Title: BSP Rules on Banking Function Outsourcing
Law: BSP Circular No. 268
Decision Date: Dec 5, 2000
BSP Circular No. 268 establishes regulations for banks on outsourcing banking functions, emphasizing compliance with requirements on data integrity and supervisory authority, and prohibiting the outsourcing of inherent banking and management functions without prior approval from the Monetary Board.

Questions (BSP CIRCULAR NO. 268)

It is issued pursuant to Monetary Board Resolution No. 2076 dated November 24, 2000, to implement Section 55.1(e) of R.A. No. 8791 (General Banking Law of 2000).

Banks must (1) ensure outsourcing is done according to proper standards and maintain integrity of the bank’s data, systems, and controls under BSP supervision; (2) remain responsible for performance to the same extent as before outsourcing; (3) ensure compliance with laws and regulations governing the outsourced banking services (e.g., record keeping, reports, signing authorities, internal controls, clearing rules); and (4) continuously manage, monitor, and review the service provider’s performance.

No bank, director, officer, employee, or agent may outsource inherent banking functions. It refers to any contract where the service provider supplies manpower to service the deposit transactions of the bank, or supplies such inherent banking functions.

No. Section 2.2 states banks cannot outsource management functions except when authorized by the Monetary Board when circumstances justify it.

Subject to prior approval of the Monetary Board, banks may outsource IT systems and processes, except for functions expressly excluded under Section 3.1.

The circular lists examples including: strategic planning for IT use; determination of system functionalities; change management (including quality assurance and testing); service level and contract management; and security policy and administration.

Yes, but only for assistance/support to bank personnel assigned to perform those functions. This is subject to prior approval of the Monetary Board and submission of required documentary requirements under Section 3.2.

It must submit: (1) the proposed contract (with minimum required clauses); (2) minutes of the Board meeting signed and attested as specified, documenting specified board discussions; and (3) a profile of the selected service provider/non-bank partner including financial/operational info, track record, clientele list, and optionally other proof of competence and reputation.

Examples include: complete description of work; fee structure; provisions for online communication availability, transmission line security, and transaction authentication; responsibilities for hardware/software/infrastructure upgrades; provisions on amendment and pretermination; mandatory notification of systems changes affecting the bank; details of security procedures and standards; accountability/fines/penalties for errors/omissions/frauds; confidentiality clause including solidary liability and actions/penalties for disclosure; segregation of the bank’s data; disaster recovery/business continuity; ownership/maintenance of source code and documentation; access for auditors and BSP; corrective measures for BSP/internal/external audit findings; and remedies if the provider changes ownership/insolvency/receivership.

To protect bank secrecy and confidential information. The circular explicitly requires solidary liability for any violation of R.A. No. 1405 (Bank Deposits Secrecy Law), and provides for penalties and the bank’s remedies for breach or disclosure.

The minutes must cover: (a) benefits/advantages of outsourcing toward strategic and business plans and improving economy, efficiency, and quality; (b) careful and diligent evaluation of providers’ proposals and qualifications; (c) creation of a senior management oversight committee with roles and responsibilities; (d) creation of a help desk; and (e) systems and user acceptance tests before full implementation and that unsatisfactory results allow rescission.

The oversight committee ensures efficient implementation and continuous monitoring aligned with the bank’s IT initiatives/policies/guidelines; the help desk resolves queries and concerns regarding the outsourced applications/operations.

Examples include: data imaging, storage, retrieval and related systems; clearing and processing of checks not included in the Philippine Clearing House System; printing of bank deposit statements; and other activities determined by the Monetary Board.

Examples include: credit card services; printing of bank loan statements and other non-deposit records and promotional materials; credit investigation and collection; processing export/import and other trading transactions; transfer agent services for debt and equity securities; property appraisal and property management; messenger/courier/postal services; security guard services; vehicle service contracts; janitorial services; and other activities determined by the Monetary Board.

Banks may enter outsourcing contracts only with service providers with demonstrable technical and financial capability commensurate to the services to be rendered.

They must submit a list of all existing outsourcing contracts detailing services/activities outsourced, contract terms, measures to ensure bank deposit secrecy/confidentiality, and other information needed to show compliance. For contracts not compliant, banks may preterminate, renegotiate/remedy and submit amendments/new contracts to BSP, or submit a compliance program to BSP.

Violations are subject to Sections 34, 35, 36, and 37 of R.A. No. 7653 (New Central Bank Act). Additionally, if the offender is a director/officer of the bank, the Monetary Board may suspend or remove such director/officer.

