THE BANGKO SENTRAL ng Pilipinas (BSP) has set new limits on lenders’ outsourcing arrangements to avoid disruptions to operations.

The BSP in Circular No. 1137 made changes to the rules on outsourcing and information technology risk management.

The regulator said banks are not allowed to outsource “inherent” banking functions, including taking deposits from the public, granting loans, managing risk exposure, and general management.

Some banks have “material” outsourcing arrangements, which means that disruptions or data breaches in outsourcing certain activities could significantly impact bank operations, finances, reputation, customers, and law compliance.

Only banks with a Supervisory Assessment Framework (SAFr) of at least “3” are allowed to have material outsourcing without its approval.

Otherwise, banks will need BSP approval for new outsourcing arrangements or changes to such arrangements that would affect operations.

“Periodic assessments shall be conducted to ensure that outsourcing risks, both on a contract-specific level and on an institution-wide level, are managed vis-a-vis the impact to the overall operations,” the BSP said.

Banks choosing service providers are responsible for checking the providers’ reputation and technical capabilities, along with identifying potential risks from data transfers.

BSP-supervised financial institutions (BSFI) must ensure that all confidential and sensitive data exposed to technology service providers are protected, the central bank said. These providers must follow appropriate data handling rules.

“BSFIs shall ensure that all data being handled, processed and/or stored through an outsourcing arrangement are included in its data inventory and data classification process.” — J.P. Ibañez

RELATED ARTICLESMORE FROM AUTHOR