Perspectives And Challenges In The Outsourcing Of Services In The Financial Sector

17 Sep 2024 FinTech

Abstract: We analyze the outsourcing regime that applies to financial entities regulated by the Central Bank of Uruguay, to outsource the provision of certain services to suppliers, considering the adhesion contracts and the need to contemplate the requirements of the regulator to obtain the authorization of such contracts, providing a detail of the current regime with the recently approved modifications.

I. INTRODUCTION. CURRENT PANORAMA

For this presentation we have chosen the issue related to outsourcing in the financial sector, especially in relation to the current regulatory framework that we have at the level of the Central Bank of Uruguay ("CBU") on these issues, in reference to the contracting of services, and what challenges may arise in relation to financial institutions with the regulator. We will not delve into specific or particular regulatory aspects, but rather we will refer to the general parameters that are currently set out at the regulatory level, which, as seen in the daily advice to clients, are not always adjusted to the current reality in terms of contracting services specifically.

As we see daily, companies in the financial sector and all those regulated and in the orbit of the CBU, require the contracting of certain services for their operation, associated, for example, with software-based tools. These services are primarily linked to data processing and information security.
A study of the current regulatory framework of outsourcing in the financial sector is proposed, with emphasis on the contracting of services and the challenges that this entails for financial institutions in their relationship with the regulator.

Currently, the regulatory framework establishes regulatory parameters that are not always adjusted to the current reality in terms of service contracting. The latter is marked by adhesion contracts with multinational companies, many of them conceived for another legal and cultural reality. This context entails a new regulatory adequacy challenge for the financial regulator and, consequently, for regulated entities. Let us remember that the outsourcing of services in the field of the financial system is regulated at the legal level, precisely by the new Banking Act No. 17,613, section 2, and regulated by the CBU.

A first point to address is related to the type of contracts that are signed in the field of outsourcing in the financial sector, especially those related to data and software processing, as well as for the safeguarding and security of information in general. Adhesion contracts are typical, which have their legal regulation in Uruguay, although limited since prerogatives are only established in the field of consumer law, but not in this type of case, such as that of the entities controlled by the CBU. As we know, this type of contract is characterized by containing, by default to its granting, the terms and conditions of the service to be provided, where appropriate, in the field of mass contracting in which this type of service provider companies operate.

The next thing we must take into account is what is related to the type of regulation that currently exists at the CBU level. In the first place, the regulations give different treatment to outsourcing provided from the country or from abroad, requiring some additional requirements for the latter case. An example of this is the outsourcing risk report, as well as an assessment of the financial and technical solvency of the contracted third parties. Here we already have a point on which situations of different kinds may arise, depending on the provider. Although it is a requirement for transparency in contracting and before the regulator, accurate information on this type of aspect is practically impossible to obtain when it comes to multinational companies, beyond the fact that due to their reputation it is public knowledge that their solvency is of significant magnitude. Although formally it is an "understandable and reasonable" requirement, formally it is very complex to comply with it in a substantial way, with the institutions requesting the authorization limiting themselves to referring to the fact that this financial and technical capacity is acceptable or adequate.
As for the Contracts themselves, a series of requirements are established by the Superintendence of Financial Services ("SFS") that they must contain in order to be authorized, including the basic ones contained in any type of Contract, to which are added some specific ones such as the assumption of responsibility by the institution for the services provided by the provider, as well as commitments regarding confidentiality and personal data.
In this sense, we have seen some progress in recent times with the entry into force of Circulars 2419, 2420, 2421 and 2422 of December 30, 2022. Let's go over these aspects below.

II. REGULATORY ADVANCES. CBU CIRCULARS 2419, 2420, 2421 AND 2422.

One of the most notorious problems in this type of contracting is the control that the regulator must or should exercise during the execution of these Contracts, and it is for this reason that the regulations provided from the beginning some prerogatives in favor of the SFS that empower it to exercise this control. One of them is the right to carry out periodic audits or evaluations without any restriction by the SFS when it deems it appropriate, and the Contract must provide for unrestricted access to the data and all documentation and technical information related to the services provided, as well as the express provision of instructions for termination of the Contract by the SFS.

In this regard, these Circulars, which introduced changes to the CBU's compilations of rules on the regulation and control of the financial system, the securities market, the control of provisional funds and insurance and reinsurance, allow the SFS to provide that, in relation to certain services, express authorisation is not required for supervised entities to proceed with their contracting, even if the supplier is based abroad or if the services are provided totally or partially in or from abroad. These services are: email, instant messaging, office automation tools, file storage and safeguarding, electronic signature, collaborative tools and document management, and data processing services that do not include customers' personal data or have been dissociated.

To be included in this hypothesis and not require the express authorization of the SFS, the Contract must:

a) comply with the minimum requirements set for the provision of services by third parties based in the country, making the requirement to which we referred on the power of the SFS to audit or carry out periodic evaluations and that of unrestricted access to all data and documentation and information related to outsourced services, always if the Contract does not provide for it. If necessary, at least exclusive and unrestricted reading access to the externally processed data will be required, usable at all times from the offices of the institution, by the SFS. Likewise, one of the copies of the receipt must be physically located in Uruguay and remain accessible to SFS officials, and formal and duly documented evidence must also be carried out of the operation of said access and the integrity of the reservation located in the country. A similar solution is adopted in the event that the Contract does not provide for the termination instruction by the SFS. As a substitution mechanism, the regulated entity must accept the responsibility that may eventually arise in the event that the SFS instructs the cessation.

b) include a contractual agreement regarding the level of services of at least 99.9% availability of services, and provide for penalties for non-compliance.

c) The service must be ISO 27001 certified, and alternatively ISO 27017 certified or have applied for CSA STAR Level 1.

On the other hand, these regulations introduced some minimum requirements to the outsourcing contracts for services provided in the country, which are tacitly authorized as long as they comply with these requirements.

It is also useful to detail the minimum requirements that service outsourcing contracts must contain.

With respect to Contracts that outsource the provision of the data processing service, the requirement is established to provide in these Contracts that the provider assumes the obligation, at the end of the contractual term, to:

(i) transfer or offer tools that allow the transfer of the data to whomever the supervised institution disposes; and (ii) delete them, once the availability and integrity of the data at the destination has been confirmed.
In addition to the above, the aforementioned circulars introduced in an alternative way the possibility that the provider does not directly assume the transfer of the data at the end of the Contract, limiting itself to offering tools that enable the aforementioned transfer.

For our part, we emphasize that the maintenance of the requirement provided for in the draft regulation referring to the provider being obliged to delete the data received at the end of the contractual relationship, may imply that it is impossible to adhere to the tacit authorization regime studied above, with the flexibilizations that were analyzed, specifically when the provider is legally or regulatorily obliged to keep such data for a certain period.

As projected by the CBU authorities through the presentation of the draft standard, the Circulars establish that the obligation to provide unrestricted access to data and to all documentation and technical information related to outsourced services, must be complied with respect to the person in charge of carrying out the periodic audits and/or evaluations carried out by the CBU through the SFS or the supervised entity, with what is already provided for in the regulations in force, and also with respect to the person responsible for the intervention, resolution or liquidation process, if applicable.
Likewise, and in line with the projections, the Circulars provide that the Contracts must provide for the obligation of the service provider to inform the supervised entity about any type of event that significantly jeopardizes the provision of the outsourced service in question.
It also establishes the need to include in these Contracts the obligation of the provider to continue providing the service, even when the supervised entity faces an intervention, resolution or liquidation process. In this sense, the rules add that such obligation will be enforceable as long as the supervised institution continues to exercise its main obligations under the contract, essentially including the obligation to pay.


However, we must emphasize that the incorporation of the requirement detailed above could imply that it is impossible to benefit from the tacit authorization that we have studied, including the flexibility of the outsourcing regime, especially when agreeing this type of clause is valid under the Law that governs the respective Contract.
In addition, the Circulars establish that all the requirements mentioned above must also be included in the Contracts that may be entered into with subcontracted third parties, provided that the main Contract so authorizes.

III. AMENDMENT INTRODUCED BY COMMUNICATION N°2024/103


The essential modification provided for in the new Communication is that the prerogatives established by Communication No. 2022/254 applicable to the Contract between the supervised entity and the contracted supplier, will be extended to the companies subcontracted by the provider that provides the services to the regulated entity, considering the same alternative solutions for the case in which the Contract between the supplier and the subcontracted company does not contain the minimum requirements that we analyze.

As stated, these original requirements are, among others, unrestricted access to data and to all documentation and technical information related to the services provided and/or the right to carry out periodic audits or evaluations by the SFS and the contracting institution, either directly or through independent audits.

In view of this, contracts with subcontracted companies that do not contemplate these clauses will be tacitly authorized when the institution has exclusive and unrestricted read-only access (technical or administrative) to the externally processed data, usable at all times from the institution's offices by SFS officials.

This extension is also applicable to the case in which the Contract between the supplier and the subcontracted company does not provide as a termination clause the termination instruction for the provision of services through the outsourced company by the SFS, accepting as an alternative that the controlled institution accepts the liability that may eventually arise in the event that said Superintendence instructs the termination of the outsourcing and subcontracting.

IV. FINAL REMARKS

By way of conclusion, we can affirm that this new regulation brings with it on the one hand a certain flexibility by expanding the scope of application of the regime of tacit authorizations to the extent that outsourcing provided from abroad is included, provided that the detailed prerogatives are complied with, and on the other hand new requirements are added for the authorization of outsourcing provided in the country. Notwithstanding this, our assessment of this new regulation is favorable insofar as the difficulties we referred to at the beginning of this work arise mainly in the outsourcing of services provided from abroad, by virtue of the current predominance of adhesion contracts in this type of activity.
In order to facilitate access to this type of services by regulated entities, it is expected that over time the requirements will be adapted to the current realities in terms of contracting services, mainly linked to those of a technological nature.