In order to strengthen governance and risk management standards, the Bank of Ghana has introduced a comprehensive outsourcing directive that applies to banks, specialized deposit-taking institutions (SDIs), financial holding companies, and development finance institutions.
In an effort to improve oversight in an industry increasingly reliant on outsourced functions, the directive mandates full compliance by July 1, 2025.
Should institutions fail to comply, they will face an administrative penalty of 1,000 penalty units, or GH₵12,000.
This directive emphasizes the Bank of Ghana’s dedication to preserving the financial system’s integrity by limiting the outsourcing of key functions.
Restricted roles include high-level decision-making positions, such as those of board and senior management, along with credit decision-making, anti-money laundering, customer verification, as well as critical risk management and cybersecurity roles.
Any function deemed essential to a regulated financial institution (RFI) must be maintained in-house to prevent conflicts of interest and mitigate risks linked to outsourcing sensitive activities.
Recognizing the need for flexibility, the directive allows banks to outsource non-core functions without prior approval, provided they notify the Bank of Ghana 10 days before engaging the service provider.
The directive also requires financial institutions to assess the materiality of functions they intend to outsource, distinguishing between core and non-core activities to maintain central oversight of critical operations.
By June 2, 2025, institutions must submit these assessments to the Bank of Ghana and make necessary adjustments by the deadline or at contract renewal, whichever occurs first.
The directive clarifies that specific partnerships—such as those with payment card networks (e.g., Visa, Mastercard) and clearing and settlement partners—are exempt from outsourcing classification.
Nevertheless, for any outsourcing agreements involving core functions, written approval is compulsory in line with section 60 (12) of Ghana’s Act 930, which governs banks and SDIs.
Additionally, the Bank of Ghana has underscored the importance of data protection, requiring that customer information not be shared with third-party providers without explicit customer consent.
With a focus on strategic, reputational, and operational risks, the new regulations aim to ensure that outsourced arrangements do not jeopardize the stability of RFIs.
4o