BSP okays new outsourcing/IT risk rules


The Monetary Board of the Bangko Sentral ng Pilipinas (BSP) has released the revised circular on the outsourcing and IT risk management of banks and non-banks, with a preference for the use of the supervisory assessment framework (SAFr) and more frequent risk assessments.

The amended rules under Circular No. 1137, which was signed by BSP Governor Benjamin E. Diokno last Feb. 18, included more periodic assessment of “exposure to risk of confidentiality” on a contract-specific and institution-wide level for the management of outsourcing-related risks.

In specifying the types of outsourcing that banks and non-banks will arrange, the BSP said guidelines and requirements for third-party service providers will be allowed when a bank acts as the service provider. Intragroup outsourcing and offshore outsourcing were already in the previous guidelines and requirements.

Based on the new circular, a bank acting as a service provider “may enter into an outsourcing agreement outside its business group provided that the bank delivering the outsourced service shall adhere to the guidelines on outsourcing as well as relevant laws and pertinent Bangko Sentral rules and regulations”. A bank may also render services to its own depositors on account of the bank acting as the depository institution, according to the circular.

There were also changes in the material outsourcing arrangements in that the BSP will no longer need other BSP department approval nor would it need to approve a bank’s outsourcing arrangements based on its ability to manage risks. This applies to the following: new outsourcing arrangements; changes in existing material outsourcing arrangements that have significant impact on the delivery of outsourcing services; and changes in existing outsourcing arrangements resulting in the reclassification of the arrangements as material such as, but not limited to, those affecting the nature, scope, and complexity of systems and processes.

The amendments also addressed governance and management of outsourcing risks, compliance with BSP regulations, legal issues, due diligence, security and privacy, and business continuity planning.

As for the SAFr, which the BSP has been using to assess its supervised financial institutions since 2020, it replaced the various rating systems of the BSP, including the CAMELS (Capital adequacy, Asset quality, Management, Earnings, Liquidity, and Sensitivity) and ROCA (Risk management, Operational controls, Compliance and Asset quality) rating systems. But Diokno said in the circular memo that the CAMELS rating will still be accepted for those applying for authority to outsource, provided the rating is at least “3”.

In February last year, the BSP, after adopting the SAFr, integrated its Money Laundering/Terrorist Financing Risk Assessment System (MRAS) into the SAFr to have more teeth in fighting against illegal or dirty money.

The MRAS is BSP’s primary tool for anti-money laundering/countering the financing of terrorism supervision.