On 14 July 2011, the Monetary Authority of Singapore (“MAS”) issued a circular regarding information technology outsourcing with specific reference to cloud computing in addition to the general reminder to financial institutions of their responsibilities with regard to effective due diligence, oversight and management of outsourcing and accountability for all outsourcing decisions. The circular also introduces the new MAS Technology Questionnaire for Outsourcing which financial institutions are required to complete and submit to MAS before making any significant IT outsourcing commitments.
(1) Reminder Of Financial Institutions’ General Responsibilities
Financial institutions are reminded of the following obligations:
- to ensure effective due diligence, oversight and management of outsourcing and accountability for all outsourcing decisions;
- to put in place proper frameworks, policies and procedures to evaluate, approve, review, control and monitor the risks and materiality of all their outsourcing activities;
- to ensure that outsourcing does not result in any degradation of a financial institution’s internal controls; and
- to ensure that a service provider employs a high standard of care and diligence with respect to its sensitive information, such as customer data, computer files, records, object programs and source codes.
(2) Unique Attributes And Risks In Utilising Cloud Computing Services
MAS impresses upon financial institutions the need to be aware of the unique attributes and risks involved in utilising cloud computing services. In particular, financial institutions are advised to take cognizance of risks relating to data integrity, recoverability and confidentiality, and legal issues such as regulatory compliance and auditing. As cloud computing service providers typically process data for multiple customers, financial institutions are instructed to pay attention to the cloud computing service providers’ abilities to isolate and identify their customer data and other information system assets for protection. Financial institutions should retain the right to have all IT information and assets promptly removed or destroyed in the event of contract termination with the cloud computing service provider, notwithstanding the cause for such termination. Financial institutions are also advised to consider the resilience and safety of the cloud computing service provider’s infrastructure to ensure that the outsourcing does not compromise their business continuity preparedness.
It is important for financial institutions to be familiar with the new MAS Technology Questionnaire for Outsourcing, issued by MAS to assess risks related to significant IT outsourcing to cloud computing service providers. The circular is available at http://www.mas.gov.sg/resource/legislation_guidelines/risk_mgt/TQoutsourcing.doc.
Apart from performing a thorough risk assessment of the proposed outsourcing arrangement against all relevant MAS regulations, guidelines and other requirements, financial institutions are required to consult and submit the completed MAS Technology Questionnaire for Outsourcing to MAS before making any significant IT outsourcing commitments. “Significant” IT outsourcing generally relates to outsourcing involving customer personal or account data, transactions, deposits, loans, payment card data, trading details and investment portfolios.