Use case #0002

LSP contract compliance: what AI monitors in every vendor agreement

An LSP agreement that does not contain the clauses the CBUAE / SAMA's outsourcing guidelines require is not a compliant agreement — regardless of how comprehensive it is in other respects. The LSP Governance AI reads every vendor agreement against the CBUAE / SAMA's required clause checklist at the time of contracting, monitors the agreement's continuing validity as contract terms expire or change, and alerts the legal and compliance team when a clause requires updating — before a regulatory inspection, not during one.

What the CBUAE / SAMA's outsourcing guidelines require in every LSP agreement

The CBUAE / SAMA's outsourcing guidelines specify that LSP agreements must contain a defined minimum set of clauses covering: the scope of activities permitted (preventing the LSP from sub-contracting prohibited functions without approval), the institution's right to audit the LSP's operations, the LSP's obligation to maintain confidentiality of borrower data, the LSP's compliance with applicable laws and regulations including consumer protection conduct standards, provisions for termination and orderly transition of activities on contract end, and the institution's regulatory obligation to report material LSP failures to the CBUAE / SAMA.

These are not optional — an agreement that lacks any of these clauses creates a regulatory exposure that a CBUAE / SAMA inspector will identify when reviewing the institution's outsourcing register and asking to see the underlying contracts. The LSP Governance AI checks every agreement against this clause checklist at the time of onboarding, maintains a compliance status for each contract, and alerts when any clause is absent, ambiguous, or has become outdated due to regulatory changes.

"An LSP agreement that is compliant when signed may become non-compliant when a new regulation comes into force. The LSP Governance AI tracks both — the original clause checklist and the ongoing regulatory updates."

The required clause checklist: present, partial, or missing

Scope of permitted activities
Present and adequate

Agreement defines permitted functions and prohibits sub-contracting without prior written approval

Schedule 1 of the Credence Collections agreement specifies: collection calls on DPD 1–90 accounts, field visits on DPD 31–90 accounts, PTP capture and reporting. Sub-contracting is prohibited without written approval. The scope is clear and specific — no ambiguity about what the LSP is and is not permitted to do.

→ Status: Compliant · No action required

Right to audit
Present and adequate

Institution has explicit right to audit LSP's operations, systems, and records with 7 days' notice

Clause 14 grants the institution, its internal auditors, statutory auditors, and the CBUAE / SAMA (or any other regulator designated by the CBUAE / SAMA) the right to inspect the LSP's premises, records, and systems with 7 days' notice. The clause correctly includes the CBUAE / SAMA as a permitted inspector — many older agreements do not include this.

→ Status: Compliant · Includes CBUAE / SAMA inspection right · No action required

Data confidentiality / PDPL
Present but needs updating for UAE PDPL / local data protection law

Confidentiality clause exists but pre-dates the UAE PDPL / local data protection law — does not include data minimisation, purpose limitation, or retention obligations

Clause 11 contains a general confidentiality obligation covering borrower data. However, the agreement was signed in January 2022 — before the UAE PDPL / local data protection law 2023. It does not include the specific obligations the UAE PDPL / local data protection law now requires: data minimisation, purpose limitation, defined retention period, and sub-processor disclosure. Amendment required before January 31, 2026 (UAE PDPL / local data protection law implementation deadline).

→ Action required: PDPL amendment by Jan 31, 2026 · Drafted by LSP Governance AI · Legal sign-off required

Consumer protection conduct compliance
Present and adequate

LSP obligated to comply with CBUAE / SAMA consumer protection standards in all borrower interactions

Clause 9 requires the LSP and all its agents to comply with CBUAE / SAMA consumer protection standards as applicable to collections: permitted calling hours (8 AM to 7 PM), prohibition on contacting family or employer without consent, prohibition on abusive language, and identification at the start of every call. Breach is an event of default entitling the institution to terminate with 7 days' notice.

→ Status: Compliant · Breach is event of default · No action required

Termination and transition
Absent — critical gap

Agreement does not contain an orderly transition clause — required by CBUAE / SAMA outsourcing guidelines

The CBUAE / SAMA's outsourcing guidelines require that every LSP agreement contain provisions for the orderly transfer of activities back to the institution or to a replacement LSP on termination — including data return, system access revocation, and agent re-assignment. The current agreement (signed February 2020) predates the strengthened outsourcing guidelines. The termination clause covers only the termination of the commercial relationship, not the operational transition.

→ Critical gap: Termination and transition clause must be added · LSP Governance AI has drafted a compliant clause · Add at next contract renewal (Feb 2025) or by side letter before then

Material failure reporting
Present and adequate

Institution's obligation to report material LSP failures to CBUAE / SAMA acknowledged in agreement

Clause 20 acknowledges that the institution is required under CBUAE / SAMA guidelines to report material failures by any LSP to the CBUAE / SAMA and confirms the LSP's obligation to cooperate with any such reporting process. This clause protects the institution's right to disclose LSP failures to the regulator without the LSP being able to claim breach of confidentiality.

→ Status: Compliant · Regulatory reporting carve-out in place · No action required

Business continuity
Present but insufficient — BCP not tested in last 12 months

BCP clause exists but LSP has not submitted the required annual BCP test report

Clause 16 requires the LSP to maintain a Business Continuity Plan and to test it annually, with a test report provided to the institution within 30 days of the test. The clause is present. However, the LSP has not submitted the FY2024–25 BCP test report — it was due by September 2025 and is now overdue by 6 weeks. The LSP Governance AI has flagged this and sent a reminder to the LSP. If not received within 14 days, the default clause will be triggered.

→ Action: BCP test report overdue · Reminder sent · Default notice if not received by Nov 28

Contract compliance summary: all LSPs, all clauses, this quarter

| LSP Name | Function | Contract Date | Critical Gaps | PDPL Status | BCP Current | Overall |
|---|---|---|---|---|---|---|
| Credence Collections Pvt Ltd | Collections — field and call | Feb 2020 | Transition clause missing | Amendment needed | Report overdue | Action needed |
| FinanceConnect referral partner / agent Network | referral partner / agent — home and SME loans | Mar 2024 | None | Compliant | Current | Compliant |
| TechServ Analytics Pvt Ltd | Credit score model vendor | Jan 2023 | None | Amendment needed | Current | PDPL amendment |
| Aarya Recovery Solutions | Collection — hard bucket legal | Nov 2019 | Transition + audit right missing | Non-compliant | Test overdue | Renewal required |
| KYC / CDD Digital Solutions | V-KYC / CDD and digital onboarding | Sep 2024 | None | Compliant | Current | Compliant |

7: Required clauses checked per contract — scope, audit right, data confidentiality, consumer protection standards, termination, reporting, BCP
1: Critical gap — Aarya Recovery Solutions (Nov 2019 contract) missing both transition clause and audit right
3: Contracts requiring UAE PDPL / local data protection law amendment — all signed before the 2023 Act · Amendment deadline Jan 31, 2026
Drafted: Missing clauses drafted by LSP Governance AI for legal review — institution does not start from scratch

The contract that was compliant when signed may not be compliant today

A 2019 LSP agreement that satisfied the outsourcing guidelines in 2019 does not satisfy them in 2025. The strengthened outsourcing guidelines of 2021–22, the UAE PDPL / local data protection law of 2023, and successive consumer protection circulars have added requirements that older agreements did not anticipate. An institution that filed its 2019 contracts and never reviewed them again is holding compliance documentation for non-compliant agreements. The LSP Governance AI monitors every contract against the current regulatory requirement, not the requirement as it was when the contract was signed — and drafts the required amendments so the legal team's job is review and sign-off, not drafting from a blank page.
