Skip to main content

A. Application & Scope

1. Application & scope
  a. In scope
    Subject to Rules IV.A.1.b and IV.A.1.c, this Part IV shall apply to all Outsourcing arrangements of VASPs.
  b. Out of scope
    The following shall not be treated as Outsourcing—
    i. a Function that is legally required to be performed by a Service Provider [e.g. statutory audit];
    ii. market information services [e.g. provision of data];
    iii. global network infrastructures; and
    iv. the acquisition of services that would otherwise not be undertaken by the VASP [e.g. advice from a lawyer, cleaning and gardening, post-room services, receptionists and switchboard operators], goods [e.g. office supplies, furniture] or utilities [e.g. electricity, gas, water, telephone line].
  c. Non-core systems or business
    An Outsourcing by a VASP to a Service Provider in relation to non-core systems which do not relate to its core business, or any service or task where a defect or failure in their performance would not materially impair the continuing compliance by the VASP with its Licence including all conditions, shall not fall within the scope of this Part IV of this Company Rulebook.
2. Prohibited Outsourcing. VASPs must not enter into any Outsourcing arrangement that would materially impair—
  a. the quality of their internal controls; or
  b. the ability of VARA and other competent authorities to exercise their statutory rights or to monitor, supervise or audit the VASP’s compliance with all applicable laws or regulatory requirements.
3. Specified officers. VASPs may enter into Outsourcing arrangements with respect to each of their MLRO, CISO and/or Data Protection Officer, provided that—
  a. any such Outsourcing complies with this Part IV of this Company Rulebook at all times;
  b. individuals appointed to any of the roles of MLRO, CISO and/or Data Protection Officer agree to individual responsibility to VARA during the licensing process or prior to being appointed;
  c. to the extent that such individual holds roles with more than one [1] VASP, VARA shall take this into consideration when assessing the individual’s ability to perform the duties required of their role and may impose requirements on the individual to maintain separation between such roles, including but not limited to implementing “Chinese Walls”; and
  d. whilst VASPs can Outsource such roles, they are encouraged to resource them in-house and VARA may in its sole discretion require a VASP to resource any of those roles with a full-time employee, either during the licensing process or any time thereafter.
4. Outsourcing - other legal and regulatory obligations.
  a. To the extent applicable, VASPs must comply with the CBUAE Circular No. [14] of 2021 Outsourcing Regulation for Banks.
  b. VASPs must also consider, to the extent applicable to its Outsourcing arrangements—
    i. guiding principles for Outsourcing in financial services issued by the Technical Committee of the International Organisation of Securities Commissions, the Basel Committee on Banking Supervision, or any other international body promulgating standards for Outsourcing by financial services providers; and
    ii. any equivalent principles or regulations applicable to the VASP’s Group in other jurisdictions.
  c. Notwithstanding the above, VASPs must comply with all Rules, Directives and Guidance with respect to Outsourcing as may be specified by VARA from time to time, which shall supersede the other guidance and regulations mentioned in this Rule IV.A.4 of this Company Rulebook.
5. Accountability. VASPs shall be ultimately responsible for compliance with their legal and regulatory obligations and shall be accountable to VARA for any and all Functions that such VASPs may Outsource to a Service Provider to the same extent as if the Function was performed in-house by the VASP.