
of disclosure of confidential information; and the applicable penalties;

j. Segregation of the data of the bank from that of the service provider and its other clients;

k. Disaster recovery/business continuity contingency plans and procedures;

l. Adequate insurance for fidelity and fire liability (applicable to IT outsourcing);

m. Ownership/maintenance of the computer hardware, software (program source code), user and system documentation, master and transaction data files (applicable to IT outsourcing);

3. Secretary's certificate on the minutes of meeting of the board of directors of the bank (or a local/regional management committee, in case of foreign banks), explicitly approving the activity to be outsourced, the determination of whether an outsourcing arrangement is considered material or non-material and the specific service provider with which the bank is entering into an outsourcing contract;

4. Profile of the selected service provider; and

5. A central record of all outsourcing arrangements which shall be periodically updated and shall form part of the corporate governance reviews undertaken by the bank.


FRAMEWORK FOR BANKS

The Monetary Board, in its Resolution No. 1179 dated 19 July 2012, approved the revisions to the outsourcing framework of banks, amending the entirety of Section X162 (2008 - X169) and other relevant provisions of the Manual of Regulations for Banks (MORB).

1. Section X162 of the MORB [(2008 - X169) Duties and Responsibilities of Banks and their Directors/Officers in All Cases of Outsourcing of Banking Functions] is re-titled and amended to reflect a statement of principle which shall read as follows:

Section X162 Statement of Principle on Outsourcing. An institution may outsource banking support and marketing activities subject to the

[blocks in formation]

Subsection X162.4 Managing Outsourcing-Related Risks. No bank may outsource banking activities unless it has in place the appropriate processes, procedures and information system that can adequately identify, monitor and mitigate operational risks that are borne by the bank as a result of its outsourcing activities.

A bank shall determine the materiality of its outsourcing arrangements when establishing guidelines, processes and controls in managing outsourcing risks. An outsourcing arrangement is considered material if the activity, when disrupted, has the potential to significantly impact the bank's business operations, reputation, profitability or regulatory responsibilities. A bank may take into consideration the following factors in determining the materiality of its outsourcing arrangements:

i. Importance of the activity to be outsourced and the potential impact of outsourcing on earnings, solvency, liquidity, funding and capital and risk profile;

ii. Consideration on the bank's reputation and ability to achieve its objectives, strategy and plans, should the service provider fail to perform the services;

iii. Aggregate exposure to a particular service provider in cases where the bank outsources various functions to the same service provider;

iv. Ability to maintain appropriate internal controls and meet regulatory requirements, if there were operational problems faced by the service provider; and

v. Exposure to risk of confidentiality, integrity and availability of customer and bank data.

After due evaluation of bank's risk management processes with respect to outsourcing, the BSP may require the bank to terminate, modify, make alternative arrangements or reintegrate the activity into the bank, as may be necessary, in cases where the risk infrastructure is deemed inadequate for purposes of managing outsourcing-related risks.

6. The new Subsection § X162.5 shall read as follows:

Subsection § X162.5 Authority to Outsource. Only those banks with a CAMELS composite rating of at least "3" and a Management Rating of not lower than "3" shall be allowed to outsource designated activities without prior BSP approval. Otherwise, the bank must secure prior approval from the appropriate supervising department of the BSP whose evaluation will be based on the bank's ability to manage risks attendant to outsourcing.

7. The new Subsection § X162.6 shall read as follows:

[blocks in formation]

Subsection § X162.7 Intra-group Outsourcing. The guidelines and requirements of outsourcing to third-party service providers shall be observed when outsourcing within a business group including its head office, another branch or related company.

When the bank is the service provider, the bank may only render services it performs in the ordinary course of its banking business, provided that: (i) the service is rendered to subsidiaries, affiliates and companies related to it by at least 5% common ownership; or (ii) the service is rendered to its own depositors on account of the bank being a depositary.

The bank, acting as a service provider within its group, shall uphold the following:

a. Confidentiality of deposits and investments in government bonds as defined under Republic Act No. 1405, as amended; and

b. Prohibition on cross-selling except as allowed under applicable regulations.

The new Subsection § X162.8 shall read as follows:

Subsection § X162.8 Offshore Outsourcing. Offshore outsourcing exists when the service provider is located outside the country. Subsection X162.7 of the MORB on Intra-Group Outsourcing likewise applies in cases of offshore outsourcing. In addition, offshore outsourcing of the bank's domestic operations is permitted only when the service provider operates in jurisdictions which uphold confidentiality.

When the service provider is located in other countries, the bank should take into account and closely monitor, on a continuing basis, government policies and other conditions in countries where the service provider is based during the risk assessment process. The bank shall also develop appropriate contingency and exit strategies.

The BSP examiners shall be given access to the service provider and those relating to the outsourced domestic operations of the bank. Such access may be fulfilled by on-site examination through coordination with host authorities, if necessary. The domestic branch of a foreign bank shall be principally liable in cases where the clients are prejudiced due to errors, omissions and frauds of the service provider located offshore.

The BSP may require the bank to terminate, modify, make alternative outsourcing arrangements or reintegrate the outsourced activity into the bank, as may be necessary, if confidentiality of customer information, effective customer redress mechanisms or the ability of the BSP to carry out its supervisory functions cannot be assured.

10. The previous Subsection § X162.4 (2008 - X169.4) of the MORB on Service Providers is renumbered as the new Subsection § X162.9. It shall be amended to read as follows:

Subsection X162.9 Service Providers. The bank shall carry out due diligence in selecting service providers. It must ensure the integrity, technical expertise, operational capability, financial capacity and suitability of the service provider to perform the outsourced activity. In cases where clients are prejudiced due to errors, omissions and frauds by
