Outsourcing IT services in the financial sector: Pakistan’s regulatory landscape
Akhund Forbes, Karachi
There has been an increase in financial institutions outsourcing their technological services to cloud service providers (CSPs) for various reasons, such as a lack of internal IT expertise and cost reduction. However, these institutions are exposed to potential cloud transaction risks, such as legal, technology and firm risks. While the importance of an effective internal governance structure is stressed, the varying effectiveness amongst firms in crafting suitable governance mechanisms is recognised.
In response to these challenges, the State Bank of Pakistan (SBP) has issued regulations to provide a cohesive regulatory framework for financial institutions outsourcing technological services to Cloud Service Providers. It is important to note that section 17H of the State Bank of Pakistan Act 1956, empowers the SBP to make and enforce regulations pertaining to finance, banking, monetary policy, etc. This article, therefore, aims to explore this regulatory landscape for financial entities that outsource their IT services.
SBP’s framework for risk management in outsourcing arrangements by financial institutions
In 2019, the SBP developed a framework to mitigate potential risks which may arise from financial institutions outsourcing their internal services. The guidelines in the framework apply to all outsourcing arrangements of financial institutions, which include commercial banks, Islamic banks, microfinance banks and development financial institutions (FIs). These apply to local and off-shore service providers and govern all new outsourcing arrangements. Furthermore, existing arrangements are required to be streamlined to comply with the framework. Under these guidelines, FIs are mandated to develop an outsourcing policy, approved by their board of directors, which must encompass roles and responsibilities of stakeholders, materiality assessment criteria, vendor management, risk assessment and mitigation, core and non-core activities, contingency planning and an exit strategy.
FIs are further required to manage the risks associated with outsourcing arrangements, which include operational and concentration risks. The SBP must be informed of any significant adverse development regarding the outsourcing arrangement within two days. FIs are required to assess risks from outsourcing business activities and integrate them into their risk management framework, and they must define and assess the risk of outsourcing specific functions, analyse the impact on their overall risk profile, address all associated risks, consider the criticality of services to be outsourced and conduct risk assessments periodically.
In addition, FIs are required to conduct due diligence on the business activity to be outsourced, and on the service provider. This should cover various areas including the provider’s technical competence, financial strength, reputation, control framework, performance standards, policies, procedures, business continuity planning, physical and IT security controls and ethical and professional standards. Enhanced due diligence is needed when there is only one service provider for a specific outsourcing activity, and potential conflicts of interest are also required to be addressed. The results of due diligence must be documented and reviewed by auditors and the SBP when necessary. In addition, these guidelines stipulate instructions regarding risk mitigation of outsourcing services to foreign CSPs.
SBP’s framework for outsourcing to Cloud Service Providers
In 2023, the SBP published a new framework which specifically deals with outsourcing arrangements to CSPs and outlines the minimum requirements for SBP’s Regulated Entities (REs) to safely outsource their workloads, both material and non-material, using a risk-based approach. The regulated entities include banks, digital banks, microfinance banks, development finance institutions, electronic money institutions, payment system operators and payment system providers. Pursuant to this framework, all cloud outsourcing arrangements will be regulated by the SBP. This framework and its directives strongly echo the SBP’s 2019 guidelines as mentioned above.
Material workloads, as defined under these guidelines, are essential systems, applications and services that, if compromised, could significantly impact a business operation’s reputation or profitability. REs are allowed to outsource any type of workload to reputable onshore CSPs. However, outsourcing material workloads to offshore CSPs will require the SBP’s approval, which will be given on a case-by-case basis after considering the systemic implications. To obtain permission to outsource material workloads offshore, banks and other entities must submit a request to the SBP, which may then impose additional terms and conditions beyond the framework’s requirements.
Similar to the 2019 guidelines, REs must demonstrate reasonable care before entering into cloud outsourcing arrangements and conduct due diligence on the CSPs and their material subcontracting arrangements. Notably, outsourcing to CSPs does not absolve REs from the responsibility of safeguarding data confidentiality and integrity. As such, REs must ensure data in the cloud environment is identifiable and segregated. Furthermore, REs must conduct periodic vulnerability assessments, penetration tests and scenario-based security testing of their systems hosted with the CSPs, given the nature of cyber threats.
The rise of technological service outsourcing by financial institutions to CSPs has been coupled with increasing potential risks regarding privacy and data-breach concerns. To mitigate such risks, the SBP has responded with detailed regulatory frameworks, both in 2019 and 2023. Effective internal governance, comprehensive risk management, due diligence and stringent cybersecurity measures form the core of these guidelines, which mandate FIs and REs to adopt a risk-based approach in their outsourcing policies, especially concerning critical material workloads.