The Outsourcing Regulations for Banks in UAE

Updated On : October 2021

The CBUAE issued the Outsourcing Regulation for Banks (Regulation) and the Outsourcing Standards for Banks (Standards) as part of an ongoing effort to introduce strong regulatory frameworks which will take care of the UAE’s banking sector. The Regulation and Standards came into effect from 15 July 2021, one month from the date of publication in the Government Gazette.

As an effort to align with international best practices for material outsourcing in the banking sector and prevent potential threats, the Central Bank UAE (CBUAE) introduced a new outsourcing regulation and accompanying Standards for licenced banks operating in the UAE. The objective of the Outsourcing Regulations is to ensure that banks manage risks efficiently without compromising on their financial stability while outsourcing certain functions. This includes mandatory recordings of board-approved policies and procedures for outsourcing activities in the governance framework of banks. The accompanying Standards state the supervisory expectations of the Central Bank.

The regulation came into effect one month after the date of publication in the Government Gazette. The new Regulations and Standards have to be read together with the existing regulations and standards of the CBUAE on operational risk management. Its primary focus is on -

• Risk management – Under the regulation, all banks in the UAE must obtain a notice of no objection from CBUAE before outsourcing any activity.
• Consumer protection – The regulation states that the outsourcing arrangements of a bank should not impair its ability to meet its obligations to consumers and CBUAE, nor should it interfere with the supervisory provisions of CBUAE.Banks must ensure that confidential data of consumers is not shared outside the UAE without the prior consent of both the CBUAE and the consumer concerned.

The new Regulations apply to all banks in the UAE, including subsidiaries, affiliates and international branches, to all new and renewed outsourcing arrangements after the effective date, and to all outsourcing agreements concluded before the effective date but subject to a grace period till 31 December 2023.

Decoding the new Regulations

Key highlights

• Enhanced governance framework: Allbanks have to mandatorily implement internal policies, procedures and a risk management framework to take care of the outsourcing arrangement and internal management. Banks offering Islamic financial services must ensure compliance to Shari’ah rules and principles, and consider the operational and reputational risks if a service provider fails to adhere to them.
• Outsourcing register: Banks need to maintain an updated comprehensive register of all material and non-material outsourcing arrangements on a single and group-wide basis. The register has to include details of the service provider, the outsourced arrangement and if any “confidential customer data” is involved.
• Reporting requirements: Banks must create an internal reporting system of compliance and audit functions to check on the service provider’s compliance and the bank’s compliance with its outsourcing policies and procedures. If there is a material breach of the agreementor other events that has or may have an impact on the bank’s operations, reputation or financial stability, the CBUAE must be immediately notified.
• Outsourcing agreements: Banks have to ensure that outsourcing arrangements are governed by formal contracts, Minimum requirements of various commercial details, governance requirements, termination and risk allocation provisions, regulatory compliance, and data ownership and access, must be included in the contract. The contract must, most importantly, ensure that the bank has full ownership of data shared with the service provider, with customers retaining ownership of their data, and accessibility by CBUAE upon request.
• Data protection: When outsourcing, banks must ensure compliance with all applicable UAE legislation and regulations in managing and processing data including data protection obligations. Banks must establish suitable policies and procedures to ensure data integrity, confidentiality and accessibility.
• Outsourcing outside the UAE: When outsourcing outside the UAE,the Regulation provides important restrictions and obligations, including the necessity to continuously maintain and store within the UAE. a master system of record which will contain all data required to conduct the bank’s core activities. With the approval of the CBUAE, branches of foreign banks are allowed to retain a copy of the master system of record, updated on a daily basis, within the UAE.

Additionally, a bank’s confidential data cannot be shared outside the UAE without the approval of the CBUAE and prior written consent of the customer. This also includes circumstances where confidential data may need to be accessed for legal proceedings outside the UAE. The Regulation restricts outsourcing that involves sharing confidential data with service providers based in a jurisdiction that cannot provide the same degree of protection that will apply if the bank performed the outsourced activity themselves, or where bank secrecy or other laws restrict or limit access to data needed for supervisory purposes.

In case of Violation of Regulations

Violating the Regulation and Standards could lead to supervisory action and sanction, including -

• Withdrawing, replacing or restricting the powers of the bank’s senior management or board members
• Providing for the bank’s interim management
• Imposition of fines
• Excluding individuals from the UAE banking sector

CBUAE may also require a bank to terminate an outsourcing arrangement

• If the arrangement is not in compliance or no longer in compliance with the Regulation
• If outsourcing poses a risk to the bank’s soundness, confidential data or the financial system’s security