On 23 June 2022, the Bank of Namibia issued a Determination in terms of the Banking Institutions Act. The determination sets strict guidelines relating to the outsourcing of cloud-based services by Banking Institutions.
The directive is of importance to Namibian Banking Institutions and to entities that desire to render information technology services to Namibian Banking Institutions.
Herewith a summary of the key provisions of the Directive:
Services that banking institutions are permitted to outsource, and measures that Namibian banking institutions and third parties must have in place when outsourcing information technology services.
1. Cloud-based services or cloud computing refers to the set of on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage facilities, applications and services). Such resources can be rapidly provisioned and released with minimal management effort or service provider interaction:
1.1. Software as a Service (SaaS) means using general software or business specific applications run on computers in the cloud but owned and operated by the cloud service providers;
1.2. Platform as a Service (PaaS) means using a complete computer environment that is provided for building and delivering web-based applications, either internally developed or acquired applications, while the cloud service provider undertakes the purchase, management and hosting of the underlying hardware;
1.3. Infrastructure as a Service (IaaS) is where companies are provided with computing resources, including servers, networking, storage, and data centre space.
2. Cloud resources may be provided through public, private, community or hybrid cloud deployment models:
2.1. public cloud is services and infrastructure owned and operated by the service providers and offered off-site over a public network;
2.2. private cloud refers to services and infrastructure operated solely for a single organisation, whether managed internally or by a third party and hosted on a private network;
2.3. community cloud is cloud infrastructure available for exclusive use by a specific community of institutions, including several institutions within a single group; and
2.4. hybrid cloud is services built on a private cloud foundation with a combination of public cloud services.
3. A banking institution must differentiate outsourced business activities and functions as:
3.1. Core activities, business activities or functions which may not be outsourced;
3.2. Material activities, business activities or functions which may be outsourced with prior notification of the Bank; and
3.3. Non-material activities, business activities or functions which may be outsourced with no notification of the Bank.
4. Material business activities mean business activities or functions of such importance that, should such activities be disrupted, they would have a significant impact on the banking institution’s business operations, its ability to manage risks effectively or its continued regulatory compliance. The Bank will only allow the outsourcing of internal audit with prior written approval from the Bank. Management oversight, governance, risk management, compliance, and critical shared services (services that support a banking institution’s critical functions, where a failure of such services would lead to a failure or disruption of critical functions) may only be insourced with the written approval of the Bank.
5. Insourcing is described as services which have been outsourced to a third-party service provider within a particular group of institutions that form part of a single banking group.
6. All notifications for insourced activities must be accompanied by supporting documents confirming the due diligence, selection criteria, contractual agreement and Service Level Agreement of the third party. Furthermore, the pricing methodology and cost components for any fees charged, and a detailed invoice must be provided to justify the fees charged. Transfer pricing across legal entities is considered insourcing.
7. All existing insourced arrangements must be brought into compliance with the requirements of this Determination.
8. Requirements relating to the outsourcing of material business activities have been formulated. Senior management must ensure that these regulations are complied with. The banking institution must ensure that a contractual agreement with third party service providers is in place to warrant compliance with legislation and with the requirements. The requirements include:
8.1.1. A plan for assessing outsourcing strategies and arrangements, evaluating their consistency with and supporting the banking institution’s strategic objectives is established.
8.1.2. A programme for outsourcing activities or functions, including performing risk assessments surrounding the outsourcing of material business activities and functions before entering into the arrangement and during the arrangements, and determining appropriate approval mandates for outsourced services.
8.1.3. A comprehensive risk assessment and risk mitigation strategies to address the risks associated with outsourced arrangements with third party service providers. The risks should be periodically reassessed in line with the banking institution’s risk management framework.
8.1.4. The Bank must be notified before material business activities are outsourced.
8.1.5. A senior official of the banking institution must assume the responsibility of managing outsourced services. This official will be accountable for the smooth operation of the service and for the third party service provider’s compliance with the Determination where applicable.
8.1.6. Monitor the regulatory and compliance landscape for change and consider all respective regulations when considering all outsourcing and cloud computing arrangements to ensure compliance.
8.1.7. The legislative requirements applicable to the third party service provider in the countries where the banking institution’s data is hosted must be understood, and it must be determined whether this does not impose undue risk on the banking institution, especially where countries have rights to seize or otherwise access data hosted by the third party service providers.
9. The outsourcing of data centres hosting production core banking IT systems is not permitted. This service is identified as a core business activity or function. There are, however, exceptions:
9.1. A banking institution must locate their data centres, hosting their production core banking systems, on local infrastructure. Local Infrastructure as a Service (IaaS) for the production core banking system may be considered on a case-by-case basis with the written approval of the Bank.
9.2. A banking institution may elect to locate their data centre to host only replicated or backup copies of the core banking system on an infrastructure owned, hosted and administered by the parent company, with the prior written notification to the Bank.
9.3. Non-core banking systems must be categorised as material or non-material IT systems, which may be outsourced, including through cloud computing arrangements, provided the arrangements comply with the requirements of the Determination.
9.4. Where written notification is required, a banking institution must ensure the notification includes supporting documentation on the outsourced activity and vendor to the satisfaction of the Bank, which includes due diligence, selection criteria, contractual agreement, and Service Level Agreements.
10. The board of directors of a banking institution must ensure that the Bank and the banking institution’s external auditors have access to information relating to the outsourced service.
11. Where services are to be outsourced, the following requirements must be complied with:
11.1. A board-approved outsourcing policy;
11.2. Planning and risk assessments;
11.3. Tender process, due diligence and selection.
11.3.1. The due diligence conducted before an outsourced cloud computing arrangement must include an assessment of:
a) the business case for moving an IT system to cloud computing;
b) all relevant and affected stakeholders;
c) information security controls and considerations;
d) third-party assurance audits and security testing;
e) security standards, ensuring that the third-party is certified or audited to adhere to cloud computing, and security requirements including physical security standards at the third party’s data centres, which should not be less than the physical security measures that would have been in place had the data been hosted at the banking institution’s own data centres.
f) access rights, including developed and implemented user access privilege controls in order to restrict access to the banking institution’s data, systems and infrastructure.
h) incident management, which must also be included in a contractual agreement;
i) multitenancy in the Cloud;
j) contingency planning and capacity of the third party to provide services on a continuous basis, and to take on increased services.
k) continuity and recoverability.
11.4. An outsourcing contractual agreement entered into between the banking institutions and the third-party service provider, supported by Service Level Agreements. The agreements must specifically pertain to:
a) data ownership;
b) data breaches;
c) default and termination provisions and termination of services;
d) planning for termination; and
f) forensic audits and investigations.
11.5. Resources must be available to the banking institution to ensure that the outsourcing relationship is monitored and managed.
11.6. A contingency plan relating to the outsourced activity must be developed by the banking institution.
11.7. The Bank should be able to obtain access to information relating to the outsourced material business to enable it to perform its regulatory duties.
11.8. Documentation and reporting which facilitates the accountability, monitoring, and risk management associated with third-party service providers.
12. Existing outsourced or cloud computing arrangements must be brought into compliance with this Determination within one year of the publication of this Determination.
Kindly note that this note is not intended to be legal advice. The note is distributed for information purposes only and Cronjé Inc or its employees will not be liable for any direct or indirect loss that may be suffered as a result of reliance on the content of this note. This note is confined to matters of Namibian law, as at the date hereof. In the event that the content hereof is relevant to any reader, we advise that the reader approach their attorney for legal advice.