BackText onlyPrint

You need the Flash plugin.

Download Macromedia Flash Player



Location: Central Bank of Bahrain Volume 4—Investment Business > Part A > Business Standards > RM Risk Management > Chapter RM-7 Outsourcing Risk > RM-7.1 Outsourcing Risk > RM-7.1.1
  • RM-7.1 Outsourcing Risk

    • RM-7.1.1

      Investment firm licenseesG must identify all material outsourcing contracts and ensure that the risks associated with such contracts are adequately controlled. In particular, investment firm licenseesG must comply with the specific requirements set out in this Chapter.

      Adopted: July 2007

    • RM-7.1.2

      OutsourcingG means an arrangement whereby a third party performs on behalf of a licenseeG an activity that was previously undertaken by the licenseeG itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licenseeG ). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

      Amended: October 2017
      Adopted: July 2007

    • RM-7.1.3

      For purposes of RM-7.1.1, a contract is 'material' where, if it failed in any way, it would pose significant risks to the on-going operations of a licenseeG , its reputation and/or the quality of service provided to its clientsG . For instance, the outsourcing of all or a substantial part of functions such as customer sales and relationship management, settlements and processing, IT and data processing and financial control, would normally be considered "material". Management should carefully consider whether a proposed outsourcing arrangement falls under this Module's definition of "material". If in doubt, management should consult with the CBB.

      Adopted: July 2007

    • RM-7.1.3A

      For outsourcing services that are not considered material outsourcing arrangements, licenses must submit a written notification to the CBB before committing to the new outsourcing arrangement.

      Added: October 2017

    • RM-7.1.4

      Investment firm licenseesG must retain ultimate responsibility for functions or activities that are outsourced. In particular, licenseesG must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.

      Adopted: July 2007

    • RM-7.1.5

      Investment firm licenseesG must not contract out their regulatory obligations and must take reasonable care to supervise the discharge of outsourced functions, if any.

      Adopted: July 2007

    • Supervisory Approach

      • RM-7.1.6

        Investment firm licenseesG must seek the CBB's prior written approval before committing to a new material outsourcing arrangement.

        Amended: October 2017
        Amended: July 2008
        Adopted: July 2007

      • RM-7.1.7

        Investment firm licenseesG may not outsource their core business function or activities to third parties.

        Adopted: July 2010

      • RM-7.1.8

        The prior approval request in RM-7.1.6 must:

        (a) Be made in writing to the licensee's normal supervisory contact; and
        (b) Contain sufficient detail to demonstrate that relevant issues raised in this Chapter have been addressed; and
        (c) Be made at least 6 weeks before the licenseeG intends to commit to the arrangement.
        Amended: July 2010
        Amended: July 2008
        Adopted: July 2007

      • RM-7.1.9

        The CBB will review the information provided and provide a definitive response within a reasonable period of time of receiving the request for approval referred to in Paragraph RM-7.1.8. The CBB may also contact home or host supervisors to seek their comments — in such cases, the period of time is also subject to the speed of their response.

        Amended: October 2017
        Amended: January 2016
        Amended: July 2013
        Amended: July 2010
        Adopted: July 2007

      • RM-7.1.9A

        The CBB's approach to approving requests for outsourcing arrangements will also consider whether the investment firm licenseeG has engaged in considerable outsourcing of its activities, a practice which the CBB does not favour.

        Added: July 2013

      • RM-7.1.10

        Once an activity has been outsourced, a licenseeG must continue to monitor the associated risks and the effectiveness of its mitigating controls.

        Amended: July 2010
        Adopted: July 2007

      • RM-7.1.11

        Investment firm licenseesG must immediately inform their normal supervisory contact at the CBB of any material problems encountered with an outsourcing provider. The CBB may direct the investment firm licenseeG to make alternative arrangements for the outsourced activity.

        Amended: October 2017
        Amended: July 2010
        Adopted: July 2007

      • RM-7.1.11A

        The CBB reserves the right to require a licensee to terminate or make alternative outsourcing arrangements if, among other reasons, the confidentiality of its customer information was, or is likely to be, breached or the ability of the CBB to carry out its supervisory functions in view of the outsourcing arrangement cannot be assured or executed.

        Added: October 2017

      • RM-7.1.12

        The CBB requires ongoing access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.

        Amended: July 2010
        Adopted: July 2007

    • Risk Assessment

      • RM-7.1.13

        Investment firm licenseesG must undertake a thorough risk assessment of an outsourcing proposal, before formally notifying the submitting the request for approval to CBB and committing itself to an agreement.

        Amended: October 2017
        Amended: July 2010
        Adopted: July 2007

      • RM-7.1.14

        Before entering into, or significantly changing, an outsourcing arrangement, a licenseeG should:

        (a) Analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
        (b) Consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
        (c) Conduct appropriate due diligence of the service provider's financial stability and expertise;
        (d) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract);
        (e) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms; and
        (f) Analyse the outsourcing provider's financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards and the associated country risk.
        Amended: October 2017
        Amended: July 2010
        Adopted: July 2007

      • RM-7.1.15

        In negotiating its contract with a service provider, a licenseeG should have regard to:

        (a) Reporting or notification requirements it may wish to impose on the service provider;
        (b) Whether sufficient access will be available to its internal auditors, external auditors and to the CBB;
        (c) Information ownership rights, confidentiality agreements and Chinese walls to protect clientG and other information (including arrangements at the termination of the contract);
        (d) The adequacy of any guarantees and indemnities;
        (e) The extent to which the service provider must comply with the licensee'sG policies and procedures (covering, for example, information security);
        (f) The extent to which a service provider will provide business continuity for outsourcing operations, and whether exclusive access to its resources is agreed;
        (g) The need for continued availability of software following difficulty at a third party supplier; and
        (h) The processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the licenseeG or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
        (i) A change of ownership or control (including insolvency or receivership) of the service provider or firm;
        (ii) Significant change in the business operations (including sub-contracting) of the service provider or firm; or
        (iii) Inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.
        Amended: July 2010
        Adopted: July 2007

      • RM-7.1.16

        Investment firm licenseesG must maintain and regularly review contingency plans to enable them to set up alternative arrangements — with minimum disruption to business — should the outsourcing contract be suddenly terminated or the outsourcing provider fail. This may involve the identification of alternative outsourcing providers or the provision of the service in-house. These plans should consider how long the transition would take and what interim arrangements would apply.

        Amended: July 2010
        Adopted: July 2007

      • RM-7.1.17

        A licenseeG must nominate a relevant approved personG within the licenseeG to handle the responsibility of the day-to-day relationship with the outsourcing provider and to ensure that relevant risks are addressed. The CBB should be informed of the designated individual as part of the written prior approval required under Rule RM-7.1.6. Any subsequent replacement of such person must also be notified to the CBB.

        Amended: October 2017
        Amended: July 2010
        Amended: October 2009
        Amended: July 2008
        Adopted: July 2007

      • RM-7.1.18

        All material outsourcing arrangements by an investment firm licenseeG must be the subject of a legally enforceable contract. Where the outsourcing provider interacts directly with a licensee'sG customers, the contract must — where relevant — reflect the licensee'sG own standards regarding clientG care. Once an outsourcing agreement has been entered into, licenseesG must regularly review the suitability of the outsourcing provider and the on-going impact of the agreement on their risk profile and systems and controls framework.

        Amended: July 2010
        Adopted: July 2007

Back to top