Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.
Find out moreThis Edition of Law Update, From Africa to Asia: Legal Narratives of Change and Continuity, takes you on a journey through dynamic markets.
Africa is undergoing a tech-driven transformation, overcoming regulatory challenges while its startup ecosystem thrives. India’s legal framework is evolving rapidly, keeping pace with its expanding economy and diverse business environment.
We also dive into China’s regulatory shifts, particularly how they are shaping investments in the MENA region, and explore Korea’s innovative global partnerships, which are driving advancements in industries across the UAE and beyond.
Read NowMartin Hayward - Head of Digital & Data - Digital & Data
With the announcement by the UAE Central Bank (“UAECB”) of its new Outsourcing Regulations for Banks and accompanying Standards (Circular 14/2021 dated 31/05/2021, (together the “Regulations”), banks will need to take a closer and more detailed look at their outsourcing arrangements.
The Regulations cover all forms of outsourcing from business process (BPO) outsourcing of functions like HR or payroll to IT outsourcing. The definition of “outsourcing” is very broad (covering both external and intra-bank arrangements): “an agreement with another party either within or outside the UAE, including a party related to the bank, to perform on a continuing basis an activity which currently is, or could be, undertaken by the bank itself.
As a technology lawyer, the impact of the Regulations on IT outsourcing at a time of accelerating bank digitalisation and the growth of fintech offerings that enable banks to rapidly roll-out outsourced technology, usually cloud based, to deliver key bank functions (including compliance requirements) is especially interesting. We are at the start of a Middle East digital banking journey with challenger banks coming online. At a time when the regional banking market is combating significant disruption, these new regulations across the region are both timely and challenging as banks seek to balance the adoption of new technologies with increasing regulatory requirements. As the UAECB states in the Regulations: “A key principle underpinning this Regulation is that a bank’s outsourcing arrangements should not impair the bank’s ability to fulfil its obligations to customers and to the Central Bank . . . .” The need for proactive, comprehensive, risk management has never been greater.
The approach banks are taking to outsourcing is also changing, based on the greater access to new, disruptive, technologies. Where, previously, a bank would contract with a prime IT contractor who would take full responsibility for the delivery of a complete, “turnkey” outsourced solution, banks are now contracting with multiple technology vendors to cover multiple requirements. Banks will often contract with a systems integrator to integrate all these various technology deliverables. Banks will need to consider if the adoption of any new technology will constitute the outsourcing of a particular bank function and, if so, whether this would be considered material, or simply the technological enablement of a particular bank function with the bank retaining control of the function’s operation.
It is important to note that these Regulations are not introducing completely new concepts. The UAECB ‘s Regulations and Standards covering Risk Management and Operational Risk Management (Risk Management Regulations) have long been in place and the new Regulations need to be read in conjunction with these regulations. It also follows the recent issuance of the UAECB Consumer Protection Regulations and Standards. [ link to ATCO article ] It should also be noted that the financial freezones, Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) have similar regulatory requirements in place. The Regulations apply to all banks in the UAE (excluding the DIFC and ADGM). For UAE banks, the Regulations apply group-wide and cover international subsidiaries and affiliates.
The Regulations cover all parts of the outsourcing lifecycle, from identifying the right outsourcing service provider, to contracting with them, maintaining a risk management and governance process throughout the outsourcing period and then managing any exit or migration away from the outsourcing service provider. Key functions of the bank from procurement through legal and compliance to internal audit need to be involved in the process in addition to the operational teams managing the day-to-day engagement with the outsourcing service provider.
Bank procurement processes need to build in the Regulations’ requirements. Procurement policies need to cover the procurement aspects in the Regulations. An appropriate and documented due diligence review process is required to ensure that the selected outsourcing service provider can meet the bank’s requirements (including the outsourcing service provider financial capacity requirements). This may be particularly challenging as banks look to the fintech start-up ecosystem for new products and technologies. Procurement teams also need to guard against vendor lock-in in their choice of outsourcing service provider and also continuously monitor the aggregate outsourcing risk the bank is taking on.
The Regulations emphasize that banks remain fully responsible for the risks arising from any process or activity they outsource and for ensuring that they remain compliant with all relevant laws and regulations applicable to their outsourced activities. As a result, banks need the following:
The recent UAECB Consumer Protection Regulations and Standards dealt, in detail, with data protection. The Regulations reiterate the need for banks to continue to meet their legal and regulatory obligations in relation to the management and processing of data, even when outsourced. The key issues for banks include:
With data often held in cloud storage and banks adopting new and emerging technologies, such as blockchain and artificial intelligence, banks need to carefully analyse whether they can continue to meet their regulatory requirements in relation to data. The banks’ contracts with outsourcing service providers will need to include detailed provisions covering these requirements (see below).
It is mandatory for banks to have formal written outsourcing arrangements in place with outsourcing service providers that are robust and detailed. The Regulations set out the required minimum content of these outsourcing arrangements. The scope of the outsourcing and the respective rights and responsibilities of the parties need to be clearly set out in addition to pricing and fee structure, performance requirements, dispute resolution governance, reporting and monitoring. Term, termination, liability and insurance provisions need careful attention.
In particular, these outsourcing arrangements need to cover the following:
The Regulations place certain limitations on outsourcing outside the UAE. These include:
Banks need to think carefully before outsourcing outside the UAE with the additional requirements to manage operational, legal and reputational risk and put in place policies and procedures to manage (and mitigate) these risks. Banks also need to fully understand how the technologies they are using use and transfer data, what data is involved and in what form (e.g. anonymised, encrypted, etc.) and where it goes.
The Regulation introduces new reporting requirements for banks. These include:
Banks will need to ensure that they have processes and procedures established to meet these reporting requirements and that these reporting requirements are covered in their contracts with its outsourcing service providers to ensure that theycan extract the right data in the right format to meet their regulatory requirements.
Violations of the Regulations can trigger supervisory action and/ administrative and financial sanctions by the UAECB. The UAECB can also require a bank to terminate an outsourcing arrangement where the arrangement is found to be no longer compliant with the Regulations or presents undue risks to the bank, the security of Confidential Data or the UAE financial system. Banks need to cover this in their termination provisions with their outsourcing service providers in addition to flowing the financial risk of supervisory action and sanctions down to outsourcing service providers.
Any outsourcing activities by banks offering Islamic financial services need to ensure that Shari’iah rules and principles are observed.
All outsourcing arrangements concluded or renewed after this Regulation came into force on 14 July 2021 (one month after being published in the Official Gazette) must comply fully with these regulations. All outsourcing agreements concluded prior to the Regulations coming into force must be amended so that they fully comply with the Regulations by 31 December 2023. For existing outsourcing agreements, banks should be engaging as soon as possible with their outsourcing service providers to socialise the new Regulations and start the discussion on any required amendments to their outsourcing arrangements.
Al Tamimi’s Digital & Data team regularly advises UAE financial services clients on technology, data protection and cybersecurity matters. For more information on how we can help, please contact Martin Hayward.
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.