the most important controls in outsourcing process. It should be clearly written and sufficiently detailed to provide assurances for performance, reliability, security, confidentiality and reporting. Before signing a contract, management should:
a. Ensure the contract clearly defines the rights and responsibilities of both parties and contains, or is supported by, adequate and measurable service level agreements;
b. Ensure contracts with related entities clearly reflect an arm’s-length relationship and that costs and services are on terms that are substantially the same as, or at least as favorable to the BSFI as, those prevailing at the time for comparable transactions with non-related third parties;
c. Choose the most appropriate pricing method for the BSFI’s needs;
d. Ensure service provider’s physical and data security standards meet or exceed the BSFI’s standards. Any breach in security should be reported by the service provider to the BSFI;
e. Engage legal counsel to review the contract; and
f. Ensure the contract contains the minimum provisions required under existing Bangko Sentral rules and regulations, such as access by Bangko Sentral to outsourced systems and databases, and does not include any provisions or inducements that may adversely affect the BSFI (e.g., extended terms, significant price increases after the first few years, substantial cancellation penalties).
3.4 Service Level Agreement (SLA). SLAs formalize the performance standards against which the quantity and quality of service should be measured. Management should include SLAs in its outsourcing contracts to specify and clarify performance expectations, as well as to establish accountability for the outsourced activity. The BSFI should link the SLAs to the provisions in the contract regarding incentives, penalties and contract cancellation in order to protect itself in the event the service provider fails to meet the required level of performance.
a. Availability and timeliness of services;
b. Confidentiality and integrity of data;
c. Change control;
d. Security standards compliance, including vulnerability and penetration management;
e. Business continuity compliance; and
f. Help desk support.
3.5 Ongoing Monitoring
3.5.1. Monitoring Program. As outsourcing relationships and interdependencies increase in materiality and complexity, the BSFI needs to be more proactive in managing its outsourcing relationships. It should establish a monitoring program to ensure service providers deliver the quantity and quality of services required by the contract. The resources to support this program will vary depending on the criticality and complexity of the system, process, or service being outsourced.
a. contract/SLA performance;
b. material problems encountered by the service provider which may impact the BSFI;
c. financial condition and risk profile; and
d. business continuity plan, the results of testing thereof and the scope for improving it.
3.5.2. Financial Condition of Service Providers. The BSFI should monitor the financial condition of its service providers on an ongoing basis, as financial problems may jeopardize the quality of their service and possibly the integrity of the data in their possession. In the event management recognizes that the financial condition of a provider is declining or unstable, more frequent financial reviews of said provider are warranted.
3.5.3. General Control Environment of the Service Provider. The BSFI should also implement adequate measures to ensure that service providers are only given access to the information and systems that they need in order to perform their function. Management should restrict their access to the BSFI’s systems, and appropriate access controls and monitoring should be in place between the service provider’s systems and the BSFI.
3.6. Business Continuity Planning Consideration. The BSFI should integrate the provider’s BCP into its own plan, communicate functions to the appropriate personnel, and maintain and periodically review the combined plan. It should ensure that the service provider tests its plan annually and notifies the institution of any resulting modifications.
3.7. Compliance with Bangko Sentral Regulations. The BSFI should ensure that appropriate up-to-date records relevant to its outsourcing arrangements are maintained in its premises and kept available for inspection by the Bangko Sentral Examiners. The outsourcing agreement should explicitly provide a clause allowing Bangko Sentral and BSFIs’ internal and external auditors to review the operations and controls of the service provider as they relate to the outsourced activity.
4. EMERGING OUTSOURCING MODELS
4.1. With the continued and fast growth of technology, outsourcing of IT-related systems and processes has been a constant theme among BSFIs. While an outsourcing strategy allows BSFIs to achieve growth targets, operational efficiency and cost savings, it also exposes them to various levels and kinds of risks. Potential risk exposures and other significant supervisory concerns are further heightened by the emergence of flexible and innovative outsourcing models (e.g., shared services, offshoring and cloud computing).
4.2. Due mainly to its perceived promise of greater flexibility and availability at lower cost, cloud computing is a subject that has been receiving a good deal of attention. Currently, the most widely accepted definition of cloud computing is as follows –
4.3. In general, cloud computing is a migration from owned resources to shared resources in which client users receive IT services, on demand, from third-party service providers, also known as Cloud Service Providers (CSP), via the Internet “cloud.” This emerging model allows BSFIs the option to move from a capital-intensive approach to a more flexible business model that lowers operational costs. Cloud computing technologies can be implemented in a wide variety of architectures, under different service and deployment models, and can coexist with other technologies and software design approaches. The four (4) cloud deployment models are the following:
a. Private Cloud – A private cloud is operated solely for an institution and is closely related to the existing IT outsourcing models in the marketplace, but can be an institution’s internal delivery model as well.
b. Public Cloud – A public cloud is owned and operated by a CSP that delivers services to the general public or a large industry group via the internet or other computer network using a multi-tenant platform.
c. Community Cloud – A community cloud is a private-public cloud whose users have a common connection or affiliation, such as a trade association, the same industry or a common locality. It allows a CSP to provide cloud tools and applications specific to the needs of the community.
d. Hybrid Cloud – This model composes two or more clouds (private, community or public). A hybrid cloud leverages the advantages of the other cloud models, thus providing a more optimal user experience.
4.4. Cloud computing is perceived to play an increasingly important role in a wide range of development initiatives, including, among others, offering small to medium-sized BSFIs critical access to infrastructure and computational resources that would otherwise be out of their financial reach or too complex to manage. While the advantages of adopting an outsourced cloud-based component are undeniable, the fact remains that cloud computing also creates disruptive possibilities and potential risks. Many of the threats identified are not necessarily unique to the cloud environment. In fact, risks such as potential data loss, poor management by a service provider, service interruption and unauthorized access to sensitive data are also applicable to traditional forms of outsourcing. Cloud computing, however, adds new dimensions to the traditional outsourcing risks; thus, the vulnerabilities and the probability of a risk event occurring are amplified. BSFIs should be fully aware of the unique attributes and risks associated with cloud computing, particularly in the following areas (details are shown in the attached Annex “A”):
- Legal and Regulatory Compliance;
- Governance and Risk Management;
- Due Diligence;
- Vendor Management/Performance and Conformance;
- Security and Privacy;
- Data Ownership and Data Location and Retrieval;
- Business Continuity Planning.
4.5. Among the four (4) cloud models, the private cloud deployment is most similar to the traditional outsourcing model and thus introduces the fewest new risks and security challenges. Implementation of this model is allowed subject to compliance with existing Bangko Sentral rules and regulations on outsourcing. Adoption of community and hybrid cloud deployment models may also be allowed with prior Bangko Sentral approval, subject to the following:
a. Compliance with existing Bangko Sentral rules and regulations on outsourcing;
b. Implementation of more robust risk management systems and controls required for these types of arrangements;
c. Issues set out in the attached Annex “A” are properly addressed prior to executing the plans; and
d. Bangko Sentral may be allowed to perform onsite validation prior to implementing the cloud computing arrangement/s.
4.6. However, given the increased probability of risk and exposure to potential issues related to business operations, confidentiality and compliance, which are critical in the financial services industry, the Bangko Sentral, at present, would only allow the use of the public cloud computing model for non-core operations and business processes (e.g., email, office productivity, collaboration tools, claims and legal management, etc.) which do not directly involve sensitive BSFI and customer data. Bangko Sentral approval of the public cloud deployment model for non-core operations shall be subject to the same conditions in Item 4.5 above. Core operations and business processes whose importance is fundamental in ensuring continuous and undisturbed operation of IT systems used to directly perform banking and financial services (e.g., CA/SA, Loans, Trust and Treasury systems, ATM switch operations, electronic delivery systems and systems used to record banking operations) are not allowed to use public cloud computing services. Distinguishing whether a particular operation or business process is “core” or “non-core” and classifying the data (e.g., confidential, critical, sensitive, public) associated with the system or application are, therefore, significant considerations in determining the permissibility of the public cloud model for that operation or process.
4.7. BSFIs should consult Bangko Sentral before making any significant commitment on cloud computing.
5. ROLE OF IT AUDIT
5.1. The BSFI should conduct a regular, comprehensive audit of its service provider relationships. The audit scope should include a review of controls and operating procedures that help protect the BSFI from losses due to irregularities and willful manipulations. Such responsibility can be assigned to the BSFI’s IT audit function. In case the BSFI has no technical audit expertise, non-technical audit methods can provide minimum coverage and should be supplemented with comprehensive external IT audits.
(Circular No. 958 dated 25 April 2017)
1. Legal and Regulatory Compliance
a. Law on Secrecy of Deposits (R.A. No. 1405);
b. Foreign Currency Deposit System (R.A. No. 6426);
c. Anti-Money Laundering Act, particularly on data/file retention;
d. Electronic Commerce Act (R.A. No. 8792);
e. Data Privacy Law;
f. Cybercrime Prevention Act;
g. General Banking Law (R.A. No. 8791); and
h. Regulations concerning IT risk management, electronic banking, consumer protection, reporting of security incidents and other applicable Bangko Sentral issuances, rules and regulations.
2. Governance and Risk Management
3. Due Diligence
4. Vendor Management/Performance and Conformance
5. Security and Privacy
6. Data Ownership and Data Location and Retrieval
7. Business Continuity Planning
a. Prioritization arrangements in case of multiple/simultaneous disasters;
b. Retention of onsite and offsite back-up (whether to maintain an up-to-date back-up copy of data at the BSFI’s premises or stored with a second vendor that has no common points of failure with the CSP); and
c. Ability to synchronize documents and process data while the client-BSFI is offline.
(Circular No. 958 dated 25 April 2017)
[1] TSPs include a wide range of entities, including but not limited to affiliated entities, non-affiliated entities, and alliances of companies providing technology products and services. These services may include, but are not limited to, the following: a) information and transaction processing and settlement activities that support banking functions; b) electronic banking-related services; c) Internet-related services; d) security monitoring; e) systems development and maintenance; f) aggregation services; and g) digital certification services. Other terms used to describe TSPs include vendors and external/outsourced service providers.
[2] National Institute of Standards and Technology, The NIST Definition of Cloud Computing: Special Publication 800-145, 2011, www.nist.gov/itl/cloud/