1. |
VASPs must take into account additional considerations in respect of Outsourcing to a Service Provider located outside of the UAE, including but not limited to the following factors in respect of the relevant jurisdiction which may affect the ability of an overseas Service Provider to fulfil the terms of an Outsourcing agreement or the ability of the VASP to monitor and control the Outsourced Function—
|
|
a. |
economic, political or social conditions; |
|
b. |
differing legal or regulatory systems; |
|
c. |
sophistication of the technology and infrastructure; and |
|
d. |
reputational risk.
|
2. |
VASPs must take active steps in managing such risks, including conducting additional due diligence on potential Service Providers located outside of the UAE to understand whether they will be able to safeguard confidential information and client data and effectively monitor the overseas Service Provider, as well as execute business continuity plans and exit arrangements. VASPs must ensure, by means of adequate contractual and practical arrangements, that overseas Service Providers implement and maintain robust and appropriate levels of information security and service delivery throughout the duration of the Outsourcing relationship. |
3. |
VASPs must ensure all applicable data protection laws are complied with in cross-border Outsourcing arrangements, including those in respect of international transfers of Personal Data. |
4. |
VASPs should consider the need to notify [and obtain consent from] their clients in respect of cross-border Outsourcing arrangements, including the jurisdiction in which the service is to be performed and any rights of access available to overseas authorities. |
5. |
In circumstances where an overseas authority requests access to the VASP’s information, the VASP should notify VARA and any affected clients as soon as possible, subject to the VASP’s compliance with applicable laws. |
6. |
VASPs must notify VARA prior to undertaking any cross-border Outsourcing and must ensure that the Outsourcing arrangement would not impede VARA’s ability to exercise its statutory rights and responsibilities, such as the rights of access and audit to information of the VASP.
|