On 27 July 2016, the Monetary Authority of Singapore (“MAS”) issued new Guidelines on Outsourcing Risk Management (“Guidelines”) to Financial Institutions (“FIs”). These Guidelines will impact not only FIs but also third party service providers providing outsourcing services to these FIs. Section 1 of this article provides 11 key changes you need to know when dealing with any current and future outsourcing arrangements, while Section 2 highlights various aspects of outsourcing which need to be addressed in the outsourcing agreement.
FIs have up to 27 October 2016 to perform a self-assessment of all existing outsourcing arrangements against the guidelines. Any deficiencies would need to be rectified no later than 12 months from the issuance of the Guidelines.
Furthermore, MAS will also issue, at a later date, a Notice on Outsourcing once its review of industry feedback has been completed.
Section 1: 11 Significant Changes You Need To Know
A summary of the 11 key changes and their implications with regards to the Guidelines are as follows:
- Wider application of the Guidelines to all FIs
The Guidelines apply to any FI defined under Section 27A of the Monetary Authority of Singapore Act (Cap. 186). This will mean there is a wider application of the Guidelines to include FIs such as money changers and remitters, insurance intermediaries, financial advisers, trustee-manager of a business trust, trust companies, holders of stored value facilities, registered insurance brokers, exempt corporate finance advisers, and registered fund management companies.
- Guidelines supersede the MAS Circular on Information Technology Outsourcing
Previously, FIs had to complete the MAS Technology Questionnaire before entering into any significant outsourcing commitment. Since the Guidelines replace not only the former guidelines but also the MAS IT Outsourcing Circular, there is no need for FIs to complete the MAS Technology Questionnaire anymore. This is much welcomed from an administrative standpoint.
- Removal of pre-notification obligations for material outsourcing arrangements
In the past, FIs were required to notify MAS before entering into or varying a material outsourcing arrangement. These obligations have been removed, reducing compliance burdens on the part of FIs. That said, MAS will still require FIs to notify them, as soon as possible, of any adverse developments that could impact the FI or within the FI’s group. Examples include prolonged service failures or disruptions in the outsourcing arrangement, or any breach of security and confidentiality of the FI’s customer information. Furthermore, FIs are expected to include in the outsourcing agreements, events and circumstances which require the service provider to report to the FI, so as to allow the FI to take prompt risk mitigation measures and notify MAS of such developments.
- Outsourcing Register
MAS expects FIs to maintain a register of all its outsourcing arrangements. This has to be sent to MAS on an annual basis, or upon request. A copy of the template can be found on the MAS website.
- Revised definition of “material outsourcing arrangements”
An outsourcing arrangement will now be considered material if it “involves customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers”. This addition is important in light of the increasing focus on cyber risks. Customer information does not include information that is public, anonymised, or encrypted securely in a matter where the identities of customers cannot be readily identified.
- Further guidance on material outsourcing
Further guidance is provided in the Guidelines for the FI’s to consider in assessing the materiality of its outsourcing arrangements. These include:
- impact on FI’s customer should the service provider fail to perform the service or encounter a breach of confidentiality or security;
- impact on the FI’s counterparties and the Singapore financial market should the service provider fail to perform the service; and
- costs of outsourcing failure as a proportion to the total operating costs of the FI.
- Enhanced responsibilities of the Board and Senior Management
MAS expects the Board and Senior Management to ensure sound oversight and governance, internal controls and prudent management of outsourcing risks. Particularly, the Board (or any delegated committee) is now further required to set a suitable framework to define the nature and extent of risks that the FI is willing and able to assume from its outsourcing arrangements and ensuring that senior management establishes appropriate governance structures and processes for sound and prudent risk management. Senior Management are also further expected to monitor and maintain effective control of all risks from its material outsourcing arrangements on an institution-wide basis, and ensuring appropriate and timely remedial actions are taken to address audit findings on audits for compliance with outsourcing policies and procedures.
- Framework on Risk Evaluation Criteria
MAS expects FIs to consider the additional steps in evaluating risks associated with the FI’s outsourcing arrangement. These include:
- assessing the service provider’s ability to employ a high standard of care in performing the outsourced service and meet regulatory standards as expected of the FI, as if the outsourcing arrangement is performed by the FI;
- analysing the FI as well as its group aggregate exposure to the outsourcing arrangement to manage concentration risk; and
- analysing the benefits of outsourcing against the risks that may arise, ranging from the impact of temporary disruption to service to that of a breach in security and confidentiality, and whether for strategic and internal control reasons, the FI should not enter into the outsourcing arrangement.
- Assessment of Service Providers
In assessing the capability of service providers, a more rigorous approach now is required. This includes conducing assessments of the physical and IT security controls, ethical and professional standards, and conducting onsite visits to the service provider. Notably, the FI should ensure that the outsourcing arrangement has been assessed to meet the FI’s hiring policies for the role they are performing, consistent with the criteria applicable to its own employees.
- Risk Management Practices applicable only to material outsourcing arrangement
MAS has revised certain risk management practices that will only apply to material outsourcing arrangements. These include:
- performing periodic reviews, at least annually;
- clauses allowing the FI (including agents appointed by the FI) or MAS to conduct audits on the service provider;
- ensuring outsourcing arrangements overseas do not hinder MAS’ efforts to supervise the Singapore business activities of the FI in a timely manner.
- Cloud Computing
With the transformation towards the digital economy, MAS has explicitly clarified that Cloud Computing services provided by third parties, including public cloud, are another form of outsourcing. Therefore, the risk management practices enunciated in the Guidelines are applicable to these arrangements.
Section 2: What You Need To Include In Your Outsourcing Agreement
MAS expects FIs to ensure that every outsourcing agreement contains provisions to mitigate risks identified at the risk evaluation and due diligence stages. At the very least, the outsourcing agreement needs to include provisions that will address the various aspects of outsourcing such as the following:
- scope of the outsourcing agreement;
- performance, operational, internal control and risk management standards;
- confidentiality and security;
- business continuity management;
- monitoring and control;
- audit and inspection;
- notification of adverse developments;
- dispute resolution;
- default termination and early exit;
- applicable laws.
In conclusion, these changes are intended to raise the standards of FIs’ risk management practices as outsourcing arrangements have become increasingly prevalent and complex. While the Guidelines are intended for FIs, service providers providing outsourcing arrangements to FIs will inevitably be affected.