BSP amends IT, outsourcing risk management rules

The Monetary Board of the Bangko Sentral ng Pilipinas (BSP) recently released an amended copy of Circular No. 1137 on the outsourcing and IT risk management of banks and non-banks.
The revised circular discusses outsourcing and IT firms that use the supervisory assessment framework (SAFr) and more frequent risk assessments.
Signed by BSP Governor Benjamin E. Diokno, the new set of rules included a more periodic assessment of “exposure to the risk of confidentiality” on a contract-specific and institution-wide level for the management of outsourcing-related risks.
The BSP added that guidelines and requirements for third-party service providers will be allowed when a bank acts as the service provider. A bank may also use its depositors provided that they act as a depository institution.
Diokno also stated that the CAMELS (Capital adequacy, Asset quality, Management, Earnings, Liquidity, and Sensitivity) rating system will still be accepted for those that apply for authority to outsource, provided the rating is at least “3”.
In 2020, the CAMELS and ROCA (Risk management, Operational controls, Compliance and Asset quality) rating systems were replaced by SAFr. BSP also integrated its Money Laundering/Terrorist Financing Risk Assessment System (MRAS) into the SAFr to enhance its ability to track illegal transactions.