Outsourced activities are those for which the taxable establishment entrusts a third party, a natural person who is not a member of its staff or a legal entity other than the said establishment, on a permanent and regular basis, with the provision of services relating to its core or operational activities by subcontracting, assignment or delegation.
Reporting institutions must ensure that any service that plays a substantial part in the decision to enter into a transaction with the institution’s customers is outsourced only to persons approved or authorized to carry out such activities in accordance with the required standards.
Decisions binding the establishment with regard to customers referred to in the previous paragraph are those relating to:
- All banking operations with their related operations.
- Services involved in the performance of these operations.
- Operations for which a failure could undermine the conditions for exercising the authorization granted by the monetary authority, after receiving the assent of the Central African Banking Commission, or compliance with legal and regulatory provisions.
Reporting entities that outsource activities must:
- Ensure that their internal control system includes their outsourced activities,
- Set up control systems for their outsourced activities.
The outsourcing of activities must not have the effect of reducing or limiting the responsibilities of the executive body, internal audit, the entities and individuals in charge of permanent control, risk management and compliance.
Taxable establishments, which outsource a service to their business, must retain full control of the said activity. In particular, they must comply with the following requirements:
- The outsourcing of activities must:
- Give rise to a written contract between the external service provider and the reporting entity.
- Form part of a formal policy for controlling external service providers, defined by the reporting entity.
- In their relations with external service providers, reporting institutions must ensure that the latter:
- Are committed to a level of quality that meets normal service operation and, in the event of an incident, leads to recourse to back-up mechanisms.
- Implement back-up mechanisms in the event of serious difficulties affecting the continuity of the service or that their own continuity plan takes account of the fact that the external service provider is unable to provide the service.
- May not impose a substantial change to the service they provide without the prior agreement of the establishment concerned.
- Comply with the procedures defined by the reporting entity concerning the organization and implementation of the control of the services they provide etc.
- All data of the reporting institution must be available on the territory of the state of its head office in the CEMAC, notwithstanding any other arrangements made by the institution as part of its contingency and business continuity plans. To this end, the following must be kept and be permanently accessible in the territory of the state in which the establishment has its head office in CEMAC:
- The computer servers containing all the establishment’s data.
- All physical files relating to staff, assets, banking and related operations and all other transactions carried out by the reporting institution.
- All procedures, archives and miscellaneous documents.