These services have a growing interest in Uruguay.
The activities described above, would most probably be considered as an outsourcing of services from a regulated entity.In this sense, section 2 of Law N° 17.613 provides that entities that are under the CBU supervision (such as banks and other financial institutions, etc.) must require the CBU’s prior authorization in order to outsource activities inherent to their commercial businesses which in case they were performed by themselves would be under the CBU’s supervision scope. Section 35.1 of the Compilation of Regulatory and Control Norms for the Financial System of CBU (the “Compilation”), in similar terms, states the same obligation of requiring the prior authorization of the CBU to outsource the mentioned activities.
In order to obtain such authorization, the aforesaid Section 35.1 states that a draft of the outsourcing service agreement to be entered into with the service provider must be submitted before the CBU, together with sufficient information regarding both technical and patrimonial (net worth) solvency of the service provider. Section 35.2 of the Compilation states that the CBU’s authorization is required to totally or partially process data by external agents, whether carried out by a local or foreign entity. Additionally, the aforementioned Section 35.2 provides that in case of outsourcing data processing activities, the service provider shall evidence that both, data and software backup processes, allow to restore the institution operations, and that the technological devices and systems used for data communication, storage and process are sufficiently secure to comply with the availability, integrity, confidentiality, authenticity and reliability requirements as well as to continuously backup the operational continuity plan.
Furthermore, CBU’s Communication N° 2008/069, applicable among others to financial institutions and exchange offices, establishes that the agreement shall provide, as a minimum: the scope of the activities; the place in which the data processing and backups are located; minimum levels of service provision; subcontractors participation; confidentiality clauses; institution's right to conduct audits; requirement to report to the institution; procedure through which the institution shall obtain the necessary data to ensure the continuity of the activities; and obligation of the entity to support the cost that the Superintendence of Financial Services of the CBU may incur in relation to visits and controls to the service provider.