The Bank of Ghana (BoG) has introduced a stringent outsourcing directive aimed at improving governance frameworks and risk management controls within the country’s banking and financial sector.
The directive applies to regulated financial institutions (RFIs), including banks and specialized deposit-taking institutions (SDIs), with full compliance required by July 1, 2025. Non-compliance will attract penalties of 1,000 penalty units (GH₵12,000) and may lead to further sanctions.
With many financial institutions increasingly relying on outsourced services to reduce operational costs and enhance efficiency, the BoG’s directive seeks to ensure that this reliance does not undermine the integrity of core functions. This includes critical areas such as data management, information security, risk assessment, and customer service operations.
The directive emphasizes the need for robust governance structures to oversee outsourced activities. Financial institutions are expected to maintain effective oversight of all outsourced functions, ensuring compliance with legal, regulatory, and risk management requirements.
As one of BoG’s most comprehensive moves on operational governance, the directive seeks to mitigate strategic, operational, and reputational risks associated with outsourcing. As part of the directive, RFIs must maintain internal oversight of core operations, and by mid-2025 or upon renewal, whichever is earlier, all existing contracts must be reviewed for compliance. RFIs must also submit a “materiality assessment” framework by June 2, 2025, clarifying the differences between core and non-core functions.
BoG’s intent is to retain strong internal controls over critical and decision-making roles by exempting routine partnerships such as those with payment card schemes and clearing and settlement systems. Banks and SDIs must conduct thorough risk assessments before engaging in outsourcing agreements, evaluating the potential impact on their operations and developing appropriate control measures.
In addition, the directive stipulates that sensitive customer information cannot be shared with third parties without the individual’s explicit consent.
Institutions must establish internal mechanisms to monitor and report on the performance and risks associated with their outsourced services, including adherence to service-level agreements (SLAs). For any new or renewed outsourcing agreements involving core functions, BoG’s prior written consent is required under Section 60 (12) of Act 930.
Failure to comply with the directive will attract administrative fines of GH₵12,000 (1,000 penalty units), with the possibility of additional sanctions, underscoring the seriousness of BoG’s commitment to strengthening sector resilience and governance.
The BoG’s outsourcing directive aims to balance the cost-efficiency benefits of outsourcing with the need to maintain robust controls and oversight over critical banking functions.
This move, some experts have said, reflects the central bank’s focus on building a resilient and well-governed financial sector in Ghana, capable of meeting rising operational demands without compromising service integrity or exposing institutions to undue risk.
