On July 27, the Monetary Authority of Singapore (MAS) issued the revised Guidelines on Outsourcing (Guidelines). The revised Guidelines represent a culmination of extensive industry and public consultation on this topic, beginning with the Consultation Paper on Guidelines on Outsourcing issued on September 5, 2014 (Consultation Paper). In conjunction with the revised Guidelines, the MAS also issued its response to feedback received (MAS Response) on the Consultation Paper.
The Guidelines apply to all financial institutions that are licensed, approved, registered or regulated by the MAS. This briefing focuses on the key amendments to the Guidelines that may affect Singapore fund management companies. A copy of the Guidelines and MAS Response is available here.
|Provisions||Key Amendments to the Guidelines||Comments|
|New definition of “customer”||“Customer” in relation to a CMI1 means a person (whether a natural person, legal person or legal arrangement)
||In response to requests for the MAS to define “customer” for all types of institutions and to align the definition across existing legislation, the MAS has provided the definition of “customer” in relation to all types of institutions.|
|New definition of “customer information”||“Customer information” means information that relates to customers of an institution and includes customers’ accounts, particulars, transaction details and dealings with the financial institutions but does not include any information that is public, anonymised, or encrypted in a secure manner such that the identities of the customers cannot be readily inferred.||The MAS has accepted feedback to exclude information that is public, made anonymous or encrypted securely and that cannot be used to readily identify its customers.|
|Amended definition of “outsourcing arrangement”||“Outsourcing arrangement” includes the following characteristics:
The following characteristic of an outsourcing arrangement which was included in the previous definition has been deleted:
"prohibitive to change the service provider as substitutes are lacking in the market or may only be replaced at significant cost to the institution”
|The definition proposed in the Consultation Paper has been further refined. The MAS deleted the express exclusion of “services that involve the provision of a finished product” from the definition.|
|Amended definition of “material outsourcing arrangement”||“Material Outsourcing Arrangement” means an outsourcing arrangement–
|Removal of notification requirement for material outsourcing||The MAS has removed the expectation for institutions to notify it before commencing any material outsourcing arrangements.||This is a departure from the Consultation Paper.|
|Certain risk management practices for material outsourcing only||
The following risk management practices will now apply only to material outsourcing arrangements:
|This is a revision of certain proposals in the Consultation Paper.|
|Onsite visits to assess service provider||Institutions should use onsite visits to the service provider to supplement their assessment of the service provider.||The MAS has clarified that institutions should adopt a risk-based approach when determining whether to supplement their due diligence of service providers with onsite visits.|
|New requirement on assessment of employees of service providers||Institutions should ensure that employees of the service provider undertaking any part of the outsourcing arrangement have been assessed to meet the institution’s hiring policies for the role they are performing, consistent with the criteria applicable to its own employees.||The MAS has clarified that it does not expect the service provider’s employees to undergo a full fit and proper assessment as described in the MAS’ Guidelines on Fit and Proper Criteria. Employees employed by the institution’s related companies in intra-group outsourcing arrangements can be assessed as part of their employment with the institution via the institution’s human resource policies rather than via the outsourcing risk management process.|
|Validity or enforceability of intra-group outsourcing agreements||Outsourcing agreements should be vetted by a competent authority (e.g., the institutions’ legal counsel) on their legality and enforceability.||Regarding intra-group outsourcing arrangements, in particular where outsourcing is between a Singapore branch and head office, the MAS has clarified that institutions should ensure compliance with the requirements to the extent permitted by law.|
|Additional issues to be addressed in outsourcing agreements||
All outsourcing agreements should address the following additional issues.
Notification of adverse developments:
An institution should specify in its outsourcing agreement the type of events and circumstances under which the service provider should report to the institution in order for an institution to take prompt risk mitigation measures and notify the MAS.
The institution should ensure that the sub-contracting of any part of material outsourcing arrangements is subject to the institution’s prior approval.
|Additional issues to be addressed in outsourcing agreements for material outsourcing||Outsourcing agreements for material outsourcing arrangements should include clauses that require the service provider to comply with any request from the MAS or the institution to submit reports on the security and control environment of the service provider and its sub-contractors to the MAS.|
|Register of outsourcing arrangements||Institutions are expected to maintain a register of all their outsourcing arrangements. The register should minimally capture the information indicated in Annex 3 of the Guidelines and should be submitted to the MAS at least annually or upon the MAS’ request.|
|New audit and inspection rights of access to be granted over sub-contractors||
An institution should include, in all its outsourcing agreements for material outsourcing arrangements, clauses that
|The MAS has considered the concerns raised by the industry and has agreed to remove the proposal in the Consultation Paper for indemnity clauses to be provided for the MAS and its officers, agents and employees in an institution’s outsourcing agreement.|
|New provisions on cloud computing||Cloud services (CS) operated by service providers are a form of outsourcing. Hence,
Institutions are ultimately responsible and accountable for maintaining oversight of CS and managing the attendant risks of adopting CS, as in any other form of outsourcing arrangements.
|This was not addressed in the Consultation Paper.|
Institutions should conduct a self-assessment of all existing outsourcing arrangements against the Guidelines within three months of the issuance of the Guidelines — i.e., October 27, 2016 — and rectify deficiencies identified in the self-assessments no later than 12 months from the issuance of the Guidelines — i.e., July 27, 2017.
Notice on Outsourcing to Be Issued at a Later Date
The MAS is still reviewing feedback on the proposed Notice on Outsourcing (Notice) discussed in the Consultation Paper on Notice on Outsourcing issued on September 5, 2014, and will issue the Notice at a later date once the review has been completed.