Institutions will need to meet deadlines to conduct a self-assessment of existing outsourcing arrangements, rectify identified deficiencies, and put in place measures to mitigate interim risks where a deficiency is significant.

On 27 July 2016, the Monetary Authority of Singapore (MAS) issued revised Guidelines on Outsourcing (Guidelines) after considering the feedback received in connection with its September 2014 public consultation paper (MAS Consultation Paper) that proposed to raise the standards of institutions’ outsourcing risk management practices.

The Guidelines are not legally binding, but MAS will consider an institution’s implementation of the Guidelines in determining the supervisory conduct of the institution’s board and senior management in the areas of governance, internal controls, and risk management.

Key aspects of the Guidelines include the following:

  • The Guidelines apply to outsourcing arrangements with both third-party service providers as well as related group companies.  
  • Institutions incorporated in Singapore will need to consider the impact of outsourcing by its branches and any corporation under its control—including those located outside Singapore—regardless of whether they are financial or non-financial related companies.  
  • Institutions subject to the Guidelines now include entities that are otherwise exempted from being licensed, approved, registered, or regulated by MAS.  
  • Certain additional obligations are imposed only in respect of “material outsourcing arrangements”, such as the need to perform periodic reviews at least annually and to ensure that outsourcing agreements incorporate clauses granting MAS audit and information access.  
  • The class of “material outsourcing arrangement” has been expanded to include arrangements involving customer information of which unauthorised access or disclosure, loss, or theft may have a material impact on an institution’s customers.  
  • A new section on cloud computing has been added in recognition of the attendant risks of cloud computing similar to other forms of outsourcing arrangements.

Deadlines for Implementation

In implementing the Guidelines, institutions will need to conduct a self-assessment of all existing outsourcing arrangements by 26 October 2016, rectify deficiencies identified in the self-assessments by 26 July 2017, and put in place measures to mitigate interim risks where a deficiency is significant.

A MAS Notice on Outsourcing, which will define a set of minimum standards for outsourcing management, will be issued at a later date.