State Bank of Pakistan has asked banks to ensure the confidentiality of customers’ data while outsourcing their services or functions to different vendors and service providers.
SBP also added that banks shall not outsource any decision-making functions or any activities that would breach the confidentiality of data relating to customers/borrowers.
In cases where an outsourcing arrangement involves the disclosure of confidential customer information to the service provider, the bank shall need to obtain the consent of the customer as well as the prior written approval of SBP. Such approval is necessary regardless of whether the information is provided to a third party or to the head office, holding company, or group company of a foreign banking company.
Banks must ensure that the outsourced activity does not violate any statutory/regulatory requirements on Anti-Money Laundering (AML) or the record-keeping requirements of local as well as foreign jurisdictions.
Any outsourcing arrangement outside Pakistan will still require SBP’s prior approval. All such requests shall be signed by the Head of Compliance and include details of:
- the functions to be outsourced,
- rationale for the outsourcing,
- details relating to the proposed service provider,
- agreement with the service provider,
- business continuity plan,
- disaster recovery arrangements,
- a legal opinion that the arrangement does not violate any relevant local law.
Financial Institutions, including Conventional Banks, Islamic Banks and Microfinance Banks, use third-party entities to perform activities, functions or processes on a continuing basis, normally in a bid to save money and time and to draw on the skills of another entity.
These outsourcing arrangements are helpful to meet new & complex challenges like innovation in technology, increasing competition, economies of scale and improvement in quality of service to stakeholders (i.e. customers, depositors or investors).
The practice, however, increases their dependence on third parties and consequently impacts their risk profile. In this regard, State Bank of Pakistan has updated the Guidelines on Outsourcing Arrangements. This framework, however, does not allow outsourcing of core banking functions/activities.
Outsourcing of IT Services
IT outsourcing shall be the part of Outsourcing Policy to be approved by the board. IT outsourcing, at a minimum, shall take into account operational & transactional risks, risks to the confidentiality of information, risks to Business Continuity and compliance/regulatory risks.
IT outsourcing of equipment and services within Pakistan (non-material) shall be approved by the IT Steering Committee of the management.
IT outsourcing shall not be allowed for the banks' critical IT systems, functions and applications, such as core banking applications (including Branchless Banking and the mobile wallets of Branchless Banking), the main database, databases holding customer information, information security, and the Primary and Disaster Recovery Sites.
Outsourcing To Fintechs
All instructions contained in this framework shall also be applicable to FIs entering into collaboration with Fintechs for outsourcing of products and services.
Banks shall not enter into outsourcing agreements with Fintechs for those services which fall within the domain of Payment System Operators (PSO) and Payment Service Providers (PSP) under the SBP PSO/PSP Rules 2014.
The complete Guidelines on Outsourcing Arrangements for financial institutions can be viewed here.