Central Bank introduces stringent rules on bank outsourcing

Central Bank introduces stringent rules on bank outsourcing as part of a sweeping regulatory overhaul aimed at strengthening risk governance. The move reflects growing concerns over operational control, digital risk exposure, and accountability in Sri Lanka’s banking sector.

Central Bank introduces stringent rules on bank outsourcing to strengthen risk control and governance

Central Bank introduces stringent rules on bank outsourcing in a decisive regulatory shift that redefines how licensed commercial and specialised banks manage external service providers. The new framework reflects a broader effort to align banking operations with evolving digital ecosystems while maintaining strict control over systemic risks.

Issued on March 25, 2026, the Banking Act Directions No. 01 of 2026 will come into effect on January 1, 2027, formally replacing the guidelines established in 2012. This timeline provides banks with a transition window to restructure their outsourcing frameworks, ensuring compliance without disrupting ongoing operations. The updated directives are a response to rapid advancements in digital banking, cloud infrastructure, and third-party service dependencies, which have significantly increased operational complexity.

At the core of the new regulations is a clear objective: outsourcing must not undermine a bank’s risk management, internal controls, or institutional reputation. The directions therefore introduce a risk-based approach to outsourcing, under which each arrangement must be evaluated not only on cost efficiency but on its potential impact on systemic stability and governance integrity.

One of the most significant components of the framework is the strict definition of core banking functions that cannot be outsourced under any circumstances. These include the acceptance of deposits and withdrawals, asset and liability management, compliance oversight, and risk management functions. By prohibiting outsourcing in these areas, the Central Bank is reinforcing the principle that critical financial decision-making must remain within the direct control of the institution.

This approach aligns with global regulatory standards, where regulators emphasize the importance of retaining control over core functions to prevent fragmentation of accountability. In practice, this ensures that banks cannot delegate responsibilities that are fundamental to financial stability and customer trust.

Additionally, strategic decision-making processes—including loan approvals, strategic planning, and Customer Due Diligence (CDD) or Know Your Customer (KYC) procedures—must remain entirely in-house. This ensures that sensitive financial judgments are not influenced by external entities that may not be subject to the same regulatory scrutiny.

However, the framework does allow limited flexibility. Internal audit functions, which generally may not be outsourced, may be partially outsourced in smaller banks or for specialised audit requirements. This exception is conditional on the service provider being an approved auditor who does not simultaneously serve as the bank’s external auditor. This safeguard helps maintain auditor independence, a critical factor in preventing conflicts of interest.

Central to the new directives is the principle of accountability. The responsibility for outsourced operations now rests squarely on the board of directors and senior management. This shift reinforces governance expectations by ensuring that outsourcing does not become a mechanism for diffusing responsibility. Instead, decision-makers remain fully accountable for the risks associated with third-party arrangements.

To operationalize this, banks are required to develop a comprehensive, board-approved outsourcing policy. This policy must include detailed criteria for selecting service providers, along with a structured cost-benefit analysis and due diligence procedures. It also mandates the establishment of exposure limits to prevent over-reliance on a single provider, thereby mitigating concentration risk—a critical vulnerability in outsourcing ecosystems.

Another important aspect is the requirement for arm’s-length transactions, particularly in cases where related parties or directors have a financial interest in the service provider. This provision is designed to prevent conflicts of interest and ensure that outsourcing decisions are made based on merit rather than personal or institutional relationships.

Information technology and digital infrastructure receive significant attention under the new framework. Banks are permitted to outsource IT-related functions, including infrastructure management, application development, and disaster recovery. However, these activities must comply with existing Central Bank regulations on technology risk and resilience.

The explicit inclusion of cloud computing within the permitted IT outsourcing activities reflects the growing reliance on scalable digital solutions in modern banking. However, the use of cloud services brings strict requirements around data sovereignty, confidentiality, and recoverability. Banks must ensure that their cloud providers adhere to accredited security standards, thereby reducing the risk of data breaches or unauthorized access.

From a risk management perspective, these provisions are critical. Outsourcing IT functions can enhance efficiency and reduce operational costs, but it also introduces third-party risk, which can have cascading effects if not properly managed. The Central Bank’s directives aim to balance these trade-offs by enabling technological innovation while maintaining strict oversight.

To further strengthen governance, each licensed bank is required to establish a dedicated monitoring unit at its head office. This unit will be responsible for evaluating service quality, managing customer complaints related to outsourced vendors, and conducting annual testing of Business Continuity Plans (BCPs). This ensures that banks maintain operational resilience even in the event of disruptions affecting external service providers.

The introduction of these stringent rules also reflects a broader shift in regulatory philosophy—from reactive supervision to proactive risk management. By setting clear boundaries and accountability structures, the Central Bank is encouraging banks to adopt a more disciplined and transparent approach to outsourcing.

The Central Bank’s new outsourcing rules arrive at a time when financial institutions are increasingly dependent on external vendors for critical services. This dependency, while beneficial in terms of scalability and innovation, also introduces systemic risks that require robust regulatory oversight.

In conclusion, the new framework represents a comprehensive effort to modernize banking governance while safeguarding financial stability. By clearly defining responsibilities, restricting core functions, and enhancing oversight mechanisms, the Central Bank aims to create a more resilient and accountable banking environment. As banks prepare for the 2027 implementation deadline, the focus will now shift toward execution, compliance, and the ability to adapt to a more structured regulatory landscape.