On 28 December 2018, Bank Negara Malaysia (the Malaysian Central Bank) (BNM) issued a policy document on outsourcing (Outsourcing Guideline). The Outsourcing Guideline was finalised after feedback from industry players on previous exposure drafts and was anticipated by the financial services industry, given that it would impact the terms of any existing outsourcing arrangement (including whether there would be a need to amend such arrangements) and provide guidance to financial institutions on their ability to appoint service providers (including the use of cloud services).
The Outsourcing Guideline came into force on 1 January 2019 and the salient terms include:
(a) Streamlined Approach
The outsourcing regime for all licensed banks, insurers, takaful operators and prescribed development financial institutions (collectively, the "FIs") has been streamlined under the Outsourcing Guideline, which applies to all FIs.
(b) Outsourcing Arrangements versus Material Outsourcing Arrangements
An arrangement is regarded as outsourcing if it entails a service provider performing an activity (directly or indirectly) on behalf of an FI on a continuing basis, where the activity would otherwise be undertaken by the FI.
Any activity supporting internal control functions relating to risk management, internal audit and compliance is considered a material outsourcing activity. BNM approval will not be required where the material outsourced activity is to be performed by an affiliate which:
- is a financial institution; or
- is not supervised by BNM but which BNM considers to be effective in managing outsourcing risk, taking into account the fact that the affiliate is supervised by another financial regulatory authority and the fact that BNM has effective home-host supervisory cooperation arrangements with such a financial regulatory authority.
The entry into new or modifications to existing arrangements constituting material outsourcing arrangements (which will entail a qualitative assessment by the FIs) will require the prior approval of BNM.
(c) Continuous Board and Senior Management Oversight
Moving forward, the Board of an FI will have to approve:
- an outsourcing risk management framework; and
- an outsourcing plan (detailing the FI's planned outsourcing arrangements for the year) and submit the same to BNM within 3 months from the FI's financial year end.
The Senior Management in turn bears primary responsibility for day-to-day management of the outsourcing risk.
(d) Comprehensive Due Diligence
When considering all new outsourcing arrangements or renewing or renegotiating existing outsourcing arrangements, the FI will need to conduct a comprehensive and rigorous assessment of the service provider (whether it is a third party or an offshore or onshore provider).
The scope and depth of the due diligence process have been significantly expanded and must cover, amongst others, a comprehensive assessment of the risks to which the FI may be exposed, the risk management and internal control capabilities of the service provider, and its reliance on sub-contractors. That said, the depth of due diligence may differ if the service provider is an affiliate which is supervised by a financial regulatory authority.
(e) Outsourcing Arrangements in Writing
Outsourcing arrangements must be documented in writing and at a minimum include:
- controls to ensure security of proprietary and customer data shared with the service provider at all times;
- the right of the FI and its auditors to conduct audits and on-site inspections on the service provider and its sub-contractors; and
- termination rights in the event there is heavy reliance on sub-contracting.
FIs should take note of the Outsourcing Guideline because it has an impact on their existing outsourcing arrangements (including the possibility of having to negotiate amendments to such arrangements), and will also determine the breadth of services that they can outsource going forward. BNM requires all FIs to conduct a gap analysis of their existing outsourcing arrangements against the requirements of the Outsourcing Guideline and develop an action plan to address the gaps (Gap Analysis and Action Plan).
The Gap Analysis and Action Plan will need to highlight the changes to be made to the existing outsourcing arrangements, and enable the FIs to commence discussions with the service providers to renegotiate and vary such arrangements.
Therefore, as a matter of priority, FIs should formulate their outsourcing risk management framework and their outsourcing plan. These will then serve as the guide for FIs in respect of their outsourcing arrangements. The Gap Analysis and Action Plan, which are due to BNM by 1 July 2019, will also need to dovetail with the framework and plan.