On 5 September 2014, the Monetary Authority of Singapore (the “MAS”) issued two consultation papers proposing to revise its Guidelines on Outsourcing and issue a new Notice on Outsourcing.
Guidelines on Outsourcing
The MAS first issued the Guidelines on Outsourcing (the “Guidelines”) in 2004 to promote sound risk management practices for outsourcing arrangements of financial institutions (the “institutions”). Outsourcing arrangements can increase the risk profile of institutions due to reputation, compliance and operational risks arising from a failure of the service provider (such as breaches of security or an inability to comply with legal and regulatory requirements). It is important that an institution adopts a sound and responsive risk management framework for its outsourcing arrangements. The extent and degree to which an institution implements the Guidelines should be commensurate with the nature of risks in, and materiality of, the outsourcing arrangement.
The MAS now proposes to revise these Guidelines to raise the standards of institutions’ risk management practice, as the number and complexity of outsourcing arrangements have increased since the Guidelines were first introduced.
The revised Guidelines will employ stricter language in terms of the continuing responsibility of institutions in relation to the outsourcing arrangement. The sections setting out the responsibility of the board and senior management and the monitoring and control of outsourcing arrangements will be significantly amended. Some of the proposed amendments are mentioned below:
- Definitions: The Definitions section will be expanded, incorporating, among others, definitions for “material outsourcing arrangement” and “outsourcing arrangement”.
- Applicability of Guidelines: The extent of the MAS review of implementation of the Guidelines has been broadened to include an assessment of the quality of an institution’s board and senior management’s oversight and governance and internal controls. An institution should ensure these Guidelines are observed by branches and corporations under its control and should also conduct a self-assessment of all existing outsourcing arrangements against these Guidelines. An institution will also be required to rectify the identified deficiencies no later than six months from the date of the issue of the Guidelines. This requirement had previously allowed a year for rectification.
- Responsibilities of the board and senior management: The proposed revisions to the Guidelines stress that the board and senior management play “pivotal roles in ensuring a sound risk management culture and environment”. They will be responsible for, inter alia, the implementation of a consistent institution-wide outsourcing risk management framework, in accordance with the Guidelines. The board and senior management of an institution should ensure that there are adequate processes to provide a comprehensive institution-wide view of its risk exposures from all its outsourcing arrangements, and to incorporate the assessment of such risks into the institution’s outsourcing risk management framework. The responsibilities of the board (or a committee delegated by it) will be expanded to include the setting of “a suitable risk appetite to define the nature and extent of risks that the institution is willing and able to assume from its outsourcing arrangements” and ensuring that senior management establishes appropriate governance structures and processes for sound and prudent risk management.
- Engagement with MAS on outsourcing: This section will be significantly amended with new responsibilities. An institution should notify the MAS before it commits to the commencement of any material outsourcing arrangement or amends an existing material outsourcing arrangement, and be ready to demonstrate to the MAS its observance of the Guidelines. Factors that an institution should consider to assess the materiality in an outsourcing arrangement are set out in Annex 3 to the revised Guidelines.
- Monitoring and control of outsourcing arrangements: Proposed revisions to the Guidelines provide that an institution should establish a structure for the management and control of its outsourcing arrangements and state that as relationships and interdependencies increase in materiality and complexity, a more rigorous risk management approach should be adopted. Additionally, an institution will have to ensure that operational, internal control and risk management standards are upheld by the service provider. An institution should, in addition to responsibilities set out in the previous Guidelines, also ensure that there are policies and procedures in place to monitor confidentiality and security adequacy and compliance and security vulnerability management. The institution will also have to establish service recovery procedures and report lapses relating to the agreed service standards by the service provider.
Notice on Outsourcing
To enhance the MAS’ regulatory framework, in addition to updating the Guidelines, the MAS proposes to issue a Notice that defines a set of minimum standards for outsourcing management. The Notice sets out requirements for the assessment of service providers, access to information, conduct of audits on a service provider, protection of customer data and termination of and exiting from an outsourcing arrangement. The expectation is for an institution to manage outsourcing arrangements as if the services continue to be conducted by the institution.
The MAS invites comments for the amendments to the Guidelines and the new Notice to be provided by 7 October 2014.
The Consultation Paper is available from the MAS website www.mas.gov.sg.