The Bank of Ghana has issued an extensive outsourcing directive to tighten governance and risk management among banks, specialised deposit-taking institutions (SDIs), financial holding companies, and development finance institutions.

The directive, aimed at enhancing oversight in a sector increasingly reliant on outsourced functions, requires compliance by July 1, 2025.

Failure to comply will incur an administrative penalty of 1,000 penalty units or GH₵12,000.

The directive underscores the Bank of Ghana’s commitment to preserving the integrity of the country’s financial system by prohibiting the outsourcing of strategic functions.

Among these are high-level decision-making roles, including the board and senior management functions, credit decisions, anti-money laundering and customer identification responsibilities, as well as critical risk management and cybersecurity roles.

Functions considered essential to a regulated financial institution (RFI) must be retained in-house to avoid conflicts of interest and potential risks associated with losing control over sensitive operations.

The central bank’s directive allows some flexibility, stating that outsourcing arrangements involving non-core functions that do not require prior approval under other provisions of Ghana’s banking laws can proceed without the Bank of Ghana’s approval, provided the bank notifies the central bank 10 days before engaging the service provider.

Financial institutions are directed to conduct materiality assessments of functions they plan to outsource to determine if they are core or non-core, a requirement due to the need for central oversight of critical functions.

Institutions are expected to submit these assessments to the Bank of Ghana by June 2, 2025, and complete any necessary adjustments before the deadline or at contract renewal, whichever is earlier.

The directive also clarifies that certain collaborations—such as arrangements with payment card networks like Visa and Mastercard, and clearing and settlement partnerships—do not fall under outsourcing regulations.

However, for all outsourcing agreements involving core functions, prior written approval is mandatory as per section 60 (12) of Ghana’s Act 930, which governs banks and SDIs.

The Bank of Ghana has also emphasised data protection, mandating that customer information cannot be disclosed to third-party service providers without prior customer consent.

By addressing strategic, reputational, and operational risks, the new regulations aim to prevent outsourced arrangements from undermining RFIs’ stability.

The central bank has directed institutions to begin reviewing existing contracts in preparation for the July 2025 deadline to meet compliance standards.