Part IV – Outsourcing Management
Introduction
Whilst VARA recognises the potential benefit to VASPs of Outsourcing certain business activities to third-party Service Providers, Outsourcing poses a number of challenges from an operational and regulatory perspective. Outsourcing may increase a VASP’s dependency on a third party and potentially reduce its control over proprietary and client-related information and systems. This creates risks for the VASP in respect of business disruption, security of data and, in some cases, may create risks to investors in Virtual Assets and the wider market.
A. Application & Scope
1. Application & scope
a. In scope
Subject to Rules IV.A.1.b and IV.A.1.c, this Part IV shall apply to all Outsourcing arrangements of VASPs.
b. Out of scope
The following shall not be treated as Outsourcing—
i. a Function that is legally required to be performed by a Service Provider [e.g. statutory audit];
ii. market information services [e.g. provision of data];
iii. global network infrastructures; and
iv. the acquisition of services that would otherwise not be undertaken by the VASP [e.g. advice from a lawyer, cleaning and gardening, post-room services, receptionists and switchboard operators], goods [e.g. office supplies, furniture] or utilities [e.g. electricity, gas, water, telephone line].
c. Non-core systems or business
An Outsourcing by a VASP to a Service Provider in relation to non-core systems which do not relate to its core business, or in relation to any service or task where a defect or failure in its performance would not materially impair the continuing compliance by the VASP with its Licence, including all conditions attached to it, shall not fall within the scope of this Part IV of this Company Rulebook.
2. Prohibited Outsourcing. VASPs must not enter into any Outsourcing arrangement that would materially impair—
a. the quality of their internal controls; or
b. the ability of VARA and other competent authorities to exercise their statutory rights or to monitor, supervise or audit the VASP’s compliance with all applicable laws or regulatory requirements.
3. Specified officers. VASPs may enter into Outsourcing arrangements with respect to each of their MLRO, CISO and/or Data Protection Officer, provided that—
a. any such Outsourcing complies with this Part IV of this Company Rulebook at all times;
b. individuals appointed to any of the roles of MLRO, CISO and/or Data Protection Officer agree to individual responsibility to VARA during the licensing process or prior to being appointed;
c. to the extent that such individual holds roles with more than one [1] VASP, VARA shall take this into consideration when assessing the individual’s ability to perform the duties required of their role and may impose requirements on the individual to maintain separation between such roles, including but not limited to implementing “Chinese Walls”; and
d. whilst VASPs can Outsource such roles, they are encouraged to resource them in-house and VARA may in its sole discretion require a VASP to resource any of those roles with a full-time employee, either during the licensing process or any time thereafter.
4. Outsourcing - other legal and regulatory obligations.
a. To the extent applicable, VASPs must comply with the CBUAE Circular No. [14] of 2021 Outsourcing Regulation for Banks.
b. VASPs must also consider, to the extent applicable to their Outsourcing arrangements—
i. guiding principles for Outsourcing in financial services issued by the Technical Committee of the International Organisation of Securities Commissions, the Basel Committee on Banking Supervision, or any other international body promulgating standards for Outsourcing by financial services providers; and
ii. any equivalent principles or regulations applicable to the VASP’s Group in other jurisdictions.
c. Notwithstanding the above, VASPs must comply with all Rules, Directives and Guidance with respect to Outsourcing as may be specified by VARA from time to time, which shall supersede the other guidance and regulations mentioned in this Rule IV.A.4 of this Company Rulebook.
5. Accountability. VASPs shall be ultimately responsible for compliance with their legal and regulatory obligations and shall be accountable to VARA for any and all Functions that such VASPs may Outsource to a Service Provider to the same extent as if the Function was performed in-house by the VASP.
B. Risk Assessment, Due Diligence and Controls
1. Risk based approach. VARA recognises that Outsourcing arrangements exhibit a varying degree of risk and expects VASPs to take this into account in assessing and managing the relevant risks. Measures taken by a VASP must be commensurate with the degree of risk associated with the Outsourcing arrangements. Material Outsourcings shall be subject to additional requirements as set out in this Part IV of this Company Rulebook.
2. Risk assessments.
a. VASPs should have a process to assess the risk in relation to each Outsourcing arrangement they propose to enter into [including the variation or renewal of Outsourcing arrangements] and to identify if any such Outsourcing constitutes a Material Outsourcing. This assessment should be conducted prior to the commencement of an Outsourcing relationship and at least annually for the duration of such relationship.
b. In respect of Outsourcing arrangements, the assessment of risk is dependent on the specific circumstances of each VASP. In assessing risk, factors that should be considered include but are not limited to the following—
i. impact on the financial position, business operation, continuity of services, clients’ best interests, and reputation of the VASP upon the Service Provider’s failure to perform;
ii. impact of the Outsourced activity on the ability of the VASP to comply with legal and regulatory requirements;
iii. the scope, complexity and criticality of the service to be Outsourced;
iv. impact of the Outsourced activity on internal control Functions of the VASP;
v. cost of Outsourcing as a proportion to the total operating costs of the VASP;
vi. the regulatory status of the Service Provider;
vii. risks that are relevant to the geographical location of a Service Provider, including but not limited to those contained in Rule IV.F of this Company Rulebook; and
viii. the degree of difficulty and time required to find an alternative Service Provider or to bring the Outsourced service in-house.
3. Due diligence.
a. Prior to selecting a Service Provider, VASPs must perform detailed due diligence in relation to the Service Provider to ensure that the Service Provider has the ability and capacity to undertake the provision of the Outsourcing effectively, reliably and to a high standard. This should include an assessment of the Service Provider’s quality of services, technical, managerial and human resources capacity, financial soundness, reputation and experience, licensing or regulatory status, extent of reliance on and control of subcontractors, compatibility with the VASP’s corporate culture and business strategies, familiarity with the Virtual Asset industry and capacity to keep pace with innovation in the market. Other considerations that may be relevant include aggregate exposure to a particular Service Provider, costs and possible conflicts of interest.
b. During the conduct of an Outsourcing, VASPs should regularly [and in any event at least annually and as circumstances warrant] review the selected Service Provider to ascertain whether the Service Provider remains competent to provide the Outsourced service to the standards required.
C. Internal Governance – Outsourcing Policy and Register
1. Prior to the Outsourcing of services and on an ongoing basis, VASPs should establish and maintain comprehensive Outsourcing policies, contingency plans and Outsourcing risk management programmes [Outsourcing Policy].
2. Outsourcing Policy.
a. An Outsourcing Policy should include, but not be limited to the following—
i. the framework for a comprehensive assessment of risks involved in Outsourcing and identifying whether a proposed Outsourcing is a Material Outsourcing or not;
ii. procedures for identifying, measuring, managing, mitigating, controlling and reporting the risks of an Outsourcing arrangement and any conflicts of interest;
iii. the objectives of the Outsourcing and criteria for approving an Outsourcing arrangement;
iv. procedures that clearly identify the Staff involved in the VASP and their roles and responsibilities with regard to Outsourcing arrangements;
v. procedures that clearly identify the responsibilities of each party in respect of the Outsourcing and in particular what responsibilities have been retained by the VASP;
vi. procedures to deal effectively with any act or omission by the Service Provider that leads, or might lead, to a breach of any law or regulation, and enact required remediation measures promptly; and
vii. a review mechanism to ensure the Outsourcing policy can be updated as necessary to align with industry and regulatory developments as well as the VASP’s strategic development needs.
b. VASPs must maintain a comprehensive register of all Outsourcing arrangements, including both those of the VASP itself and its Group, which must include the following key information for each Outsourcing arrangement, at a minimum—
i. the name of each Service Provider;
ii. a description of the scope of the Outsourced service;
iii. location where the Outsourced service is being performed;
iv. start and end date of the Outsourcing agreement;
v. key points of contact for the Service Provider;
vi. whether the Outsourcing arrangement is a Material Outsourcing;
vii. whether the Outsourcing involves storage or processing of Personal Data [beyond the exchange of business contact information between the VASP and the Service Provider for administration purposes]; and
viii. whether the Outsourcing arrangement involves any confidential information.
3. Oversight of Outsourcing – monitoring the service.
a. VASPs must manage identified risks associated with the Outsourcing activity and such Service Provider’s compliance with its contractual obligations as well as managing their relationship with the Service Provider, having regard to the risks presented by the Outsourced activity to the ongoing business of the VASP and its regulatory obligations.
b. Monitoring should be assigned to Staff with appropriate expertise and cover the Service Provider’s contractual performance, financial soundness and risk profile, any material issues encountered in the provision of services and any remedial steps and mitigation measures taken in respect thereof. The monitoring and control processes and procedures of VASPs should be subject to regular reviews and audits to evaluate effectiveness and adequacy.
D. Outsourcing Agreements
1. VASPs must ensure all Outsourcing arrangements are undertaken in the form of a legally binding written agreement which clearly sets out the relevant rights, liabilities and obligations of the Service Provider and the VASP. The contents and level of contractual protection required should reflect the risk level of the Outsourcing arrangement. VASPs should regularly review their Outsourcing agreements to assess whether it is necessary to renegotiate provisions to bring the agreements in line with current market standards and changes in the VASP’s business development strategies.
2. The following matters should be taken into consideration by the VASP when negotiating the provisions of any Outsourcing agreement—
a. performance standards to be achieved in respect of the Outsourced service, and consequences for failing to achieve such standards;
b. delineation of intellectual property, proprietary information and asset ownership and rights;
c. business continuity and contingency planning for the Outsourced service;
d. controls and process for changes to the Outsourcing arrangement;
e. guarantees or indemnities from the Service Provider; and
f. mechanism to resolve disputes that might arise under the Outsourcing arrangement.
3. Mandatory provisions for any Outsourcing. The following matters must be included in all legal agreements governing an Outsourcing—
a. a clear description of the Outsourced Function to be provided;
b. contractual assurance that the Service Provider is able to maintain processes and procedures for the continuous operation of the Outsourcing required by the VASP, in line with all applicable laws and regulatory requirements;
c. contractual requirements to maintain an appropriate level of information security, risk management and service delivery commensurate with the profile of the Outsourcing arrangement;
d. contractual requirements to protect confidential information and client data [as further specified in Rule IV.D.5 of this Company Rulebook below];
e. provisions allowing that the data that is owned or controlled by the VASP can be accessed at any time by the VASP or a competent authority and, in particular, in the case of resolution or discontinuation of business operations of the Service Provider or if it is insolvent;
f. notwithstanding Rule IV.E of this Company Rulebook below, conditions to be imposed in relation to sub-Outsourcing;
g. a clear statement of the obligations of the existing Service Provider on termination to securely destroy data relating to the VASP or its clients; and
h. express provisions allowing the VASP to terminate the arrangement, in accordance with applicable laws, including in the following situations—
i. where the Service Provider is in breach of applicable laws, regulations or in material breach of contractual provisions;
ii. where there are material weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and
iii. where instructions are given by a competent authority [including VARA] to terminate the Outsourcing agreement or where such competent authority expresses significant concern regarding the adequacy or prudence of any such Outsourcing agreement.
4. Mandatory provisions for a Material Outsourcing. In addition to the mandatory provisions set out in Rule IV.D.3 of this Company Rulebook above, the following matters must be included in any legal agreement governing a Material Outsourcing—
a. the start date and end date, where applicable, of the agreement and the notice periods for the Service Provider and the VASP;
b. the parties’ financial obligations;
c. the right of the VASP to monitor the Service Provider’s performance on an ongoing basis;
d. the agreed service levels or performance standards, which should include precise performance targets for the Outsourced Function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met, including consequences if service levels or performance standards are not met;
e. the reporting obligations of the Service Provider to the VASP, including—
i. the communication [without undue delay] by the Service Provider of any breach of the VASP’s data [including confidential information]; or
ii. any development that may have a material impact on the Service Provider’s ability to effectively carry out the Material Outsourcing in line with the agreed service levels, in compliance with all applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit Function of the Service Provider;
f. the requirements to implement and test business contingency plans;
g. the obligation of the Service Provider to cooperate with the competent authorities of the VASP, including other Entities appointed by them;
h. the right of the VASP and competent authorities to inspect and audit the Service Provider as further specified in Rule IV.G.2 of this Company Rulebook;
i. termination and exit assistance arrangements to ensure the smooth transfer of the Outsourced service either to another Service Provider or back to the VASP with minimal disruption. To this effect, the Outsourcing agreement should—
i. clearly set out the obligations of the existing Service Provider in providing cooperation, reasonable assistance and transitional services on termination of the Outsourcing agreement, including the return, destruction or transfer of data; and
ii. include a transition period, where necessary, during which the Service Provider, after the termination of the Outsourcing arrangement, continues to provide the service to reduce disruption;
j. the requirement for the Service Provider to hold relevant and adequate insurance; and
k. the location[s] [i.e. regions or countries] where Material Outsourcing will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the VASP if the Service Provider proposes to change the location[s].
5. Client confidentiality and data.
a. VASPs must take appropriate steps to monitor their relationships with Service Providers and ensure that adequate measures are taken to safeguard the confidentiality and integrity of client data.
b. Notwithstanding all other requirements in the Technology and Information Rulebook, VASPs must ensure that Outsourcing arrangements comply with all applicable UAE laws and regulations in respect of managing and processing data [e.g. the PDPL]. This includes requiring the Service Provider to procure, in the event a Service Provider subcontracts part of the service to a sub-contractor, the sub-contractor’s compliance with all applicable laws and regulations. VASPs should ensure Service Providers are not permitted to provide any third party with access to confidential data of the VASP or its clients without obtaining the VASP’s prior written consent.
c. VASPs should take into account any applicable legal, regulatory or contractual obligations to notify clients or any competent authority in the event of an unauthorised data access or breach. In the event of an unauthorised data access or breach, where the VASP is required to notify clients or a competent authority under applicable legal or regulatory obligations, the VASP shall notify VARA within the same legally required time periods.
d. VASPs should ensure that all client data is destroyed or returned to the VASP in the event of any termination of the Outsourcing arrangements, subject to applicable laws and regulatory requirements [e.g. recordkeeping requirements].
E. Sub-Outsourcing
1. Before entering into any Outsourcing arrangements, VASPs must consider the additional risk that may be posed if the Service Provider is allowed to further contract part of the service to third parties.
2. Sub-Outsourcing – all Outsourcing arrangements.
a. Consent should be given to sub-Outsourcing only if the subcontractor undertakes to—
i. comply with all applicable laws, regulatory requirements and contractual obligations; and
ii. provide the same contractual rights of access and audit as those granted to the VASP and where applicable its regulators [including VARA] by the Service Provider.
b. VASPs should ensure that no sub-Outsourcing engaged by the Service Provider will impede the Service Provider’s ability to comply with its contractual obligations to the VASP, including requirements on confidentiality of client data, information access and audit rights, and business continuity planning.
3. Sub-Outsourcing – Material Outsourcing. The following requirements apply to the sub-Outsourcing of all or part of a Material Outsourcing—
i. the Outsourcing agreement should specify whether or not sub-Outsourcing is permitted; and
ii. if sub-Outsourcing is permitted, the written Outsourcing agreement should—
1. specify any types of activities that are not permitted to be sub-Outsourced;
2. specify the conditions to be complied with in the case of sub-Outsourcing;
3. specify that the Service Provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the Service Provider and the VASP are continuously met;
4. include an obligation of the Service Provider to inform the VASP of any planned sub-Outsourcing, or material changes thereof, in particular where that might affect the ability of the Service Provider to meet its responsibilities under the Outsourcing agreement;
5. ensure, where appropriate, that the VASP has the right to object to an intended sub-Outsourcing, or material changes thereof, or that explicit approval is required; and
6. include provisions such that the VASP has the contractual right to terminate the agreement in the case of undue sub-Outsourcing [e.g. where the sub-Outsourcing materially increases the risks for the VASP or where the Service Provider sub-Outsources without notifying the VASP].
F. Cross-Border Outsourcing
1. VASPs must take into account additional considerations in respect of Outsourcing to a Service Provider located outside of the UAE, including but not limited to the following factors in respect of the relevant jurisdiction which may affect the ability of an overseas Service Provider to fulfil the terms of an Outsourcing agreement or the ability of the VASP to monitor and control the Outsourced Function—
a. economic, political or social conditions;
b. differing legal or regulatory systems;
c. sophistication of the technology and infrastructure; and
d. reputational risk.
2. VASPs must take active steps in managing such risks, including conducting additional due diligence on potential Service Providers located outside of the UAE to understand whether they will be able to safeguard confidential information and client data and effectively monitor the overseas Service Provider, as well as execute business continuity plans and exit arrangements. VASPs must ensure, by means of adequate contractual and practical arrangements, that overseas Service Providers implement and maintain robust and appropriate levels of information security and service delivery throughout the duration of the Outsourcing relationship.
3. VASPs must ensure all applicable data protection laws are complied with in cross-border Outsourcing arrangements, including those in respect of international transfers of Personal Data.
4. VASPs should consider the need to notify [and obtain consent from] their clients in respect of cross-border Outsourcing arrangements, including the jurisdiction in which the service is to be performed and any rights of access available to overseas authorities.
5. In circumstances where an overseas authority requests access to the VASP’s information, the VASP should notify VARA and any affected clients as soon as possible, subject to the VASP’s compliance with applicable laws.
6. VASPs must notify VARA prior to undertaking any cross-border Outsourcing and must ensure that the Outsourcing arrangement would not impede VARA’s ability to exercise its statutory rights and responsibilities, such as the rights of access and audit to information of the VASP.
G. Audit Rights
1. Audit rights – all Outsourcing arrangements. VASPs should ensure within the written Outsourcing arrangement that they are able to review the Outsourced Function. The written Outsourcing arrangements should refer to the information gathering and investigatory powers of competent authorities under applicable laws, and VASPs should also preserve those rights with regard to Service Providers located in third countries.
2. Audit rights – Material Outsourcing. VASPs should ensure within the written Outsourcing agreement in relation to a Material Outsourcing that they and their competent authorities [including VARA], and any other Entity appointed by them or the competent authorities, are granted the following—
i. full access to all relevant business premises [e.g. head offices and operation centres], including the full range of relevant devices, systems, networks, information and data used for providing the service, including related financial information, personnel and the Service Provider’s external auditors; and
ii. unrestricted rights of inspection and auditing related to the Outsourcing arrangement, to enable them to monitor the Outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements.
3. Pooled audits.
a. Without prejudice to their ultimate responsibility regarding Outsourcing arrangements, VASPs may use—
i. pooled audits organised jointly with other clients of the same Service Provider and performed by them and these clients, or by a third party appointed by them, to use audit resources more efficiently; and
ii. third party certifications and third party or internal audit reports made available by the Service Provider, provided that VASPs ensure that the scope of the certification or audit report covers the systems, key controls and compliance with relevant regulatory requirements, assess the content of the certifications or audit reports on an ongoing basis, and verify that the reports or certifications are valid, adequate and current.
b. VASPs should assess whether third-party certifications and reports as referred to in Rule IV.G.3 of this Company Rulebook are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. VASPs should also retain the contractual right to perform individual audits at their discretion with regard to the Material Outsourcing.
H. Regulatory Notifications
1. Notwithstanding all other notification requirements set out herein, VASPs must immediately notify VARA when they become aware of a material breach of the terms of a Material Outsourcing agreement they have with any Service Provider, or other material development in respect of a Material Outsourcing arrangement that has, or is likely to have, a significant impact on the operations, financial condition or reputation of the VASP.
2. VASPs are required to notify VARA immediately of any issues that may have arisen that would materially affect their compliance with their legal and regulatory obligations.
3. When a VASP intends to enter into any new Material Outsourcing arrangement or materially vary an existing Material Outsourcing arrangement, the VASP should notify VARA in advance providing relevant details of any such arrangement or amendment. In their notifications, VASPs should seek to satisfy VARA that all requirements of this Part IV of this Company Rulebook have been taken into account and properly addressed in its Material Outsourcing arrangements.
4. VARA may object to any Material Outsourcing and/or raise areas of concern, which the VASP must remedy to VARA’s satisfaction prior to entering into any new Material Outsourcing arrangement or materially varying an existing Material Outsourcing arrangement.