BackText onlyPrint

You need the Flash plugin.

Download Macromedia Flash Player

Location: Central Bank of Bahrain Volume 5—Specialised Licensees > Specific Modules (By Type of Licensee) > Type 7: Ancillary Service Providers > Part A > High Level Standards > GR Ancillary Service Providers General Requirements Module > GR-11 Outsourcing > GR-11.1 Outsourcing > GR-11.1.11
  • GR-11.1 Outsourcing

    • GR-11.1.1

      Ancillary service providersG must undertake a thorough risk assessment of an outsourcingG proposal, before formally submitting the request for approval to the CBB and committing itself to an agreement.

      Added: December 2018

    • GR-11.1.2

      The risk assessment should — amongst other things — include an analysis of (i) the business case; (ii) the suitability of the outsourcing providerG including but not limited to the outsourcing provider's financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk; and (iii) the impact of the outsourcingG on the licensee's overall risk profile and its systems and controls framework.

      Added: December 2018

    • GR-11.1.3

      OutsourcingG means an arrangement whereby a third party performs on behalf of a licensee an activity that was previously undertaken by the licensee itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

      Added: December 2018

    • GR-11.1.4

      Ancillary service providersG must seek the CBB's prior written approval before committing to a new material outsourcingG arrangement and/or when the terms or conditions of the outsourcingG arrangement are altered.

      The prior approval request must:

      (a) Be made in writing to the licensee'sG normal supervisory contact;
      (b) Contain sufficient detail to demonstrate that relevant risks are satisfactorily addressed; and
      (c) Be made at least 6 weeks before the licenseeG intends to commit to the arrangement.
      Added: December 2018

    • GR-11.1.5

      Ancillary service providersG must retain ultimate responsibility for functions or activities that are outsourced. In particular, licenseesG must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.

      Added: December 2018

    • GR-11.1.6

      Once an activity has been outsourced, ancillary service providersG must continue to monitor the associated risks and the effectiveness of its mitigating controls. Ancillary service providers must inform its normal supervisory contact at the CBB if material problems are encountered with the outsourcing providerG . The CBB may direct the ancillary service providers to make alternative arrangements for the outsourced activity.

      Added: December 2018

    • GR-11.1.7

      Ancillary service providersG must maintain and regularly review contingency plans to enable them to set up alternative arrangements — with minimum disruption to business — should the outsourcingG contract be suddenly terminated or the outsourcing providerG fail.

      Added: December 2018

    • GR-11.1.8

      Ancillary service providersG must nominate a relevant approved person with day-to-day responsibility for handling the relationship with the outsourcing providerG and ensuring that relevant risks are addressed.

      Added: December 2018

    • GR-11.1.9

      A legally enforceable contract document must be available for any material outsourcingG arrangement. Where the outsourcing providerG interacts directly with a licensee's customersG , the contract must — where relevant — reflect the licensee's own standards regarding customer care.

      Added: December 2018

    • GR-11.1.10

      Mechanisms for the regular monitoring by licenseesG of performance against service level agreementG and other targets, and for implementing remedies in case of any shortfalls, must also form part of the agreement. Such reviews must take place at least every year.

      Added: December 2018

    • GR-11.1.11

      OutsourcingG agreements must ensure that the licensee'sG internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing providerG , if required.

      Added: December 2018

    • GR-11.1.12

      Ancillary service providersG must also ensure that the CBB inspectors and appointed expertsG have timely access to any relevant information they may reasonably require to fulfil its responsibilities under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing providerG , if required.

      Added: December 2018

    • GR-11.1.13

      Where the outsourcing providerG is based overseas, the outsourcing providerG must confirm in the outsourcingG agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the CBB inspectors and appointed expertsG , as appropriate.

      Added: December 2018

    • GR-11.1.14

      The outsourcing providerG must commit itself, in the outsourcingG agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider'sG internal or external auditors, and material adverse developments in the financial performance of the outsourcing providerG .

      Added: December 2018

    • GR-11.1.15

      Termination under any other circumstances allowed under the outsourcing agreement must give licenseesG a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.

      Added: December 2018

    • GR-11.1.16

      In the event of termination, for whatever reason, the agreement must provide for the return of all customer data — where required by licenseesG — or destruction of the records.

      Added: December 2018

Back to top