New outsourcing rules for UAE Banks

The UAE Central Bank has issued a new set of rules to regulate the outsourcing of services by UAE financial institutions. The Outsourcing Regulation and Standards are applicable to licensed UAE banks when entering into outsourcing arrangements to ensure that inherent risks are appropriately managed. In this article, we consider the new rules, how they will be enforced and what this means for financial institutions in the UAE.

Background

The Outsourcing Regulation for Banks (Regulation) and the Outsourcing Standards for Banks (Standards) have been introduced by the UAE Central Bank (CBUAE) as part of the regulator’s efforts to align with international best practices for material outsourcing in the banking sector. The stated objective of the Regulation is to establish the minimum acceptable standards to managing the risks associated with outsourcing with a view to ensuring the soundness, and contributing to the financial stability, of UAE banks. The accompanying Standards set out the supervisory expectations of CBUAE.

The Regulation and Standards are to be read in conjunction with CBUAE’s existing regulations and standards on risk management and operational risk management.

Key things to know

The scope of the obligations of the Regulation and the Standards include enhanced governance and reporting requirements, minimum requirements for outsourcing agreements, detailed data protection compliance obligations and restrictions on offshoring (i.e. outsourcing outside the UAE). There is also a more formalised process for obtaining regulatory approval in the form of a notice of no objection from CBUAE prior to outsourcing material business activities.

Highlights include:

• Enhanced governance framework: Banks must implement internal policies, procedures and a risk governance framework that addresses both the outsourcing arrangement and internal management. Banks that offer Islamic financial services must ensure that its outsourcing policies and arrangements are consistent with Shari’ah rules and principles, including specifically considering the operational and reputational risks of a service provider’s failure to adhere to the Shari’ah rules and principles.

• Outsourcing register: Banks must maintain and update a comprehensive register of all material and non-material outsourcing arrangements on a solo and group-wide basis. The register must include, as a minimum, details of the service provider and the outsourced arrangement and whether “confidential data” is involved (i.e. account or other data relating to an identified or identifiable bank customer).

• Reporting: Banks must establish internal reporting by the compliance and audit functions on service provider’s compliance and the bank’s compliance with (and the effectiveness of) its outsourcing policies and procedures. There are also requirements on the bank to report to the CBUAE and to immediately notify any material breach of the terms of an outsourcing agreement, or other event that has, or is likely to have, a significant impact on the bank’s operations, reputation or financial condition.

• Outsourcing agreements: Banks must ensure that all outsourcing arrangements are governed by formal contracts with service providers. The minimum provisions required to be covered in outsourcing agreements include various commercial details, governance requirements (including business continuity and disaster recovery management), termination and risk allocation provisions, regulatory compliance, and data ownership and access. Importantly, the contract must ensure that the bank retains full ownership of data shared with the service provider, that customers retain full ownership of their data, and that CBUAE can access this data upon request.

• Data protection: When outsourcing, banks must ensure compliance with all applicable UAE legislation and regulations in managing and processing data (see also our recent update on CBUAE’s new Financial Consumer Protection Regulatory Framework, which includes substantial data protection obligations). Banks must establish adequate policies and procedures, and take all necessary steps to ensure data integrity, confidentiality and accessibility.

• Offshore outsourcing: The Regulation provides significant restrictions and obligations when outsourcing outside the UAE, particularly in relation to the requirement to localise data (including confidential data) within the UAE. The offshoring restrictions and obligations include a requirement to continuously maintain and store within the UAE a “master system of record” comprising a collection of all data (including confidential data) required to conduct the bank’s core activities. Subject to CBUAE approval, branches of foreign banks are permitted to retain a copy of the master system of record, updated on at least a daily basis, within the UAE. Further, a bank’s confidential data must not be shared outside the UAE without CBUAE approval and obtaining prior written consent from the customer, including for circumstances where confidential data may be accessed under legal proceedings outside the UAE. There are restrictions on outsourcing that involves sharing confidential data with service providers domiciled in a jurisdiction that cannot provide the same level of safeguarding that would apply if the data was kept in the UAE or where bank secrecy or other laws restrict or limit access to data necessary for supervisory purposes.

Enforcement

Any violation of the Regulation and Standards may be subject to supervisory action and sanction as deemed appropriate by CBUAE. These may include withdrawing, replacing or restricting the powers of the bank’s senior management or board members, providing for the interim management of the bank, imposition of fines or barring individuals from the UAE banking sector.

In addition, CBUAE may require a bank to terminate an outsourcing arrangement:

• when the arrangement is not or no longer in compliance with the Regulation; or

• where the outsourcing presents undue risks to the soundness of the bank, the security of confidential data or the financial system.

When do the new rules take effect?

The Regulation and Standards took effect on 15 July 2021, being one month from the date of publication in Official Gazette No. 704, and apply:

• to all UAE banks, including subsidiaries, affiliates and international branches;

• on a solo and group-wide basis;

• to all new and renewed outsourcing arrangements after the effective date; and

• to all outsourcing agreements concluded before the effective date but subject to a grace period expiring on 31 December 2023.

How to get ready

Given that the Regulation and the Standards are now in effect, Banks should consider taking steps to address each of the actions in the following checklist:

Our leading outsourcing, data privacy and regulatory teams can support you with complying with the Regulation and the Standards. We have extensive experience in helping banks to develop and implement compliance frameworks, as well as advising on large-scale outsourcing projects.

Please contact the authors for further information.