With less than a year until the UAE Central Bank's new outsourcing regulations come into full effect, UAE banks must act now to ensure their outsourcing agreements and internal policies are fully compliant by the deadline date.
The UAE's banking industry is one of the most dynamic in the MENA region with new and existing players constantly developing novel ways to lower costs and improve efficiency in an increasingly competitive business environment. An important tool used by UAE banks in recent years has been the deployment of outsourcing arrangements to generate time and cost-saving efficiencies across a range of key business functions such as compliance, people management and customer relations.
But with new rewards come new risks. The involvement of outsourcing service providers in the delivery of banking functions introduces a new potential point of failure for perils such as data breaches, cyber-attacks and regulatory non-compliance. In direct response to these risks, the Central Bank of the United Arab Emirates (CBUAE) last year issued Circular No. 14/2021 (the Regulations) which introduced higher standards in relation the how UAE banks go about outsourcing their business functions.
At a very high level, some of the key requirements introduced by the Regulations are summarised below:
- Governance: One of the fundamental principles underpinning the Regulations is that banks remain fully responsible for any outsourced activities. As such, banks are required to have a comprehensive risk governance framework which specifically addresses the risks that may arise when a business activity is outsourced and includes within its scope, any outsourced business activities. Any banks providing Islamic banking services must ensure that their outsourcing service providers comply with Shari'ah rules and regulations.
- Data Security: Banks must ensure that their outsourcing agreements provide for at least the same degree of data protection that would apply if they performed the outsourced activity themselves, i.e. the collection, use and storage of any data under any outsourcing agreement must be fully compliant with the latest UAE data protection laws (regardless of the location of the service provider). Banks must also retain full ownership and access rights in relation to any the data they share with their outsourcing service providers. Additionally, confidential data relating to the bank's core functions must, as a general rule, be stored within the UAE.
- Reporting and compliance: Banks must maintain a comprehensive register of all outsourcing arrangements and all outsourced activities must remain within scope of the relevant bank's internal audit and compliance regime. Any proposed outsourcing of a 'material business activity' will be subject to the obtaining of a 'non-objection' from the CBUAE and banks are required to regularly report on their outsourcing arrangements to the CBUAE.
Some practical steps UAE banks can take to ensure compliance include:
- Reviewing their current governance and data protection policies to ensure that they are in line with the Regulations and providing adequate training to relevant staff to raise awareness and develop good practice;
- Reviewing all existing outsourcing contracts in light of the Regulations. This may include identifying non-compliant contracts and to the extent necessary either (i) triggering any change of law provisions that grant automatic variation rights; or (ii) engaging outsourcing service providers to renegotiate existing contracts;
- Updating any template outsourcing agreements used by the bank to ensure that all future outsourcing transactions comply with the Regulations; and
- Ensuring that the bank's procurement teams are up to date with the Regulations and are making sure that compliance capabilities are one the key pre-requisites for the appointment of any prospective outsourcing service providers.
In addition to its impact on UAE Banks, the Regulations will likely have an equally significant impact on outsourcing service providers. These service providers will need to ensure they are capable of complying with the increased responsibility that will be flowed down to them, and may consider raising their prices to reflect the increased risk and liability that they will now be expected to take on once the Regulations are in full force.
Please do not hesitate to contact us if you would like further information about the new regulatory framework and its potential impact on your business, or need assistance with updating or renegotiating your existing policies or outsourcing arrangements.