On 5 September 2014, the Monetary Authority of Singapore (“MAS”) issued two consultation papers relating to the outsourcing arrangements of Financial Institutions (“FIs”). The two consultation papers related to a new Notice on Outsourcing (the “MAS Notice”) and new Guidelines on Outsourcing (the “MAS Guidelines”), together imposing a set of legally binding minimum standards on FIs for their material outsourcing arrangements.
On 26 June 2015, the Association of Banks in Singapore (“ABS”) in turn released their own Guidelines on Control Objectives & Procedures for Outsourced Service Providers (the “ABS Guidelines”), seemingly in response to the MAS Notice and Guidelines. These guidelines form the minimum and baseline controls that Outsourced Service Providers (“OSPs”) which wish to service financial institutions should have in place. The ABS announced in their press release that they will be working with the relevant OSPs to ensure that they adopt the ABS Guidelines within the 12 months following the release on 26 June 2015. ABS, together with ABS members, will likely be couching the ABS Guidelines as minimum industry standards in relation to OSPs.
In this Client Update, we wish to explore how the ABS Guidelines change the audit practices that currently exist between FIs and OSPs, and to what extent FIs can rely on requirements set out in the ABS Guidelines to address their statutory obligations to the MAS under the MAS Notice and Guidelines.
What do FIs and OSPs have to do now?
The ABS Guidelines have significant implications for both FIs and the OSPs. We set out some issues and action items that FIs and OSPs will have to consider respectively below.
While the ABS Guidelines seem to impose requirements on OSPs only, FIs should review how the requirements under the ABS Guidelines affect their existing audit regime, in particular the audit arrangements in place to comply with the MAS Notice and Guidelines. For FIs which have been relying on, or intend to rely on, internal audits by the FI’s own personnel, this means that they are not able to do so and will have to ensure that there is an external independent auditor which will conduct audits on the OSPs. In addition, even with independent audits in place in line with the ABS Guidelines, imposing audit requirements on OSPs alone will not necessarily absolve FIs from their statutory obligations and duties vis-a-vis the MAS. We will elaborate on this further below.
While ABS is a self-regulating entity, and hence does not have powers to impose statutory requirements unlike the MAS, it is safe to assume that ABS’ members will be following the ABS Guidelines. The ABS Guidelines stipulate that OSPs are required to perform audits for material outsourcing services provided to the FIs. While the ABS Guidelines do specifically reserve for the FIs and MAS the right to audit the OSPs, they are, in essence, transferring the audit requirements set out by the MAS in the MAS Notice and Guidelines against the FI to the OSPs.
Briefly, OSPs are required to:
- Engage an external auditor for the audit, where the external auditor must have audited at least 2 commercial banks in Singapore within the last 5 years and have demonstrated a sound understanding of outsourcing risks pertinent to the banking industry; and
- Conduct the audit once every 12 months.
The audit covers 3 areas: entity level control, general information technology (IT) control and service controls. These 3 areas are elaborated in detail in the ABS Guidelines (which include an audit report template), and are much more specific than the audit requirements prescribed by the MAS. It is likely that ABS member FIs will require OSPs to comply with the requirements set out under the ABS Guidelines should the OSP wish to provide services to ABS members. In the long run, common use of the Outsourced Service Provider Audit Report (“OSPAR”) template may actually streamline how OSPs deal with audits, as they develop increased efficiencies and routine processes, and in turn achieve a reduction in audit costs.
It is interesting to note that neither the ABS Guidelines nor the MAS Notice and Guidelines state which party should bear the cost of the audit, or how the cost may be divided between the parties. This will be an important concern for both FIs and OSPs, especially if the standard audit format prescribed by the ABS is costly. We will discuss this issue below.
The Impact of the ABS Guidelines Requirements
Going forward, FIs and OSPs entering into new material outsourcing arrangements should include the requirements set out by the ABS. In addition, for existing material outsourcing arrangements between ABS member FIs and OSPs, the FI is likely to approach the OSP to modify the existing arrangement, including the service level agreement, to capture the new audit requirements.
A key concern for both parties would be whether they are responsible for bearing the costs of the audit. While the ABS Guidelines impose the duty of conducting the audit on the OSP, thereby implying that the cost of such an audit would be borne by the OSP, the reality is not clear. There will likely be negotiations between parties on how best to share the audit cost, which may be made more complex if an OSP services more than one FI and is privy to varying responses from different FIs. In any event, it seems unlikely that OSPs will agree to bear the full audit costs in view of the fact that audits were implemented by the MAS and ABS in response to a regulatory regime directed at the FIs. FIs on the other hand would have to consider whether they need to reserve costs which may be incurred for compliance with the MAS Notice and Guidelines outside of the ABS Guidelines, and how this will affect how much they can commit to cost sharing. Cost sharing arrangements, as well as responsibility for liaising with the auditor, should be captured expressly in the contracting documents.
What happens if the audit report results are unsatisfactory and highlight gaps? The agreement between the parties should clearly set out whether this allows the FI to terminate the agreement, and whether a cure period can be implemented during which the OSP can rectify the gap. In the event of a significant gap, the FI will also have to ensure that there are no repercussions for its statutory obligations vis-a-vis the MAS.
While the ABS Guidelines are good news to FIs in managing their audit obligations, the key concern for FIs at this point will be to analyse to what extent they are complying with the MAS Notice and Guidelines by implementing the ABS Guidelines requirements, and to ensure that there are no gaps in their statutory obligations. For OSPs, it is important to leverage the context for the ABS Guidelines, and set out clearly in the arrangements with FIs which party is engaging the auditor, how the costs of the audit are to be divided, and what steps are available if there are gaps highlighted in the audit report. As the MAS has not issued the finalised version of the MAS Notice and MAS Guidelines, the coming 12 months will be a gradual implementation process for FIs and OSPs to re-negotiate their existing outsourcing arrangements to comply with both the ABS Guidelines and the finalised MAS Notice and Guidelines.