The move is in line with Principle 25 (Operational Risk and Operational Resilience) of the Basel Core Principles for Effective Supervision (BCP) issued by the Basel Committee for Banking Supervision (BCBS) in April 2024.

It entreats supervisors to require the board and senior management of RFIs to understand the risks associated with banking activities performed by service providers and ensure that effective  risk management policies and processes are in place to adequately manage any risks associated with outsourcing.

The RFIs are banks, Specialised Deposit-taking Institutions, Financial Holding Companies and Development Finance Institutions.

Directive

The central bank in a 50-page directive observed that in recent years, there has been an increasing tendency by RFIs, to outsource activities to reduce costs and improve efficiency.

It said empirical data indicates that outsourcing in the banking sector was initially limited to activities that did not pertain to institutions’ primary business, such as payroll processing.

“More recently, however, commonly outsourced activities have included information technology (IT), management services, accounting, audit and human resources, among others.

In the context of digitalisation and the increasing importance of IT and financial technologies (FinTech), RFIs are adapting their business models, processes and systems to embrace such technologies. IT has become one of the commonly outsourced activities in the banking sector,” it said.

Risks

Notwithstanding its benefits, BoG warned that outsourcing IT and data services presented information security risks and challenges to the governance framework of RFIs, in particular, to internal controls, as well as to data management and data protection.

“The BoG recognises that RFIs may have sound reasons to outsource functions, such as the ability to achieve economies of scale or to improve the quality of service to customers, or to improve the quality of risk management. 

“The main reasons for outsourcing are to reduce and control operating costs and to meet the challenges of technological innovation, increased specialisation, and heightened competition. RFIs have intensified the use of IT and FinTech solutions and have launched projects to improve their cost efficiency,” it said.

The directive also indicated that outsourcing of business activities could, however, increase the RFI’s dependence on service providers which may heighten its risk profile and jeopardise overall safety and soundness, particularly where material business activities, services or processes are outsourced to an unregulated third party or an overseas service provider.

Complexities

BoG also observed that outsourced services are also becoming increasingly complex and may increase an institution’s exposure to strategic, reputation, compliance, operational, country and concentration risks. 

Consequently, the BOG has issued this Directive to RFIs to ensure that they effectively manage the risks associated with outsourcing activities.

Assessment

“In view of the foregoing, the BoG will consider the impact of the outsourced services when conducting a risk assessment of an RFI. 

The assessment will include inter alia a determination of whether the outsourcing arrangement hampers in any way the RFI’s ability to meet its regulatory requirements,” the bank said.

The BoG, according to the directive which is published in full on its website, will consider the potential systemic risks posed where outsourced activities of multiple regulated entities are concentrated in a single or limited number of service providers. 

‘Empty shell’

The bank was emphatic when it stated that; “Outsourcing must not lead to a situation where an RFI becomes an ‘empty shell’ that lacks the substance to remain licensed. 

To this end, the board and senior management should ensure that sufficient resources are available to appropriately support and ensure the performance of their responsibilities, including overseeing the risks and managing the outsourcing arrangements.”