CIRCULAR NO. 268
Series of 2000
Pursuant to Monetary Board Resolution No. 2076 dated November 24, 2000, the following rules and regulations are hereby issued to implement Section 55.1(e) of Republic Act (R.A.) No. 8791, the General Banking Law of 2000.
Section 1. Duties and Responsibilities of Banks and their Directors/Officers in All Cases of Outsourcing of Banking Functions. When outsourcing of banking functions is allowed by law and under this circular, all banks concerned shall:
(1) carry out the same in accordance with proper standards, ensuring the integrity of the data, systems and controls of the banks and subject to the supervisory, regulatory and administrative authority of the Bangko Sentral ng Pilipinas (BSP) over the banks and their directors/officers;
(2) be responsible for the performance thereof in the same manner and to the same extent as it was before the outsourcing;
(3) comply with all laws and regulations governing the banking activities/services performed by the qualified service providers in its behalf such as but not limited to keeping of records and preparation of reports, signing authorities, internal control and clearing regulations; and
(4) manage, monitor and review on an ongoing basis the performance by the qualified service providers of the outsourced banking activities/services.
Section 2. Prohibition Against Outsourcing Certain Banking Functions.
Section 2.1 No bank or any director, officer, employee, or agent thereof shall outsource inherent banking functions. For purposes of this circular, outsourcing of inherent banking functions shall refer to any contract between the bank and a service provider for the latter to supply, or any act whereby the latter supplies, the manpower to service the deposit transactions of the former.
Section 2.2 Banks cannot outsource management functions except as may be authorized by the Monetary Board when circumstances justify.
Section 3. Outsourcing of Information Technology Systems/Processes. Subject to prior approval of the Monetary Board, banks may outsource all information technology systems and processes except for functions excluded in Section 3.1.
Section 3.1 Certain functions affecting the ability of the bank to ensure the fit of technology services deployed to meet its strategic and business objectives and to comply with all pertinent banking laws and regulations, such as but not limited to strategic planning for the use of information technology; determination of system functionalities; change management inclusive of quality assurance and testing; service level and contract management; and security policy and administration, may not be outsourced. Subject to prior approval of the Monetary Board and submission of the same documentary requirements in Section 3.2 hereof, consultants and/or service providers may be engaged to provide assistance/support to the bank personnel assigned to perform such functions.
Section 3.2 A bank intending to outsource information technology systems and processes shall submit the following documents to BSP which shall treat the same as strictly confidential:
(1) Proposed contract between the bank and the service provider which should, at a minimum, include all the following:
- Complete description of the work to be performed or services to be provided;
- Fee structure;
- Provisions regarding on-line communication availability, transmission line security, and transaction authentication;
- Responsibilities regarding hardware, software and infrastructure upgrades;
- Provisions governing amendment and pretermination of contract;
- Mandatory notification by the service provider of all systems changes that will affect the bank;
- Details of all security procedures and standards;
- Responsibility, fines, penalties and accountability of the service provider for errors, omissions and frauds;
- Confidentiality clause covering all data and information; solidary liability of service provider and bank for any violation of R.A. No. 1405, the Bank Deposits Secrecy Law; actions that the bank may take against the service provider for breach of confidentiality or any form of disclosure of confidential information; and the applicable penalties;
- Segregation of the data of the bank from that of the service provider and its other clients;
- Disaster recovery/business continuity contingency plans and procedures;
- Adequate insurance for fidelity and fire liability;
- Ownership/maintenance of the computer hardware, software (program source code), user and system documentation, master and transaction data files;
- Guarantee that the service provider will provide necessary levels of transition assistance if the bank decides to convert to other service providers or other arrangements;
- Access to the financial information of the service provider;
- Access of internal and external auditors to information regarding the outsourced activities/services which they need to fulfill their respective responsibilities;
- Access of BSP to the operations of the service provider in order to review the same in relation to the outsourced activities/services;
- Provision which requires the service provider to immediately take the necessary corrective measures to satisfy the findings and recommendations of BSP examiners and those of the internal and/or external auditors of the bank and/or the service provider; and
- (Remedies for the bank in the event of change of ownership, assignment, attachment of assets, insolvency, or receivership of the service provider.
(2) Minutes of Meetings of the Board of Directors of the bank concerned signed by majority thereof, certified by the Secretary and attested by the President documenting their discussions on the following:
- The benefits and advantages of outsourcing with respect to, among others, its role and contribution to the accomplishment of the strategic and business plans of the bank as well as the economy, efficiency and quality of its over-all operations;
- The careful and diligent evaluation, prior to selecting the service provider with which it is entering into an outsourcing contract, by the bank of various service providers and their proposals, including their reputation, financial condition, cost for development, maintenance and support, internal controls, recovery processes, service level agreements, availability of competent, technically qualified and experienced personnel, strategic or convenient location of support services and such similar other considerations;
- The creation, organization and membership of a senior management oversight committee to handle and oversee the efficient implementation and monitoring of the applications/operations of the service provider to ensure that the same is in accordance with the existing information technology initiatives, policies and guidelines of the bank; the list of the members of such committee, its organizational chart, and a detailed description of the roles and responsibilities of its members must be included in the Minutes of the Meeting or submitted as attachments thereto;
- The creation, organization and membership of a help desk to resolve all queries, problems and other concerns arising from the applications/operations rendered by the service provider; and
- The systems and user acceptance tests that will be conducted by the service provider before full implementation of the outsourced systems/processes and the unsatisfactory results of which shall be valid ground to rescind the contract with the service provider.
(3) Profile of the selected service provider or the non-bank partner, in case of joint ventures and other similar arrangements, which should include:
- Most recent and complete financial and operational information;
- Track record;
- List of clientele, particularly banks and the services provided thereto by the service provider; and
- At the option of the service provider or non-bank partner, other documents demonstrative of its competence and reputation in the field of information technology as applied to banking operations.
Section 4. Outsourcing of Other Banking Functions.
Section 4.1 Subject to prior approval of the Monetary Board, banks may outsource data imaging, storage, retrieval and other related systems; clearing and processing of checks not included in the Philippine Clearing House System; printing of bank deposit statements; and such other activities as may be determined by the Monetary Board. The bank concerned must submit the same documentary requirements listed in Section 3.2 hereof, except where they exclusively pertain to information technology operations.
Section 4.2. Banks may outsource credit card services; printing of bank loan statements and other non-deposit records, bank forms and promotional materials; credit investigation and collection; processing of export, import and other trading transactions; transfer agent services for debt and equity securities; property appraisal; property management services; messenger, courier and postal services; security guard services; vehicle service contracts; janitorial services; and such other activities as may be determined by the Monetary Board.
Section 5. Service Providers. When allowed by law and under this circular, banks may enter into outsourcing contracts only with service providers with demonstrable technical and financial capability commensurate to the services to be rendered.
Section 6. Review of Subsisting Outsourcing Contracts. Within six (6) months from the effectivity of this circular:
(1) all banks should submit a list of all their existing contracts with service providers, detailing the:
- Services/activities being outsourced;
- Terms of the contracts;
- Measures, if any, undertaken by the bank and/or service provider to ensure the secrecy of bank deposits and confidentiality of all other data and information; and
- Such other information as may be necessary to show compliance with the pertinent provisions of this circular or be required by the Monetary Board; and
(2) for outsourcing contracts not in accordance with this circular, the following alternative courses of action are available to the bank concerned:
- preterminate said contracts;
- renegotiate or remedy the same to comply with this circular and submit the amendments thereto or new contracts to the BSP; or
- submit a program of compliance to the BSP.
Section 7. Penalties. Violation of this circular shall be subject to Sections 34, 35, 36 and 37 of R.A. No. 7653, the New Central Bank Act. If the offender is a director or officer or a bank, the Monetary Board may also suspend or remove such director or officer.
Section 8. Repeal of Section X169 of the Manual of Regulations for Banks (MORB). This circular supersedes the provisions of Section X169 of the MORB.
Section 9. Effectivity. This circular shall take effect immediately.
FOR THE MONETARY BOARD:
RAFAEL B. BUENAVENTURA
Download Signed Document