On 28 September 2017, Bank Negara Malaysia (i.e. the Central Bank of Malaysia) (BNM) issued an exposure draft of the Outsourcing Guidelines (Exposure Draft) to obtain public and industry feedback on the proposed regulatory requirements. The Exposure Draft sets out the requirements for licensed financial institutions when implementing, or renewing, any outsourcing arrangements.
There are various regulatory, prudential and supervisory objectives that BNM seeks to achieve under the Exposure Draft. These include stringent governance standards to be enforced by the board and senior management of the financial institutions, enhanced due diligence being undertaken before any outsourcing arrangement is effected, and increased oversight by BNM of any outsourcing arrangement.
Financial institutions may want to exercise caution and deliberate whether any arrangement should be outsourced. The decision will need to be balanced against the increased standards of governance and the corresponding increase in cost for outsourcing. Thought will also have to be given to how such outsourcing arrangements should be “unwound” (if needed).
While still in a draft format, some of the salient changes being proposed under the Exposure Draft are set out below.
(a) Streamlining the regulatory regime for all licensed financial institutions
The current regulatory framework for outsourcing differs – licensed banks and licensed insurers/takaful operators are subject to different guidelines and standards. Under the Exposure Draft, all licensed financial institutions will be subject to the same regulatory regime for outsourcing.
(b) All outsourcing arrangements subject to BNM approval
Under the present guidelines, BNM approval is generally required if a financial institution outsources its core functions or outsources any function outside of Malaysia. Going forward, the entry into or renegotiation/renewal of all outsourcing arrangements (whether relating to a core function or a non-core function) will be subject to the prior approval of BNM.
The following are however exempt from the approval requirement:
(i) where the outsourced activity will be performed by the licensed financial institution's parent company (which is also a financial institution); and
(ii) the following activities which BNM does not regard as outsourcing:
a) subscription, maintenance and support of electronic trading or banking system;
b) correspondent banking services;
c) co-insurance, reinsurance, retrocessions;
d) independent consultancy support;
e) services for the transfer, clearing and settlement of funds or securities;
f) independent audit assessment; and
g) procurement services such as credit or market information services, purchase of commercially available software, maintenance and support of licensed software, physical security and surveillance services, and telecommunication, postal and courier services.
Services like IT support and data recovery services, which at present can be outsourced by licensed banks subject to notification to BNM, will require the prior approval of BNM. BNM is subjecting financial institutions to greater and more stringent supervisory oversight.
(c) Outsourcing Agreement must be time bound
As with the current regulatory regime, the Exposure Draft also requires that financial institutions record their outsourcing arrangements in written contracts (Outsourcing Agreement). The Exposure Draft prescribes the minimum content (e.g., such agreement must include well-defined and measurable performance standards to be met by the service provider, and measures that the service provider will need to take to ensure continuity of the outsourced activity in the event of an operational disruption or failure of the service provider).
The Exposure Draft contemplates that all Outsourcing Agreements will have fixed terms. At this juncture, BNM is considering specifying a maximum term of 3 years. Under the Exposure Draft, a financial institution will need to ensure that any agreement entered into prior to the coming into force of the finalised policy document and which is not time bound, be terminated by the end of the prescribed transitional period. Financial institutions should undertake an internal diligence review to identify all their outsourcing arrangements, ascertain the term for each agreement, and plan for the required changes.
(d) Legal advice must be sought before execution of Outsourcing Agreement
The Exposure Draft also prescribes the requirement for licensed financial institutions to obtain legal advice before executing the Outsourcing Agreement. The legal counsel will need to render a confirmation that all relevant requirements in the policy document have been incorporated in the Outsourcing Agreement (Legal Advice).
A copy of the Legal Advice will form part of the supporting documents in the application to BNM for its approval.
(e) Board and Senior Management oversight
The Exposure Draft places a heavier burden on the Board and Senior Management (i.e., Chief Executive Officer and senior officers) of the financial institution.
For example, the Senior Management will have to:
(i) ensure that a regular review (as opposed to periodic reviews under the current guidelines) is undertaken by an independent function on all the licensed financial institution's outsourcing arrangements for compliance with its outsourcing framework;
(ii) ensure that prompt remedial or disciplinary action is undertaken if the outsourcing framework is not complied with; and
(iii) assess, at least on an annual basis, the effectiveness of its management of risks that could result in a disruption to business operations, financial loss or reputational damage to the financial institution (Outsourcing Risk).
Moving forward, the Board will have to:
(i) ensure the effectiveness of the licensed financial institution's overall management of Outsourcing Risk at all times;
(ii) ensure that the outsourcing framework remains up-to-date and appropriate to address any material changes to the size, nature and complexity of the financial institution's operations; and
(iii) also approve all Outsourcing Arrangements (regardless of their materiality) before they are entered into by the licensed financial institution.
(f) Strengthened due diligence requirements on service providers
There will have to be a comprehensive and rigorous assessment of a potential service provider, and such assessment must include:
(i) the capacity, capability and business reputation of the service provider to perform the outsourced activity at a high standard;
(ii) risk management and internal control capabilities, including physical and IT security controls and business continuity management;
(iii) disaster recovery arrangements and locations (both primary and backup sites) established by the service provider, including its disaster recovery record;
(iv) reliance on any sub-contractor; and
(v) any potential conflict of interest (taking into account the service provider's fee structure and incentives for similar business arrangements with the financial institution).
The findings and outcomes from this due diligence will need to be documented and thereafter escalated to the Board.
The regulatory requirements to be met before a financial institution can outsource any function have been made more stringent. These higher standards reflect BNM's concerns that licensed financial institutions are reliant on service providers for activities that are critical to the overall viability of the licensed financial institution. BNM is seeking to deter financial institutions from outsourcing functions which the institutions should be in a position to implement, i.e., without the aid of an external service provider.
Given the tenor of the Exposure Draft, licensed financial institutions should take the opportunity to review their existing outsourcing arrangements with a view to either transitioning (to the extent possible) such arrangements in-house, or otherwise considering the changes that they will need to make upon the policy document coming into force.