Philippines: Rules on outsourcing tightened
MANILA, Philippines — The Bangko Sentral ng Pilipinas (BSP) has tightened the rules on management contracts, outsourcing, and information technology (IT) risk management.
BSP Governor Benjamin Diokno said the Monetary Board issued Resolution 190 on Feb. 10 approving the amendments to regulations on outsourcing and IT risk management.
Under the new rules contained in Circular 1137, banks are directed to assess whether an outsourcing arrangement is material or non-material to the business.
An outsourcing arrangement is material if a business disruption of an outsourced activity, service delivery failure and data or security breach would result in significant impact to the bank’s operations, financial condition, reputation, customers, and compliance with laws as well as rules and regulations.
Diokno said the rules still prohibit the outsourcing of inherent banking functions including taking of deposits, granting of loans and extension of other credit exposures, managing of risk exposure, and general management.
He said banks are also required to conduct periodic assessments to ensure that outsourcing risks, both on a contract-specific level and on an institution-wide level, are managed vis-à-vis the impact on overall operations.
Furthermore, BSP-supervised financial institutions (BSFIs) are required to ensure the portability of the outsourced service and to consider the impact on business continuity and recovery and resolution plans of the supervised institutions.
The BSP chief explained that the guidelines and requirements of outsourcing to third-party service providers should be observed when a bank acts as the service provider, participates in intra-group outsourcing and engages in offshore outsourcing.
He said banks should have the primary responsibility to ascertain the adequacy of design and effectiveness of the service provider’s security control mechanisms through audit procedures conducted by third-party auditors or the bank’s internal audit functions.
The regulator also directed BSFIs to perform appropriate due diligence on the third-party service provider’s financial soundness, reputation, managerial skills, technical capabilities, operational capability, and capacity in relation to the services to be outsourced.
For arrangements involving data transfer and handling, Diokno said banks should identify potential risks arising from physical and logical access of technology service provider employees, subcontractors and other parties.
Source: https://www.philstar.com/business/2022/02/21/2162141/rules-outsourcing-tightened