New Outsourcing Regulation for Banks Operating within the UAE
The UAE Central Bank has issued a new outsourcing regulation for UAE Banks to create minimum acceptable risk management standards for outsourcing arrangements.
Background
The Central Bank of the United Arab Emirates ("CBUAE") has issued a new outsourcing regulation for Banks operating within the United Arab Emirates. Central Bank Circular No. 14/2021 (the "Outsourcing Regulation") emerges against a backdrop of ongoing efforts by the CBUAE, and by regulators across highly regulated industries, to adopt minimum acceptable risk management standards for outsourcing arrangements, particularly when international service providers are engaged.
With the new Outsourcing Regulation, and the accompanying Outsourcing Standards for Banks 14/2021 (the "Outsourcing Standard"), the CBUAE makes explicit its objective to guarantee the soundness of UAE Banks and improve financial stability in the banking sector.
This is part of a global movement, as seen for example in the European Banking Authority's guidelines on outsourcing arrangements, of increased scrutiny of financial institutions' governance frameworks concerning outsourcing arrangements and the related supervisory expectations and processes.
Most notable provisions of the New Outsourcing Regime for Banks
Under the new regime, the CBUAE casts a wide net with a broad definition of "Outsourcing" which includes activities delegated to any "party related to the Bank". This phrasing necessarily creates ambiguity with respect to which entities will ultimately be designated as "related to the Bank". The risk here is that arrangements not previously internally classified as being "outsourced" will now need to be treated as such for the purpose of complying with the Outsourcing Regulation.
Risk management framework
As a result of the new regime, the internal audit and operational risk functions of UAE Banks can expect to be busy implementing various new policies, procedures and controls. In particular, Banks will need to create a comprehensive risk management framework that takes into account the additional risks that arise when business activities are outsourced. These include (i) operational risks, (ii) compliance risks, (iii) business continuity risks, and (iv) concentration risks, among others, each of which is explicitly referenced as a required component of the risk management framework in the Outsourcing Standard.
The Outsourcing Regulation explicitly provides that Banks will be responsible for ensuring that "outsourcing service providers maintain an appropriate level of information security, risk management and service delivery." As a result, Banks will need to reassess whether their current due diligence processes and standard form agreements (if any) provide them with the level of control necessary to meet this mandate, appreciating the heightened level of responsibility.
Outsourcing agreements
Perhaps one of the most significant features of the Outsourcing Regulation relates to the new minimum standards for outsourcing agreements. These include certain contractual terms that have become standard inclusions across the market, for example, the requirement that Banks retain full ownership of the data they share with outsourcing service providers. At the same time, however, the breadth of this new list of prescribed requirements for outsourcing agreements will seemingly take certain matters off the negotiation table and alter the power dynamics in such negotiations.
Data localisation
The Outsourcing Regulation provides that data required to conduct the core activities of the Bank must be maintained and stored within the UAE. Further, customers' confidential data must not be shared outside the UAE without the CBUAE's approval and the customers' consent. This raises two separate questions: first, how will approvals from the CBUAE be managed; and second, what form of consent from customers will be sufficient to satisfy this requirement. With respect to the former, the CBUAE may adopt the Dubai Financial Services Authority's (DFSA) approach to managing approvals requested by Authorised Market Institutions (AMIs) for material outsourcing arrangements, as required under the DFSA Rulebook for AMIs (the "Rulebook"). Under the Rulebook, AMIs seeking approval for an outsourcing arrangement may make submissions both before and after the decision (as appropriate). Where the DFSA denies approval, the applicant AMI may refer the matter to the Financial Markets Tribunal for review. As to the latter, if the CBUAE's objective is to give Banking customers greater control over cross-border transfers of their data by arming them with knowledge of their Bank's extra-territorial data transfer practices, then consent must be sought in a manner that requires the customer to expressly acknowledge and consent to international transfers. Without express consent as a requirement, Banks are likely to bury implied consent provisions in lengthy terms of use documents, in which case the CBUAE's efforts in this regard are likely to be of limited practical utility.
Unsurprisingly, the CBUAE borrows certain European Union law concepts for the new regime, in this case the notion of "adequacy decisions" for cross-border data transfers. The Outsourcing Regulation requires that Banks refrain from entering into outsourcing arrangements that involve sharing data with international service providers who cannot provide the same level of data protection safeguards required in the UAE. The concern is that the Outsourcing Regulation is silent on who will be responsible for assessing whether a given jurisdiction provides the same level of safeguards. Logically, we would expect the regulating authority to be responsible for developing a registry of approved jurisdictions for international data transfers, but we will have to wait for further developments for confirmation.
Final remarks
Over the coming months, we hope to see further releases from the CBUAE that resolve certain matters that remain open under the Outsourcing Regulation. In the interim, Banks will need to consider whether their current governance and risk management frameworks bring them into compliance with the new regime and identify what, if any, additional efforts will be required to comply. This will require particularly acute analysis given that many UAE Banks rely on outsourcing as a key part of their digital transformation.
This new enactment follows a trend in which highly regulated industries in the UAE, particularly those that involve the processing of consumer data, are receiving increased attention from regulators who are requiring stronger data protection practices, especially in relation to international data transfers. Most recently, the healthcare sector has seen a general prohibition on extra-territorial data transfers. See our previous note on the recent UAE Health Data Law. As with other regulators, the CBUAE must strike a delicate balance that allows collaboration with international service providers to develop innovative customer solutions and create efficiencies, while also safeguarding against the risks inherent in outsourcing arrangements, particularly as regards consumer data.