Outsourcing and Technology Providers for Digital Banks in Iraq
Outsourcing in a Digital Bank: The Liability That Stays With the Bank
A digital bank is structurally dependent on external vendors in a way that no traditional bank is. Its core banking system is operated by a software vendor. Its online platform may be built by a third-party development firm. Its cybersecurity defences are managed by a specialized security provider. Its KYC and identity verification capabilities are supplied by a fintech data company. This dependency is inherent to the digital bank model and it creates a legal liability structure that founders and boards consistently underestimate.
The governing principle is straightforward and non-negotiable: the bank remains fully responsible to the CBI and to its customers for the performance of every function it has outsourced, regardless of what any commercial vendor contract says. A service level agreement, however comprehensive, does not transfer regulatory liability from the bank to the vendor. If a vendor failure causes the bank to breach a licensing condition, the bank, not the vendor, faces the regulatory consequences.
1. CBI’s Regulatory Framework for Outsourcing
The CBI’s framework imposes the following specific requirements on outsourcing by digital banks:
- The bank must retain full control over decision-making in all core functions, even where operational execution has been delegated to an external provider
- Functions that directly affect the CBI’s ability to supervise the bank may not be outsourced in a manner that impedes the CBI’s access to information or its ability to conduct examinations
- The CBI has the right to conduct on-site inspections of vendor facilities and to request access to vendor records where this is necessary for its supervisory functions; vendor contracts must include provisions explicitly recognizing this right
- All vendor service level agreements must satisfy the technical and operational standards prescribed by the CBI; a vendor arrangement that produces availability or security levels below the CBI’s minimum standards places the bank in breach of its licensing conditions
2. Vendor Risk Classification
| Vendor Category | Examples | Required Oversight Level |
|---|---|---|
| Critical vendors | Core banking system provider, online banking platform provider | Detailed SLA with financial penalties, CBI audit right, BCP integration, executable transition plan, 24-hour breach notification |
| Security vendors | Cybersecurity providers, SIEM operators, AML monitoring systems | Strict data processing agreement, immediate breach notification, security certifications required |
| Supporting vendors | Digital KYC providers, identity verification services | Periodic compliance review, AML compliance confirmation, data security standards verification |
| General vendors | Telecommunications providers, office software | Standard commercial terms, data processing agreement if customer data is accessed |
3. Mandatory Contractual Provisions for Critical Vendors
3.1 Service Level Agreements
Every SLA with a critical vendor must specify: system availability guarantees consistent with CBI minimum requirements (99.5% for core banking systems, 98% for online platforms), incident severity classifications with defined maximum response and resolution times for each severity level, scheduled maintenance windows agreed in advance and notified to the bank with sufficient lead time, financial penalties that are meaningful and proportionate for availability or performance breaches, and mechanisms for the bank to escalate unresolved incidents to senior management at the vendor.
3.2 Audit and Inspection Rights
Every critical vendor contract must include explicit provisions recognizing: the bank’s right to conduct or commission audits of the vendor’s facilities, systems, and records relevant to the services provided; the CBI’s right, by extension of its supervisory authority over the bank, to conduct inspections of vendor facilities; and the vendor’s obligation to cooperate fully with any such audit or inspection. A vendor that refuses to grant audit rights to the bank is not an appropriate vendor for a critical function in a regulated environment.
3.3 Data Protection and Security
For any vendor that processes customer personal data, a Data Processing Agreement (DPA) is mandatory. The DPA must specify: the precise categories of data processed, the permitted purposes of processing, the technical and organizational security measures in place, the vendor’s obligation to notify the bank within 24 hours of discovering any security incident affecting bank data, the prohibition on sharing bank data with any other party without the bank’s prior written consent, and the obligations for data return or deletion upon termination of the arrangement.
3.4 Business Continuity and Transition
Critical vendor contracts must include: a business continuity and disaster recovery plan specific to the services provided, which is consistent with and integrated into the bank’s own BCP/DRP; a transition plan specifying how services will be migrated to an alternative provider or brought in-house upon termination; and a minimum transition period of not less than six months on termination without cause, giving the bank adequate time to migrate without service disruption.
4. Concentration Risk: The Single-Vendor Problem
Complete reliance on a single vendor for any critical function creates concentration risk. Where the bank has only one vendor capable of providing a critical system or service, a failure by that vendor, whether technical, commercial, or financial, can cause a service disruption with no available alternative. The bank must:
- Maintain a documented assessment of concentration risk across its vendor portfolio
- Develop and maintain a practical exit strategy for every critical vendor: a plan that can realistically be executed within the transition period specified in the contract without material service disruption
- Report material concentration risks to the board of directors as part of the bank’s regular risk reporting cycle
- Consider diversification strategies for the highest-criticality functions where a single-vendor failure would cause the bank to breach its licensing conditions