Central Bank introduces stringent rules on bank outsourcing



 

  • New directives will officially come into effect on January 1, 2027, completely revoking previous guidelines established in 2012
  • Under new rules, scope of outsourcing is strictly monitored to ensure it does not compromise a bank’s risk management, internal controls or overall reputation
  • Directives place ultimate responsibility for outsourced operations squarely on shoulders of board of directors and senior management
  • A significant portion of new framework focuses on clearly defining core banking functions that are strictly prohibited from being outsourced

The Central Bank of Sri Lanka has introduced a comprehensive set of new regulations governing how licensed commercial and specialised banks manage the outsourcing of their business operations.

Issued on March 25, 2026, Banking Act Directions No. 01 of 2026 are designed to establish a sound and prudent framework for outsourcing, responding directly to the recent developments in digitalised business processes and new banking activities. 

These new directives will officially come into effect on January 1, 2027, completely revoking the previous guidelines established in 2012. 

Under the new rules, the scope of outsourcing is strictly monitored, to ensure it does not compromise a bank’s risk management, internal controls or overall reputation.

A significant portion of the new framework focuses on clearly defining the core banking functions that are strictly prohibited from being outsourced. The licensed banks are legally barred from outsourcing services directly associated with the acceptance of deposits and withdrawals as well as critical internal functions like asset and liability management, compliance and risk management. 

Furthermore, the core decision-making areas, including strategic planning, sanctioning of loans and Customer Due Diligence or Know Your Customer procedures, must remain entirely in-house. 

While the internal audit functions generally cannot be outsourced, the Central Bank has provided limited exemptions for smaller banks or specialised audits, provided the chosen service provider is an approved auditor and is not currently serving as the bank’s external auditor.

The directives place the ultimate responsibility for the outsourced operations squarely on the shoulders of the board of directors and senior management. 

The banks are now mandated to formulate a comprehensive, board-approved outsourcing policy that encompasses rigorous selection criteria, a detailed cost-benefit analysis and an extensive due diligence process for all prospective service providers. 

This policy must also dictate maximum exposure limits to any single provider to mitigate concentration risks. 

Additionally, the banks must ensure that all outsourcing arrangements are conducted on an arm’s-length basis, particularly when related parties or directors hold a substantial interest in the service provider’s business.

Information technology and security operations have received specialised attention within the new regulatory framework. The banks are permitted to outsource IT infrastructure management, application development and disaster recovery support, provided they strictly comply with the existing Central Bank regulations on technology risk and resilience. 

The utilisation of cloud computing is also permitted, but subject to stringent prerequisites. Banks leveraging cloud services must guarantee data sovereignty, recoverability and confidentiality, while ensuring the provider holds accredited security certifications.

To oversee these vast technological and operational shifts, every licensed bank is required to establish a dedicated monitoring unit at its head office, tasked with conducting periodic assessments of service quality, handling customer complaints related to outsourced vendors and ensuring comprehensive annual testing of Business Continuity Plans. (NF)

 

