1. |
VASPs must ensure all Outsourcing arrangement are undertaken in the form of a legally binding written agreement which clearly sets out the relevant rights, liabilities and obligations of the Service Provider and the VASP. The contents and level of contractual protection required should reflect the risk level of the Outsourcing arrangement. VASPs should regularly review their Outsourcing agreements to assess whether it is necessary to renegotiate provisions to bring the agreements in line with current market standards and changes in the VASP’s business development strategies. |
2. |
The following matters should be taken into consideration by the VASP when negotiating the provisions of any Outsourcing agreement—
|
|
a. |
performance standards to be achieved in respect of the Outsourced service, and consequences for failing to achieve such standards; |
|
b. |
delineation of intellectual property, proprietary information and asset ownership and rights; |
|
c. |
business continuity and contingency planning for the Outsourced service; |
|
d. |
controls and process for changes to the Outsourcing arrangement; |
|
e. |
guarantees or indemnities from the Service Provider; and |
|
f. |
mechanism to resolve disputes that might arise under the Outsourcing arrangement.
|
3. |
Mandatory provisions for any Outsourcing. The following matters must be included in all legal agreements governing an Outsourcing—
|
|
a. |
a clear description of the Outsourced Function to be provided; |
|
b. |
contractual assurance that the Service Provider is able to maintain processes and procedures for the continuous operation of the Outsourcing required by the VASP, in line with all applicable laws and regulatory requirements; |
|
c. |
contractual requirements to maintain an appropriate level of information security, risk management and service delivery commensurate with the profile of the Outsourcing arrangement; |
|
d. |
contractual requirements to protect confidential information and client data [as further specified in Rule IV.D.5 of this Company Rulebook below]; |
|
e. |
provisions allowing that the data that is owned or controlled by the VASP can be accessed at any time by the VASP or a competent authority and, in particular, in the case of resolution or discontinuation of business operations of the Service Provider or if it is insolvent; |
|
f. |
notwithstanding Rule IV.E of this Company Rulebook below, conditions to be imposed in relation to sub-Outsourcing; |
|
g. |
clearly set out the obligations of existing Service Provider on termination to securely destroy data relating to the VASP or its clients; and |
|
h. |
the Outsourcing agreement should expressly allow the VASP to terminate the arrangement, in accordance with applicable laws, including in the following situations—
|
|
|
i. |
where the Service Provider is in breach of applicable laws, regulations or in material breach of contractual provisions; |
|
|
ii. |
where there are material weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and |
|
|
iii. |
where instructions are given by a competent authority [including VARA] to terminate the Outsourcing agreement or where such competent authority expresses significant concern regarding the adequacy or prudence of any such Outsourcing agreement.
|
4. |
Mandatory provisions for a Material Outsourcing. In addition to the mandatory provisions set out in Rule IV.D.3 of this Company Rulebook above, the following matters must be included in any legal agreement governing a Material Outsourcing—
|
|
a. |
the start date and end date, where applicable, of the agreement and the notice periods for the Service Provider and the VASP; |
|
b. |
the parties’ financial obligations; |
|
c. |
the right of the VASP to monitor the Service Provider’s performance on an ongoing basis; |
|
d. |
the agreed service levels or performance standards, which should include precise performance targets for the Outsourced Function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met, including consequences if service levels or performance standards are not met; |
|
e. |
the reporting obligations of the Service Provider to the VASP, including—
|
|
|
i. |
the communication [without undue delay] by the Service Provider of any breach of the VASP’s data [including confidential information]; or |
|
|
ii. |
any development that may have a material impact on the Service Provider’s ability to effectively carry out the Material Outsourcing in line with the agreed service levels, in compliance with all applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit Function of the Service Provider;
|
|
f. |
the requirements to implement and test business contingency plans; |
|
g. |
the obligation of the Service Provider to cooperate with the competent authorities of the VASP, including other Entities appointed by them; |
|
h. |
the right of the VASP and competent authorities to inspect and audit the Service Provider as further specified in Rule IV.G.2 of this Company Rulebook; |
|
i. |
termination and exit assistance arrangements to ensure the smooth transfer of the Outsourced service either to another Service Provider or back to the VASP with minimal disruption. To this effect, the Outsourcing agreement should—
|
|
|
i. |
clearly set out the obligations of the existing Service Provider in providing cooperation, reasonable assistance and transitional services on termination of the Outsourcing agreement, including the return, destruction or transfer of data; and |
|
|
ii. |
include a transition period, where necessary, during which the Service Provider, after the termination of the Outsourcing arrangement, continues to provide the service to reduce disruption;
|
|
j. |
the requirement for the Service Provider to hold relevant and adequate insurance; and |
|
k. |
the location[s] [i.e. regions or countries] where Material Outsourcing will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the VASP if the Service Provider proposes to change the location[s].
|
5. |
Client confidentiality and data.
|
|
a. |
VASPs must take appropriate steps to monitor their relationships with Service Providers and ensure that adequate measures are taken to safeguard the confidentiality and integrity of client data. |
|
b. |
Notwithstanding all other requirements in the Technology and Information Rulebook, VASPs must ensure that Outsourcing arrangements comply with all applicable UAE laws and regulations in respect of managing and processing data [e.g. the PDPL]. This includes requiring the Service Provider to procure, in the event a Service Provider subcontracts part of the service to a sub-contractor, the sub-contractor’s compliance with all applicable laws and regulations. VASPs should ensure Service Providers are not permitted to provide any third party with access to confidential data of the VASP or its clients without obtaining the VASP’s prior written consent. |
|
c. |
VASPs should take into account any applicable legal, regulatory or contractual obligations to notify clients or any competent authority in the event of an unauthorised data access or breach. In the event of an unauthorised data access or breach, where the VASP is required to notify clients or a competent authority under applicable legal or regulatory obligations, the VASP shall notify VARA within the same legally required time periods. |
|
d. |
VASPs should ensure that all client data should be destroyed or returned to the VASP in event of any termination of the Outsourcing arrangements, subject to applicable laws and regulatory requirements [e.g. recordkeeping requirements].
|