Title
BSP Rules on Banking Function Outsourcing
Law
Bsp Circular No. 268
Decision Date
Dec 5, 2000
BSP Circular No. 268 establishes regulations for banks on outsourcing banking functions, emphasizing the need for compliance with data integrity, supervisory authority, and prohibiting the outsourcing of inherent banking and management functions without prior approval from the Monetary Board.
outsourcing
banking functions
general banking

Legal basis and supersession

  • Republic Act No. 8791 provides the statutory basis through Section 55.1(e) for outsourcing rules for banking functions.
  • Section 7 ties penalties for violations to Sections 34, 35, 36 and 37 of Republic Act No. 7653 (New Central Bank Act).
  • Section 8 states that BSP Circular No. 268 supersedes Section X169 of the Manual of Regulations for Banks (MORB).
  • BSP Circular No. 268 does not require a separate transitory publication period because it takes effect immediately under Section 9.

Core duties and responsibilities

  • Section 1 requires that, when outsourcing is allowed by law and under BSP Circular No. 268, banks must ensure proper standards and maintain integrity of the bank’s data, systems and controls.
  • Banks must ensure outsourcing remains under the supervisory, regulatory and administrative authority of the BSP over the bank and its directors/officers (Section 1(1)).
  • Section 1 makes banks responsible for outsourced functions in the same manner and to the same extent as before outsourcing (Section 1(2)).
  • Banks must comply with all laws and regulations governing banking activities/services performed by qualified service providers on the bank’s behalf, including rules on keeping of records and preparation of reports, signing authorities, internal control, and clearing regulations (Section 1(3)).
  • Banks must manage, monitor and review on an ongoing basis the performance of qualified service providers for outsourced banking activities/services (Section 1(4)).

Prohibited outsourcing of banking functions

  • Section 2.1 prohibits any bank and any director, officer, employee, or agent from outsourcing inherent banking functions.
  • Section 2.1 defines outsourcing of inherent banking functions as any contract where a service provider supplies manpower to service the bank’s deposit transactions, or any act where the service provider supplies such manpower.
  • Section 2.2 prohibits banks from outsourcing management functions except when the Monetary Board authorizes outsourcing due to circumstances that justify it.

IT systems outsourcing rules

  • Section 3 permits banks, subject to prior approval of the Monetary Board, to outsource all information technology systems and processes, except functions excluded under Section 3.1.
  • Section 3.1 prohibits outsourcing specific functions affecting the bank’s ability to ensure technology fit with strategic and business objectives and compliance with banking laws and regulations.
  • Prohibited from outsourcing under Section 3.1 includes strategic planning for the use of information technology, determination of system functionalities, and change management including quality assurance and testing.
  • Section 3.1 also excludes from outsourcing service level and contract management, and security policy and administration.
  • Section 3.1 allows banks to engage consultants and/or service providers to provide assistance/support to bank personnel assigned to perform excluded functions, but only subject to prior approval of the Monetary Board and submission of the documentary requirements in Section 3.2.

Required BSP submissions for IT outsourcing

  • Section 3.2 requires a bank intending to outsource IT systems/processes to submit the required documents to the BSP, which must treat them as strictly confidential.
  • Section 3.2(1) requires submission of a proposed contract that must include, at minimum, the following elements:
    • A complete description of the work/services to be provided (Section 3.2(1)(a)).
    • A fee structure (Section 3.2(1)(b)).
    • Provisions on on-line communication availability, transmission line security, and transaction authentication (Section 3.2(1)(c)).
    • Responsibilities regarding hardware, software and infrastructure upgrades (Section 3.2(1)(d)).
    • Provisions governing amendment and pretermination of the contract (Section 3.2(1)(e)).
    • Mandatory notification by the service provider of all systems changes affecting the bank (Section 3.2(1)(f)).
    • Details of all security procedures and standards (Section 3.2(1)(g)).
    • Responsibility, fines, penalties and accountability of the service provider for errors, omissions and frauds (Section 3.2(1)(h)).
    • A confidentiality clause covering all data/information, plus solidary liability of the service provider and the bank for any violation of R.A. No. 1405 (Bank Deposits Secrecy Law), including actions the bank may take for breach and the applicable penalties (Section 3.2(1)(i)).
    • Segregation of the bank’s data from the service provider’s and its other clients’ data (Section 3.2(1)(j)).
    • Disaster recovery/business continuity contingency plans and procedures (Section 3.2(1)(k)).
    • Adequate insurance for fidelity and fire liability (Section 3.2(1)(l)).
    • Ownership/maintenance of computer hardware, software (program source code), user and system documentation, and master/transaction data files (Section 3.2(1)(m)).
    • Guarantee of necessary transition assistance if the bank changes to other service providers or arrangements (Section 3.2(1)(n)).
    • Access to the service provider’s financial information (Section 3.2(1)(o)).
    • Access of internal and external auditors to information needed for their responsibilities (Section 3.2(1)(p)).
    • Access of BSP to the service provider’s operations to review outsourced activities/services (Section 3.2(1)(q)).
    • A provision requiring the service provider to immediately take corrective measures to satisfy findings/recommendations of BSP examiners and internal/external auditors (Section 3.2(1)(r)).
    • Remedies for the bank in events of change of ownership, assignment, attachment of assets, insolvency, or receivership of the service provider (Section 3.2(1)(s)).
  • Section 3.2(2) requires submission of Board minutes signed by a majority of directors, certified by the Secretary and attested by the President, covering:
    • Benefits/advantages of outsourcing, including role in strategic and business plans and contributions to economy, efficiency and quality of operations (Section 3.2(2)(a)).
    • Careful evaluation before selecting the service provider, including reputation, financial condition, cost for development/maintenance/support, internal controls, recovery processes, service level agreements, availability of competent personnel, strategic or convenient support location, and similar considerations (Section 3.2(2)(b)).
    • Creation of a senior management oversight committee, including members, organizational chart, and roles/responsibilities to oversee efficient implementation/monitoring of the provider’s applications/operations to align with bank IT initiatives/policies/guidelines (Section 3.2(2)(c)).
    • Creation of a help desk to resolve queries/problems arising from outsourced applications/operations (Section 3.2(2)(d)).
    • Systems and user acceptance tests to be conducted by the service provider before full implementation, with unsatisfactory results as valid ground to rescind the outsourcing contract (Section 3.2(2)(e)).
  • Section 3.2(3) requires submission of a profile of the selected service provider (or non-bank partner in joint ventures/other similar arrangements) including:
    • Most recent and complete financial and operational information (Section 3.2(3)(a)).
    • Track record (Section 3.2(3)(b)).
    • List of clientele, particularly banks and services provided thereto (Section 3.2(3)(c)).
    • Other competence/reputation documents if chosen by the service provider or non-bank partner (Section 3.2(3)(d)).

Outsourcing of other banking functions

  • Section 4.1 permits, subject to prior approval of the Monetary Board, outsourcing of specified non-IT functions, including:
    • Data imaging, storage, retrieval and other related systems.
    • Clearing and processing of checks not included in the Philippine Clearing House System.
    • Printing of bank deposit statements.
    • Other activities as the Monetary Board may determine.
  • Section 4.1 requires documentary requirements listed in Section 3.2 for these outsourcing arrangements, except where they exclusively pertain to information technology operations.
  • Section 4.2 permits banks, subject to Section 4 framework and Monetary Board approval, to outsource services including:
    • Credit card services.
    • Printing of bank loan statements and other non-deposit records, bank forms, and promotional materials.
    • Credit investigation and collection.
    • Processing of export, import and other trading transactions.
    • Transfer agent services for debt and equity securities.
    • Property appraisal and property management services.
    • Messenger, courier and postal services.
    • Security guard services.
    • Vehicle service contracts.
    • Janitorial services.
    • Other activities as the Monetary Board may determine.

Service provider eligibility standard

  • Section 5 requires banks, when outsourcing is allowed under law and the circular, to enter outsourcing contracts only with service providers that have demonstrable technical and financial capability commensurate to the services to be rendered.

Review of existing outsourcing contracts

  • Section 6 requires banks to comply within six (6) months from the effectivity of BSP Circular No. 268.
  • Section 6(1) requires each bank to submit a list of all existing outsourcing contracts with service providers that details:
    • Services/activities being outsourced (Section 6(1)(a)).
    • Terms of the contracts (Section 6(1)(b)).
    • Measures undertaken by the bank and/or service provider to ensure secrecy of bank deposits and confidentiality of all other data and information (Section 6(1)(c)).
    • Other information necessary to show compliance or required by the Monetary Board (Section 6(1)(d)).
  • Section 6(2) provides alternative compliance courses for outsourcing contracts not in accordance with the circular:
    • Preterminate the contracts (Section 6(2)(a)).
    • Renegotiate/remedy to comply and submit amendments or new contracts to BSP (Section 6(2)(b)).
    • Submit a program of compliance to BSP (Section 6(2)(c)).

Penalties and administrative consequences

  • Section 7 provides that violation of BSP Circular No. 268 triggers penalties under Sections 34, 35, 36 and 37 of Republic Act No. 7653 (New Central Bank Act).
  • Section 7 further provides that when the offender is a director or officer or a bank, the Monetary Board may also suspend or remove such director or officer.

Supersession and effectivity

  • Section 8 supersedes Section X169 of the Manual of Regulations for Banks (MORB).
  • Section 9 sets the effectivity of BSP Circular No. 268 as immediate.

Analyze Cases Smarter, Faster
Jur helps you analyze cases smarter to comprehend faster, building context before diving into full texts. AI-powered analysis, always verify critical details.

About Privacy Terms