The Monetary Authority of Singapore (MAS) published its new replacement Guidelines on Outsourcing on 27 July 2016. The Guidelines are intended to provide comprehensive guidance on the risk management practices that financial institutions should adopt in handling outsourcing arrangements. Businesses operating in Singapore that have entered into, or wish to enter into, outsourcing arrangements with third-party providers are strongly advised to take careful note of the Guidelines and to consider adopting the appropriate measures.
Several key changes to the Guidelines are being introduced. Notably, the Guidelines include a section on cloud computing for the first time. This section clarifies that MAS considers cloud services to be a form of outsourcing arrangement. As such, financial institutions should also apply the risk management practices in the Guidelines to all cloud computing arrangements. The requirement to establish legal terms consistent with those set out in the Guidelines is likely to present a challenge, given that cloud services are commonly offered on a take-it-or-leave-it basis with legal provisions stacked in favour of the cloud service provider.
The other key change is a revised definition of “material outsourcing arrangements”, to which we expect the MAS will now pay particular attention. Essentially, the new definition includes arrangements that: “involve customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers”.
While seemingly directed at the potential impact to customers, this fundamental change to the scope of the new Guidelines in part arises from increasing concern about cyber risk and the associated reputational damage that high profile cyber incidents could have on the integrity of the financial services sector in the Singapore market.
This new limb of the material outsourcing definition will again test financial institutions and their legal advisors to determine which service arrangements will be caught. How many customers would need to be impacted? Is the impact to be considered from an objective perspective or the subjective perspective of the impacted individual(s)? What probability threshold should be applied to the “may have a material impact” requirement? A conservative assessment of these variables would conclude that every service arrangement involving customer data will now be a material outsourcing. Although Annex 2 of the Guidelines provides guidance on the materiality test, it does not address how these new variables will be determined.
Perhaps surprisingly, the obligation for financial institutions to pre-notify MAS of any material outsourcing arrangements has also been removed. This will come as a relief to those involved in the hectic pre-contract phase of outsourcing projects, where pre-notification of projects that have yet to be fully scoped has added a layer of complexity in the past. This relaxation of the notification rules perhaps reflects the practical challenge for MAS in being able to meaningfully assess and contribute to the negotiation phase of all proposed outsourcings which are brought to its attention.
As usual, the extensive Guidelines also set out the risk management practices which a financial institution should consider adopting. These include a clear statement of the Board and Senior Management’s responsibilities, which include evaluating the materiality of the outsourcing arrangements and instituting proper safeguards for risk management. Institutions are also expected to undertake evaluations of risks and assessments of the service provider, and to include proper terms in outsourcing agreements to address the potential risks.
These changes in the Guidelines highlight the interest of the Singapore authorities in strengthening regulation on the increasingly common practice of financial services businesses adopting cloud solutions and reflect heightened concerns about personal data risk and cyber security threats.
In light of the above, businesses are advised to undertake reviews of their existing and future outsourcing arrangements to ensure compliance with these new Guidelines.