BANGKO SENTRAL NG PILIPINAS
OFFICE OF THE DEPUTY GOVERNOR
FINANCIAL SUPERVISION SECTOR
MEMORANDUM NO. M-2022-046
To : ALL BSP-SUPERVISED FINANCIAL INSTITUTIONS (BSFIs)
Subject : Frequently Asked Questions on the Amendments to the
Regulations on Outsourcing and IT Risk Management
The BSP issues the attached Frequently Asked Questions (FAQ) on Circular
No. 1137 on the Amendments to the Regulations on Outsourcing and IT Risk
Management (Annex A) to provide additional guidance and clarification on the
implementation of the said Circular. This document covers the following:
1. Conduct of materiality assessment and maintenance of outsourcing
register;
2. Intra-group and offshore outsourcing, and subcontracting arrangements;
3. Cloud outsourcing;
4. Additional outsourcing activity;
5. IT Outsourcing Questionnaire; and
6. Timeline on the submission of documentary requirements.
For information and guidance.
Digitally signed by Chuchi G. Fonacier
Date: 2022.10.27 16:57:12 +08'00'

CHUCHI G. FONACIER
Deputy Governor
27 October 2022
ANNEX A
FREQUENTLY ASKED QUESTIONS (FAQ) ON THE
AMENDMENTS TO REGULATIONS ON OUTSOURCING
AND IT RISK MANAGEMENT
(Circular No. 1137 dated 18 February 2022)
Introduction
As the BSP recognizes technology developments in the industry and their
impact on the business operations and initiatives of BSP-supervised financial
institutions (BSFIs), the Monetary Board (MB) approved the Amendments to the
Regulations on Outsourcing and Information Technology Risk Management issued
under Circular No. 1137. The Circular applies a risk-based approach on technology
outsourcing consistent with international practices and in line with recent industry
developments.
The following responses to the FAQs on Circular No. 1137 aim to provide
guidance and facilitate implementation of the said issuance:
A. Conduct of materiality assessment and maintenance of outsourcing register
1. Is the maintenance of outsourcing register as provided in Appendix 103/Q-36
applicable only for material outsourcing arrangements? In relation to this, are
BSFIs required to conduct materiality assessment for existing outsourcing
arrangements?
No, the outsourcing register should include all outsourcing arrangements, both
material and non-material. The required minimum information for the
outsourcing register is indicated in Appendix 103 Section A of subject Circular.
Meanwhile, BSFIs are expected to conduct materiality assessment for both new
and existing outsourcing arrangements. BSFIs may initially identify materiality
of existing outsourcing engagements based on current company policies. For
instance, existing outsourcing contracts that are subject to annual (or more
frequent) reviews may be initially assessed as material while those subject to less
frequent reviews may be initially assessed as non-material.
Nonetheless, BSFIs should update the corresponding outsourcing and vendor
management policies taking into account the provisions of Circular No. 1137, and
subsequently undertake a more comprehensive materiality assessment of ALL
outsourcing arrangements based on the revised policies and procedures.
2. Since there are no defined weights/scores and methodology in determining the
level of materiality of outsourced activities/arrangements based on the factors
enumerated in the Circular, are BSFIs allowed to develop their own materiality
scoring/rating system?
Yes, BSFIs may develop their own rating/scoring methodology to aid in the
assessment of overall materiality of outsourcing arrangements, based on factors
enumerated in Annex A of the Circular. This, however, does not preclude the BSP
from evaluating the soundness of the Bank's internal rating/scoring
methodology.
FAQ ON CIRCULAR NO. 1137 ON THE AMENDMENTS TO REGULATIONS ON OUTSOURCING AND IT RISK MANAGEMENT Page 1 of 6
B. Intra-group and offshore outsourcing, and subcontracting arrangements
1. The Circular has provided definitions and guidelines related to intra-group
outsourcing and offshore outsourcing. How should BSFIs classify intra-group
outsourced activity provided by offshore-based unit/group?
If an outsourcing activity falls within the definition of both intra-group and
offshore outsourcing, as provided in Circular No. 1137, then said outsourcing
arrangement is considered as both an intra-group and offshore outsourcing
service. Hence, the outsourcing activity shall not require prior BSP approval once
relevant intra-group or offshore outsourcing conditions are met. In any other
case, the general guidelines and requirement on outsourcing shall apply.
2. In relation to the guidelines on intra-group outsourcing arrangements, in case
the BSFI is unable to meet all the following conditions, namely: (i) the services
rendered are performed in the ordinary course of business; (ii) the service
provider is likewise a regulated financial institution; and (iii) the service is
rendered to subsidiaries, affiliates and companies related to the service provider
through common ownership, will the BSFI need to seek BSP approval prior to
implementation of said outsourcing arrangement?
If the intra-group outsourcing activity does not meet ALL the conditions
provided in the Circular, the general outsourcing guidelines and requirements
shall apply. This includes, among others, the assessment/identification of the
level of materiality and SAFr¹ rating to determine whether the outsourcing
activity requires prior BSP approval.
3. Please confirm whether an intra-group outsourcing arrangement which meets
the following conditions, namely, (i) the services rendered are performed in the
ordinary course of business; (ii) the service provider is likewise a regulated
financial institution; and (iii) the service is rendered to subsidiaries, affiliates and
companies related to the service provider through common ownership, does
not require prior BSP approval regardless of SAFr rating and level of materiality
of outsourced activity.
If an intra-group outsourcing activity meets all three (3) conditions provided in
the Circular, prior BSP approval is not required. However, BSFIs are still expected
to assess the materiality of said outsourcing engagement. If deemed material,
regardless of the BSFI's SAFr rating, the requirements under Section B of
Appendix 103/Q-36 shall apply (For material outsourcing that DO NOT REQUIRE
prior Bangko Sentral approval).
¹ Supervisory Assessment Framework (SAFr)
4. Prior to the issuance of Circular No. 1137, the intra-group outsourcing covers the
relationship between the head office and its branch. However, the current
amendments on intra-group outsourcing regulations exclude reference to head
office-branch relationship. Does it follow that support services rendered by the
head office to its foreign branch are no longer considered as outsourcing under
the existing provisions?
Branch operations are technically extensions of the head office, thus, the
services rendered by the head office to its foreign branch/es shall not be
considered as outsourcing activities. Nonetheless, the branch of the foreign
bank is expected to monitor and evaluate the quality/level of services rendered
by its head office, as guided by the bank's service level agreement between
concerned units.
5. The guidelines excluded "branch of foreign banks" when referring to intra-group
outsourcing. Does it imply that the statement "Services rendered to subsidiaries,
affiliates and companies related to the service provider through common
ownership" are also applicable to branches of foreign banks?
Yes, in cases wherein the foreign bank branch enters into an outsourcing
arrangement with a service provider/entity within the common ownership
group, the guidelines on intra-group outsourcing shall apply.
6. For subcontracting agreements, please confirm whether prior BSP approval of
the outsourcing agreement between the BSFI acting as the intra-group service
provider and the subcontractor will still take into consideration the level of
materiality and the BSFI's SAFr rating. What if the intra-group service provider is
not a BSFI?
Yes, the general outsourcing guidelines and requirements shall apply to BSFIs
acting as intra-group service provider in relation to their subcontracting
arrangement. This means that the determination on whether prior BSP approval
is needed shall be determined by the BSFI's SAFr rating and the level of
materiality of the outsourced activity (subcontracting services).
On the other hand, if the intra-group service provider entering into a
subcontracting agreement is not a BSFI, then the BSFI (recipient of the
outsourcing service) shall follow the general guidelines and requirements on
outsourcing as provided in Circular No. 1137, including proper disclosure of
subcontracting arrangements to the BSP.
7. In case the BSFI's third party service provider enters into an outsourcing
arrangement (e.g., cloud hosting services) with another service provider
(subcontracting), is this agreement expected to conform with the provisions set
forth in the Circular?
While existing regulations do not prohibit subcontracting arrangements,
Section 3.3 of Appendix 78 of the Manual of Regulations for Banks (MORB) clearly
states that,
"Some service providers may contract with third-parties in providing IT
services to the BSFI. The extent to which subcontractors perform additional
services should be limited to peripheral or support functions while the core
services should rest with the main service provider. The BSFI should retain
the ability to maintain similar control over its outsourcing risks when a
service provider uses subcontractors in the course of rendering the IT-related
services. Agreements should have clauses setting out the rules and
limitations on subcontracting. To provide accountability, it may be beneficial
for the BSFI to include a provision specifying that the contracting service
provider shall remain fully responsible with respect to parts of the services
which were further outsourced to subcontractors. It should also consider
including notification and approval requirements regarding changes to the
service provider's significant subcontractors."
C. Cloud outsourcing
1. With the deletion of the section on cloud outsourcing in Appendix 78, is cloud
outsourcing still considered as an outsourcing arrangement? If yes, is it
necessary to distinguish various types of cloud outsourcing arrangements when
entering into such agreement? Further, are BSFIs expected to include the type
of cloud hosting services in assessing the level of materiality?
Yes, cloud outsourcing arrangements are still considered as IT outsourcing;
hence, these are subject to the provisions of Circular No. 1137. In case a BSFI
enters into such agreement, it should identify the type of cloud hosting services
to allow the BSFI to manage risks accordingly. Further, the IT Outsourcing
Questionnaire (Section A - Overview of the Outsourced Activities and Service
Providers) also requires information on activities, operations, and services to be
outsourced, which basically pertains to the type of cloud hosting arrangements,
if applicable.
In terms of materiality assessment, the BSFIs are not required to include cloud
service-specific factors (e.g., type of cloud hosting services) in addition to the five
(5) materiality factors as provided in the Circular, but may opt to do so if deemed
necessary.
2. Please confirm whether the deletion of Section 4 of Appendix 78 is equivalent
to lifting of restrictions on the use of public cloud for core operations.
Yes, BSFIs may engage in any type of cloud outsourcing services, whether for
core or non-core operations, subject to the guidelines and requirements of the
outsourcing circular.
3. Since BSFIs incur costs in the engagement of SOC 2 Type 2 Audit, will the BSP
allow other external audit report and/or service provider's internal audit as
acceptable alternative procedures/documentary requirements?
In case a SOC 2 Type 2 Report for the cloud service provider is not available, BSFIs
may submit alternative report/s so long as the review was conducted by an
independent external party.
D. Additional outsourcing activity
1. In case the BSP issues approval of outsourcing arrangement (e.g. cloud hosting)
between the BSFI and service provider, will such approval extend to subsequent
additional services that will be offered by the same service provider to the BSFI?
If a material outsourcing arrangement requires prior BSP approval, such
approval shall only pertain to the activities/services at the time of application
and evaluation. Hence, it does not cover additional services to be availed in the
future. Subsequent changes to any type of outsourcing arrangement of BSFIs
with SAFr rating of below "3" shall require prior BSP approval, under the
following circumstances:
a. Changes in existing material outsourcing arrangements that have significant
impact in the delivery of outsourcing services, business operations,
reputation and profitability; and
b. Changes in existing outsourcing arrangements resulting in the
reclassification of the arrangements as material such as, but not limited to
those affecting the nature, scope, and complexity of systems and processes.
In case a BSFI with a SAFr rating of at least "3" takes on subsequent changes, as
mentioned in items a and b above, said arrangements shall not require prior BSP
approval, but are subject to submission of documents, as provided in the
appendix of the Circular.
E. IT Outsourcing Questionnaire
1. As provided in Annexes 103-1 and 103-2, the IT outsourcing questionnaires must
undergo review and sign-off by C-suite executives prior to submission to the BSP.
In the event that C-suite executives are based at the regional offices, as in the
case of foreign bank branches, who are required to conduct self-assessment
review and sign-off?
Questionnaires must be reviewed and signed off by C-suite executive with direct
understanding of the outsourced activities and their attendant risks. In case the
C-suite executives are based at the regional offices, questionnaires may be
reviewed and signed off by an officer of equivalent rank (e.g., Country Manager)
as long as said officer has proper knowledge and sufficient understanding of the
outsourced activity and related risks.
2. For Appendix 103-2 (IT Outsourcing Questionnaire for Technology Service
Provider), please confirm that while the information will be obtained from the
Technology Service Provider (TSP), the review and sign-off will be performed by
the C-suite executive of the BSFI.
Yes, sign-off and review for the IT Outsourcing Questionnaire for TSPs will be the
responsibility of the BSFI's C-suite executive.
F. Timeline on the submission of documentary requirements
1. Will the BSP still require submission of additional documentary requirements?
The submission of additional requirements becomes of particular concern in
case project schedules are subject to tight timelines, hence, on-time
implementation of outsourcing arrangements is critical in the achievement of
business requirements/objectives.
The BSP may require submission of additional information/documents to
address deficiencies in submitted documents or to obtain further clarification,
as may be necessary. In view of this, BSFIs are strongly encouraged to ensure
timely submission of complete and accurate information/documents to avoid
potential delays in planned activities.